From 2e3fe96d532e73602e97b0b2c8e14ec375862747 Mon Sep 17 00:00:00 2001
From: colin
Date: Sat, 20 Jan 2024 21:16:53 +0000
Subject: [PATCH] Update docker/trivy/start.sh
---
 docker/trivy/start.sh | 85 ++++++++++++-------------------------------
 1 file changed, 24 insertions(+), 61 deletions(-)
diff --git a/docker/trivy/start.sh b/docker/trivy/start.sh
index 41f2c2e..29235a1 100644
--- a/docker/trivy/start.sh
+++ b/docker/trivy/start.sh
@@ -1,73 +1,36 @@
 #!/bin/sh
 TIMEOUT=${TIMEOUT:-120m}
-SCANNERS=${SCANNERS:-vuln,misconfig,secret}
+SCANNERS=("vuln" "config" "secret")
 IGNORE_UNFIXED=${IGNORE_UNFIXED:-false}
 LOW_PRIORITY=${LOW_PRIORITY:-true}
-compare_scans() {
- echo "Comparing scans..."
- PREVIOUS_LOG="/log/previous_scan.log"
- CURRENT_LOG="/log/trivy_scan.log"
- SCAN_DATE=$(date +%Y.%m.%d)
- DIFF_LOG="/log/scandiff.$SCAN_DATE.log"
-
- # Check if CURRENT_LOG exists
- if [ -f "$CURRENT_LOG" ]; then
- if [ -f "$PREVIOUS_LOG" ]; then
- echo "Previous scan log found. Comparing with current scan..."
- if diff $PREVIOUS_LOG $CURRENT_LOG > $DIFF_LOG; then
- echo "No differences found between scans."
- report_scan_results false
- else
- echo "Differences found. Check $DIFF_LOG for more details."
- report_scan_results true
- fi
- else
- echo "No previous scan log found. Treating all findings as new."
- cp $CURRENT_LOG $DIFF_LOG || { echo "Failed to copy $CURRENT_LOG to $DIFF_LOG"; exit 1; }
- report_scan_results true
- fi
-
- # Archive current log as previous for next run
- cp $CURRENT_LOG $PREVIOUS_LOG || { echo "Failed to copy $CURRENT_LOG to $PREVIOUS_LOG"; exit 1; }
- else
- echo "Current scan log ($CURRENT_LOG) not found. No scan performed."
- exit 1
- fi
-}
-
-report_scan_results() {
- is_diff=$1
- DIFF_LOG="/log/scandiff.$(date +%Y.%m.%d).log"
-
- if [ "$is_diff" = true ]; then
- echo "Scan differences detected:"
- if [ -f "$DIFF_LOG" ]; then
- cat $DIFF_LOG
- else
- echo "Differences log file $DIFF_LOG not found."
- fi
- else
- echo "No differences to report."
- fi
-}
-
-
 run_scan() {
- if [ "$LOW_PRIORITY" = "true" ]; then
- echo "Running Trivy scan with low priority (nice 19)..."
- nice -n 19 trivy filesystem --skip-update --config $CURRENT_LOG --timeout $TIMEOUT --scanners $SCANNERS $( [ "$IGNORE_UNFIXED" = "true" ] && echo '--ignore-unfixed' ) /mnt
- else
- echo "Running Trivy scan..."
- trivy filesystem --skip-update --config $CURRENT_LOG --timeout $TIMEOUT --scanners $SCANNERS $( [ "$IGNORE_UNFIXED" = "true" ] && echo '--ignore-unfixed' ) /mnt
- fi
+ for SCANNER in "${SCANNERS[@]}"; do
+ CURRENT_LOG="/log/trivy_scan_${SCANNER}.log"
+ if [ "$LOW_PRIORITY" = "true" ]; then
+ nice -n 19 trivy filesystem --skip-update --timeout $TIMEOUT --scanners $SCANNER $( [ "$IGNORE_UNFIXED" = "true" ] && echo '--ignore-unfixed' ) /mnt > $CURRENT_LOG
+ else
+ trivy filesystem --skip-update --timeout $TIMEOUT --scanners $SCANNER $( [ "$IGNORE_UNFIXED" = "true" ] && echo '--ignore-unfixed' ) /mnt > $CURRENT_LOG
+ fi
+ done
 }
-# Archive existing log for comparison
-if [ -f "/log/trivy_scan.log" ]; then
- mv /log/trivy_scan.log /log/previous_scan.log
-fi
+compare_scans() {
+ for SCANNER in "${SCANNERS[@]}"; do
+ PREVIOUS_LOG="/log/previous_scan_${SCANNER}.log"
+ CURRENT_LOG="/log/trivy_scan_${SCANNER}.log"
+ SCAN_DATE=$(date +%Y.%m.%d)
+ DIFF_LOG="/log/scandiff_${SCANNER}_$SCAN_DATE.log"
+
+ if [ -f "$CURRENT_LOG" ]; then
+ if [ -f "$PREVIOUS_LOG" ]; then
+ diff $PREVIOUS_LOG $CURRENT_LOG > $DIFF_LOG
+ fi
+ cp $CURRENT_LOG $PREVIOUS_LOG
+ fi
+ done
+}
 run_scan
 compare_scans
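Review bot: The new `SCANNERS=("vuln" "config" "secret")` assignment and the `for SCANNER in "${SCANNERS[@]}"` loops in run_scan and compare_scans are bash array syntax, but the unchanged first line is still `#!/bin/sh`; under a POSIX sh such as dash or busybox ash (common in minimal container images) this is a parse error, so the script exits before any scan runs. Either switch the shebang to `#!/usr/bin/env bash` if the image ships bash, or stay POSIX with `SCANNERS=${SCANNERS:-vuln config secret}` and `for SCANNER in $SCANNERS; do`, which would also keep the environment override the hunk drops. In run_scan the trivy exit status is discarded on both `> $CURRENT_LOG` lines: a scan that fails (timeout, or no database available under `--skip-update`) still leaves an empty or truncated `$CURRENT_LOG`, and compare_scans then copies that file over `$PREVIOUS_LOG`, so the last good baseline is lost and the next diff cannot show what regressed; appending `|| { echo "trivy $SCANNER scan failed" >&2; rm -f "$CURRENT_LOG"; }` to each trivy line lets the existing `-f "$CURRENT_LOG"` check skip that scanner instead. The scanner name also changed from `misconfig` to `config`; which spelling the pinned trivy release accepts depends on its version, so confirm against the image's trivy before merging.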