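#!/usr/bin/env bash
#
# Run a trivy filesystem scan of /mnt for each configured scanner, then diff
# each scanner's result against the log kept from the previous run under /log.
#
# Environment:
#   TIMEOUT         value passed to trivy --timeout (default 120m)
#   IGNORE_UNFIXED  "true" adds --ignore-unfixed to the trivy call (default false)
#   LOW_PRIORITY    "true" runs trivy under nice -n 19 (default true)
#   SCANNERS_ENV    comma-separated trivy scanners (default vuln,config,secret)
#
# The script relies on bash arrays (SCANNERS, read -a), which a POSIX sh such
# as dash does not provide, so the interpreter has to be bash rather than sh.

TIMEOUT=${TIMEOUT:-120m}
IGNORE_UNFIXED=${IGNORE_UNFIXED:-false}
LOW_PRIORITY=${LOW_PRIORITY:-true}

# Use SCANNERS_ENV if provided, otherwise default to vuln, config, secret.
# Only the first line of SCANNERS_ENV is read; IFS is overridden for the
# single read command, so no save/restore of the global IFS is needed.
if [ -n "${SCANNERS_ENV:-}" ]; then
  IFS=',' read -r -a SCANNERS <<<"$SCANNERS_ENV"
else
  SCANNERS=("vuln" "config" "secret")
fi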
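#######################################
# Run one trivy filesystem scan of /mnt per entry in SCANNERS.
# Globals:   SCANNERS, TIMEOUT, LOW_PRIORITY, IGNORE_UNFIXED (read),
#            LOG_DIR (read; directory for the logs, default /log)
# Outputs:   trivy stdout for scanner X is written to
#            ${LOG_DIR}/trivy_scan_X.log. trivy's stderr is left untouched.
#            A non-zero trivy exit is reported on stderr and the remaining
#            scanners still run, so a failed scan never silently produces a
#            log that looks like a clean result.
# Returns:   0
#######################################
run_scan() {
  local log_dir="${LOG_DIR:-/log}"
  local scanner current_log rc
  local -a runner args

  # Decide the priority wrapper once instead of duplicating the whole trivy
  # command line in two branches.
  runner=()
  if [ "$LOW_PRIORITY" = "true" ]; then
    runner=(nice -n 19)
  fi

  for scanner in "${SCANNERS[@]}"; do
    current_log="${log_dir}/trivy_scan_${scanner}.log"

    # Arguments are kept in an array so values containing spaces survive
    # intact; the order matches the original command line.
    args=(filesystem --skip-update --timeout "$TIMEOUT" --scanners "$scanner")
    if [ "$IGNORE_UNFIXED" = "true" ]; then
      args+=(--ignore-unfixed)
    fi
    args+=(/mnt)

    rc=0
    "${runner[@]}" trivy "${args[@]}" > "$current_log" || rc=$?
    if [ "$rc" -ne 0 ]; then
      printf 'run_scan: trivy %s scan exited with status %d; %s may be incomplete\n' \
        "$scanner" "$rc" "$current_log" >&2
    fi
  done
}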
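#######################################
# Diff each scanner's fresh log against the previous run's log, then make the
# fresh log the new baseline.
# Globals:   SCANNERS (read), LOG_DIR (read; directory for the logs, default /log)
# Outputs:   ${LOG_DIR}/scandiff_X_YYYY.MM.DD.log holding
#            diff previous_scan_X.log trivy_scan_X.log, written only when both
#            logs exist; trivy_scan_X.log is then copied over
#            previous_scan_X.log. A scanner without a current log is skipped
#            and its baseline left as-is. diff/cp errors go to stderr.
# Returns:   0
#######################################
compare_scans() {
  local log_dir="${LOG_DIR:-/log}"
  local scanner previous_log current_log diff_log scan_date rc

  # Take the date once so every diff log of this pass carries the same stamp.
  scan_date=$(date +%Y.%m.%d)

  for scanner in "${SCANNERS[@]}"; do
    previous_log="${log_dir}/previous_scan_${scanner}.log"
    current_log="${log_dir}/trivy_scan_${scanner}.log"
    diff_log="${log_dir}/scandiff_${scanner}_${scan_date}.log"

    # No current log: nothing to compare and nothing to rotate for this scanner.
    [ -f "$current_log" ] || continue

    if [ -f "$previous_log" ]; then
      # diff exits 1 when the files differ, which is the expected case here;
      # only status 2 (could not compare) is worth reporting.
      rc=0
      diff -- "$previous_log" "$current_log" > "$diff_log" || rc=$?
      if [ "$rc" -gt 1 ]; then
        printf 'compare_scans: diff of %s failed with status %d\n' \
          "$scanner" "$rc" >&2
      fi
    fi

    cp -- "$current_log" "$previous_log" \
      || printf 'compare_scans: could not update %s\n' "$previous_log" >&2
  done
}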
# Entry point: scan first, then diff the fresh logs against the previous run.
main() {
  run_scan
  compare_scans
}

main "$@"