From cd18421cbeb31beb10e17018b9ea4dcc04ca3e62 Mon Sep 17 00:00:00 2001
From: "v.oleynikov"
Date: Sat, 31 Aug 2024 07:08:37 +0300
Subject: [PATCH] [CI] Add images check with Trivy

Signed-off-by: v.oleynikov
---
 .github/workflows/trivy_image_check.yaml | 69 ++++++++++++++++++++++++
 trivy-silent.yaml | 1 +
 2 files changed, 70 insertions(+)
 create mode 100644 .github/workflows/trivy_image_check.yaml
 create mode 100644 trivy-silent.yaml

diff --git a/.github/workflows/trivy_image_check.yaml b/.github/workflows/trivy_image_check.yaml
new file mode 100644
index 0000000..e76a0fb
--- /dev/null
+++ b/.github/workflows/trivy_image_check.yaml
@@ -0,0 +1,69 @@
+name: Trivy images check
+
+env:
+ MODULES_MODULE_NAME: ${{ vars.MODULE_NAME }}
+ MODULES_MODULE_SOURCE: ${{ vars.DEV_MODULE_SOURCE }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ MODULES_REGISTRY: ${{ vars.DEV_REGISTRY }}
+ MODULES_REGISTRY_LOGIN: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+ MODULES_REGISTRY_PASSWORD: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+
+on:
+ pull_request:
+
+jobs:
+ test:
+ name: Trivy images check
+ runs-on: [self-hosted, regular]
+
+ steps:
+ - uses: actions/checkout@v4
+ - uses: deckhouse/modules-actions/setup@v1
+
+ - name: Detect platform and install Trivy
+ run: |
+ # Создать директорию для установки
+ mkdir -p $HOME/bin
+
+ if [[ -f "$HOME/bin/trivy" ]]; then
+ echo "Trivy is already installed."
+ else
+ echo "Trivy is not installed. Installing..."
+ VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name")
+ CLEAN_VERSION=${VERSION#v}
+
+ wget https://github.com/aquasecurity/trivy/releases/download/$VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.tar.gz -O trivy.tar.gz
+ tar zxvf trivy.tar.gz -C $HOME/bin
+ fi
+
+ echo "$HOME/bin" >> $GITHUB_PATH
+
+ - name: Run Trivy vulnerability scanner in image mode
+ run: |
+ exit_code=0
+ image_name=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME
+ image_name_with_tag=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME:pr$PR_NUMBER
+
+ crane_output=$(crane export $image_name_with_tag | tar -xOf - images_digests.json | jq -c 'to_entries[]')
+
+ while read -r item; do
+ key=$(echo "$item" | jq -r '.key')
+ value=$(echo "$item" | jq -r '.value')
+
+ echo 'Checking image '$key' '$value
+
+ trivy image --quiet --config trivy-silent.yaml --format table $image_name@$value
+
+ result=$(trivy image --quiet --config trivy-silent.yaml --format json $image_name@$value)
+
+ vulnerabilities=$(echo "$result" | jq '[.Results[]? | select(has("Vulnerabilities")) | .Vulnerabilities | length] | add // 0')
+
+ if [ "$vulnerabilities" -gt 0 ]; then
+ echo "There are vulnerabilities in image"
+ exit_code=1
+ else
+ echo "There are no vulnerabilities in image"
+ fi
+ done <<< "$crane_output"
+
+ exit $exit_code
diff --git a/trivy-silent.yaml b/trivy-silent.yaml
new file mode 100644
index 0000000..f147cdb
--- /dev/null
+++ b/trivy-silent.yaml
@@ -0,0 +1 @@
+exit-code: 0
\ No newline at end of file
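Review bot: The install step resolves `VERSION=$(curl ... /releases/latest | jq -r ".tag_name")`, fetches the tarball with `wget` and unpacks it with no checksum verification, and the `if [[ -f "$HOME/bin/trivy" ]]` shortcut then reuses whatever binary already sits on the self-hosted runner indefinitely, so neither the provenance nor the version of the scanner that gates this job is controlled. Pin the release, download the release's checksums file next to the archive and verify it with `sha256sum -c` before unpacking, and drop the existence check (or key it on the pinned version) so a stale binary from an earlier job is not silently reused; a rewrite is sketched below with a placeholder for the pinned version, and the `aquasecurity/trivy-action` action is an alternative if pulling a third-party action is acceptable here. The scan step also fails open at `crane_output=$(crane export ... | tar -xOf - images_digests.json | jq -c 'to_entries[]')`: the default `run` shell (when `shell: bash` is not set explicitly) has no `pipefail`, so a failed `crane export` leaves `jq` exiting 0 on empty input and the step only errors later, by accident, on a malformed `$image_name@` reference — add `set -euo pipefail` at the top and `[ -n "$crane_output" ] || { echo "no image digests found"; exit 1; }` after that line. Minor: `# Создать директорию для установки` is the only non-English text in the file; `# Create the install directory` keeps it consistent.
```yaml
      # … unchanged: checkout and deckhouse/modules-actions/setup steps …
      - name: Install Trivy
        run: |
          set -euo pipefail
          # Pinned release; bump it deliberately instead of tracking "latest".
          TRIVY_VERSION="<PINNED_TRIVY_VERSION>"  # placeholder: release number without the leading "v"
          BASE_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
          ARCHIVE="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          mkdir -p "$HOME/bin"
          wget -q "${BASE_URL}/${ARCHIVE}" -O "$ARCHIVE"
          wget -q "${BASE_URL}/trivy_${TRIVY_VERSION}_checksums.txt" -O checksums.txt
          # Refuse to unpack anything whose digest does not match the published checksum.
          grep " ${ARCHIVE}\$" checksums.txt | sha256sum -c -
          tar zxf "$ARCHIVE" -C "$HOME/bin" trivy
          echo "$HOME/bin" >> "$GITHUB_PATH"
```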