Skip to content

Commit

Permalink
[CI] Add images check with Trivy
Browse files Browse the repository at this point in the history
Signed-off-by: v.oleynikov <[email protected]>
  • Loading branch information
duckhawk committed Aug 31, 2024
1 parent c01392f commit eccafa1
Show file tree
Hide file tree
Showing 2 changed files with 80 additions and 0 deletions.
79 changes: 79 additions & 0 deletions .github/workflows/trivy_image_check.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
name: Trivy images check

env:
MODULES_MODULE_NAME: ${{ vars.MODULE_NAME }}
MODULES_MODULE_SOURCE: ${{ vars.DEV_MODULE_SOURCE }}
PR_NUMBER: ${{ github.event.pull_request.number }}
MODULES_REGISTRY: ${{ vars.DEV_REGISTRY }}
MODULES_REGISTRY_LOGIN: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
MODULES_REGISTRY_PASSWORD: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

on:
pull_request:

jobs:
test:
name: Trivy images check
runs-on: [self-hosted, regular]

steps:
- uses: actions/checkout@v4
- uses: deckhouse/modules-actions/setup@v1

- name: Check and Install Latest Trivy
run: |
mkdir -p $HOME/bin
LATEST_VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name")
CLEAN_VERSION=${LATEST_VERSION#v}
INSTALL_TRIVY=true
if [[ -f "$HOME/bin/trivy" ]]; then
INSTALLED_VERSION=$("$HOME/bin/trivy" --version | grep -oP 'Version: \K.*')
if [ "$INSTALLED_VERSION" == "$CLEAN_VERSION" ]; then
echo "Trivy is already up-to-date (version $INSTALLED_VERSION)."
INSTALL_TRIVY=false
else
echo "Updating Trivy from version $INSTALLED_VERSION to $CLEAN_VERSION."
fi
else
echo "Trivy is not installed. Installing version $CLEAN_VERSION."
fi
if [ "$INSTALL_TRIVY" = true ]; then
wget https://github.com/aquasecurity/trivy/releases/download/$LATEST_VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.tar.gz -O trivy.tar.gz
tar zxvf trivy.tar.gz -C $HOME/bin
fi
echo "$HOME/bin" >> $GITHUB_PATH
- name: Run Trivy vulnerability scanner in image mode
run: |
exit_code=0
image_name=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME
image_name_with_tag=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME:pr$PR_NUMBER
crane_output=$(crane export $image_name_with_tag | tar -xOf - images_digests.json | jq -c 'to_entries[]')
while read -r item; do
key=$(echo "$item" | jq -r '.key')
value=$(echo "$item" | jq -r '.value')
echo 'Checking image '$key' '$value
trivy image --quiet --config trivy-silent.yaml --format table $image_name@$value
result=$(trivy image --quiet --config trivy-silent.yaml --format json $image_name@$value)
vulnerabilities=$(echo "$result" | jq '[.Results[]? | select(has("Vulnerabilities")) | .Vulnerabilities | length] | add // 0')
if [ "$vulnerabilities" -gt 0 ]; then
echo "There are vulnerabilities in image"
exit_code=1
else
echo "There are no vulnerabilities in image"
fi
done <<< "$crane_output"
exit $exit_code
1 change: 1 addition & 0 deletions trivy-silent.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
exit-code: 0

0 comments on commit eccafa1

Please sign in to comment.