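#!/bin/sh
# Scan a container image with trivy and print HIGH/CRITICAL findings.
#
# Usage: <script> IMAGE ARCH
#   IMAGE - image reference handed to `trivy image`
#   ARCH  - target architecture; 32-bit images (arm, 386) are not scanned
#
# Environment:
#   DEBUG - when set to a non-empty value, enables shell tracing (set -x)
#
# The original first line lacked the `!`, so it was a comment rather than a
# shebang; the script is kept POSIX sh (no `[[`) so /bin/sh can run it.
set -e

# Both arguments are required. The previous `&&` only failed when both were
# missing, so a call with a single argument went on with an empty ARCH.
if [ -z "$1" ] || [ -z "$2" ]; then
  echo "error: image name and arch name are required as arguments. exiting..." >&2
  exit 1
fi

IMAGE=$1
ARCH=$2

# skipping image scan for 32 bits image since trivy dropped support for those https://github.com/aquasecurity/trivy/discussions/4789
# The condition is `= "386"`: the earlier `!= "386"` made every architecture
# other than 386 exit here, i.e. the scan was skipped for the very images the
# comment says should be scanned.
if [ "${ARCH}" = "arm" ] || [ "${ARCH}" = "386" ]; then
  exit 0
fi

# Unquoted, `[ -n $DEBUG ]` with DEBUG unset becomes the one-argument test
# `[ -n ]`, which is always true and so always enabled tracing. Quoting makes
# the check depend on DEBUG. Note that `set -x` echoes every command and its
# arguments to stderr, so keep it off in logs that are retained.
if [ -n "${DEBUG}" ]; then
  set -x
fi

SEVERITIES="HIGH,CRITICAL"
# Go template for trivy's report: one line per finding plus totals by severity.
TRIVY_TEMPLATE='{{- $critical := 0 }}{{- $high := 0 }}
{{- println "Target - Severity - ID - Package - Vulnerable Version - Fixed Version" -}}{{ print }}
{{ range . }}
{{- $target := .Target -}}
{{ range .Vulnerabilities }}
{{- if eq .Severity "CRITICAL" }}{{- $critical = add $critical 1 }}{{- end }}
{{- if eq .Severity "HIGH" }}{{- $high = add $high 1 }}{{- end }}
{{- list $target .Severity .VulnerabilityID .PkgName .InstalledVersion .FixedVersion | join " - " | println -}}
{{- end -}}
{{ end }}
Vulnerabilities - Critical: {{ $critical }}, High: {{ $high }}{{ println }}'

VEX_REPORT="rancher.openvex.json"

# Download Rancher's VEX Hub standalone report
# The VEX statements cause trivy to drop findings marked as not affected, so
# this file directly shapes the scan result. It is fetched from the mutable
# main branch with no integrity check; pinning a commit or verifying a
# checksum would make the outcome reproducible and auditable.
curl -fsS -o "${VEX_REPORT}" https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json

# Without --exit-code trivy returns 0 even when findings are printed; `set -e`
# only stops the script on tool failure (e.g. image pull errors).
trivy --quiet image --severity "${SEVERITIES}" --vex "${VEX_REPORT}" --no-progress --ignore-unfixed --format template --template "${TRIVY_TEMPLATE}" "${IMAGE}"
exit 0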