Improve Trivy configuration (#7154)

Signed-off-by: Guilherme Macedo <guilherme.macedo@suse.com>
pull/7204/head
Guilherme Macedo 2 years ago committed by GitHub
parent fdf994dc35
commit ddd9665fed
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -19,19 +19,19 @@ RUN apk -U --no-cache add bash git gcc musl-dev docker vim less file curl wget c
RUN python3 -m pip install awscli RUN python3 -m pip install awscli
RUN if [ "$(go env GOARCH)" = "arm64" ]; then \ RUN TRIVY_VERSION="0.38.3" && \
wget https://github.com/aquasecurity/trivy/releases/download/v0.36.1/trivy_0.36.1_Linux-ARM64.tar.gz && \ if [ "$(go env GOARCH)" = "arm64" ] || [ "$(go env GOARCH)" = "arm" ]; then \
tar -zxvf trivy_0.36.1_Linux-ARM64.tar.gz && \ # Turn arm64 and arm into uppercase ARM64 and ARM, respectively, for Trivy's download
mv trivy /usr/local/bin; \ TRIVY_ARCH=$(go env GOARCH | tr "[:lower:]" "[:upper:]") && \
elif [ "$(go env GOARCH)" = "arm" ]; then \ wget --no-verbose "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-${TRIVY_ARCH}.tar.gz" && \
wget https://github.com/aquasecurity/trivy/releases/download/v0.36.1/trivy_0.36.1_Linux-ARM.tar.gz && \ tar -zxvf "trivy_${TRIVY_VERSION}_Linux-${TRIVY_ARCH}.tar.gz" && \
tar -zxvf trivy_0.36.1_Linux-ARM.tar.gz && \
mv trivy /usr/local/bin; \ mv trivy /usr/local/bin; \
elif [ "$(go env GOARCH)" = "amd64" ]; then \ elif [ "$(go env GOARCH)" = "amd64" ]; then \
wget https://github.com/aquasecurity/trivy/releases/download/v0.36.1/trivy_0.36.1_Linux-64bit.tar.gz && \ wget --no-verbose "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" && \
tar -zxvf trivy_0.36.1_Linux-64bit.tar.gz && \ tar -zxvf "trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" && \
mv trivy /usr/local/bin; \ mv trivy /usr/local/bin; \
fi fi
# this works for both go 1.17 and 1.18 # this works for both go 1.17 and 1.18
RUN GOPROXY=direct go install golang.org/x/tools/cmd/goimports@gopls/v0.11.0 RUN GOPROXY=direct go install golang.org/x/tools/cmd/goimports@gopls/v0.11.0
RUN rm -rf /go/src /go/pkg RUN rm -rf /go/src /go/pkg

@ -18,11 +18,20 @@ if [ -n ${DEBUG} ]; then
set -x set -x
fi fi
IMAGE=$1 IMAGE=$1
SEVERITIES="HIGH,CRITICAL" SEVERITIES="HIGH,CRITICAL"
TRIVY_TEMPLATE='{{- $critical := 0 }}{{- $high := 0 }}
trivy --quiet image --severity ${SEVERITIES} --no-progress --ignore-unfixed ${IMAGE} {{- println "Target - Severity - ID - Package - Vulnerable Version - Fixed Version" -}}{{ print }}
{{ range . }}
{{- $target := .Target -}}
{{ range .Vulnerabilities }}
{{- if eq .Severity "CRITICAL" }}{{- $critical = add $critical 1 }}{{- end }}
{{- if eq .Severity "HIGH" }}{{- $high = add $high 1 }}{{- end }}
{{- list $target .Severity .VulnerabilityID .PkgName .InstalledVersion .FixedVersion | join " - " | println -}}
{{- end -}}
{{ end }}
Vulnerabilities - Critical: {{ $critical }}, High: {{ $high }}{{ println }}'
trivy --quiet image --severity ${SEVERITIES} --no-progress --ignore-unfixed --format template --template "${TRIVY_TEMPLATE}" ${IMAGE}
exit 0 exit 0

@ -0,0 +1,62 @@
---
name: "Bump Trivy version"
scms:
k3s:
kind: "github"
spec:
user: "{{ .github.user }}"
email: "{{ .github.email }}"
username: "{{ .github.username }}"
token: "{{ requiredEnv .github.token }}"
owner: "{{ .k3s.org }}"
repository: "{{ .k3s.repo }}"
branch: "{{ .k3s.branch }}"
commitmessage:
title: "Bump Trivy version"
actions:
github:
title: "Bump Trivy version"
kind: "github/pullrequest"
scmid: "k3s"
spec:
automerge: false
mergemethod: "squash"
usetitleforautomerge: true
labels:
- "dependencies"
sources:
trivy-release:
name: "Get Trivy latest release"
kind: "githubrelease"
spec:
owner: "aquasecurity"
repository: "trivy"
token: "{{ requiredEnv .github.token }}"
versionfilter:
kind: "latest"
transformers:
- trimprefix: "v"
conditions:
trivy-version:
name: "Check Trivy usage in Dockerfile.dapper"
kind: "file"
scmid: "k3s"
disablesourceinput: true
spec:
file: "Dockerfile.dapper"
matchpattern: 'TRIVY_VERSION="\d+\.\d+.\d+"'
targets:
trivy-version:
name: "Update Trivy version in Dockerfile.dapper"
kind: "file"
scmid: "k3s"
disablesourceinput: true
spec:
file: "Dockerfile.dapper"
matchpattern: 'TRIVY_VERSION="\d+\.\d+.\d+"'
replacepattern: 'TRIVY_VERSION="{{ source `trivy-release` }}"'
Loading…
Cancel
Save