add trivy scans for built images

Signed-off-by: Brian Downs <brian.downs@gmail.com>
pull/2253/head
Brian Downs 2020-09-15 11:43:27 -07:00
parent a08e998bc5
commit f4c12a44ee
4 changed files with 36 additions and 1 deletions


@ -9,6 +9,16 @@ ENV no_proxy=$no_proxy
RUN apk -U --no-cache add bash git gcc musl-dev docker vim less file curl wget ca-certificates jq linux-headers zlib-dev tar zip squashfs-tools npm coreutils \ RUN apk -U --no-cache add bash git gcc musl-dev docker vim less file curl wget ca-certificates jq linux-headers zlib-dev tar zip squashfs-tools npm coreutils \
python2 openssl-dev libffi-dev libseccomp libseccomp-dev make libuv-static sqlite-dev sqlite-static libselinux libselinux-dev zlib-dev zlib-static python2 openssl-dev libffi-dev libseccomp libseccomp-dev make libuv-static sqlite-dev sqlite-static libselinux libselinux-dev zlib-dev zlib-static
RUN if [ "$(go env GOARCH)" = "arm64" ]; then \
wget https://github.com/aquasecurity/trivy/releases/download/v0.7.0/trivy_0.7.0_Linux-ARM64.tar.gz && \
tar -zxvf trivy_0.7.0_Linux-ARM64.tar.gz && \
mv trivy /usr/local/bin; \
else \
wget https://github.com/aquasecurity/trivy/releases/download/v0.7.0/trivy_0.7.0_Linux-64bit.tar.gz && \
tar -zxvf trivy_0.7.0_Linux-64bit.tar.gz && \
mv trivy /usr/local/bin; \
fi
RUN trivy --download-db-only
RUN mkdir -p /go/src/golang.org/x && \ RUN mkdir -p /go/src/golang.org/x && \
cd /go/src/golang.org/x && git clone https://github.com/golang/tools && cd tools && \ cd /go/src/golang.org/x && git clone https://github.com/golang/tools && cd tools && \
git checkout -b current aa82965741a9fecd12b026fbb3d3c6ed3231b8f8 && \ git checkout -b current aa82965741a9fecd12b026fbb3d3c6ed3231b8f8 && \
@ -19,7 +29,7 @@ ARG DAPPER_HOST_ARCH
ENV ARCH $DAPPER_HOST_ARCH ENV ARCH $DAPPER_HOST_ARCH
RUN if [ "${ARCH}" = 'amd64' ]; then \ RUN if [ "${ARCH}" = 'amd64' ]; then \
curl -sL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s v1.30.0; \ curl -sL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s v1.30.0; \
fi fi
ARG SELINUX=true ARG SELINUX=true
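Review bot: The trivy release archive fetched by `wget` in the new `RUN if` block is extracted and moved to `/usr/local/bin` without any integrity check, so a tampered or truncated download is installed silently; verify it before `tar`, e.g. `echo "<SHA256_PLACEHOLDER>  trivy_0.7.0_Linux-64bit.tar.gz" | sha256sum -c -` (and the ARM64 equivalent) between the `wget` and the `tar` lines, with the hash taken from the release's checksum file. The archive itself is left behind in the layer after `tar -zxvf`; a `rm` of the tarball on the same line keeps the image smaller. The version pinned here (v0.7.0) also differs from the `aquasec/trivy:0.10.2` container used in scripts/image_scan.sh in this same commit, so the two scan paths will not produce the same findings; pin both to one version. `RUN trivy --download-db-only` bakes a vulnerability DB snapshot into the image at build time, which presumably goes stale as the image ages — worth a comment stating that scans are expected to refresh the DB at run time.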


@ -33,3 +33,7 @@ build/data:
.PHONY: binary-size-check .PHONY: binary-size-check
binary-size-check: binary-size-check:
scripts/binary_size_check.sh scripts/binary_size_check.sh
.PHONY: image-scan
image-scan:
scripts/image_scan.sh $(IMAGE)
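Review bot: The new `image-scan` recipe passes `$(IMAGE)` to scripts/image_scan.sh, but nothing in this hunk defines or validates `IMAGE`; if it is unset, Make expands it to nothing and the script is invoked with no argument, failing with a generic "image tag required" message rather than telling the user which Make variable to set. A parse-time guard on the target makes the contract explicit, e.g. `image-scan:` followed by a recipe line `$(if $(strip $(IMAGE)),,$(error IMAGE must be set, e.g. make image-scan IMAGE=<name:tag>))` before the script call; if `IMAGE` is defined elsewhere in the Makefile, a `##` comment on the target noting that it is taken from the build is enough. The rendering drops indentation, so I can't confirm the recipe line is tab-indented — check it is, as `binary-size-check` above presumably is.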

20
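--- /dev/null
+++ b/scripts/image_scan.sh
@@ -0,0 +1,20 @@
+#/bin/sh
+set -e
+if [ -n ${DEBUG} ]; then
+set -x
+fi
+if [ -z $1 ]; then
+echo "error: image tag required as argument. exiting..."
+exit 1
+fi
+IMAGE=$1
+SEVERITIES="HIGH,CRITICAL"
+docker container run --rm --name=image-scan --volume /var/run/docker.sock:/var/run/docker.sock \
+docker.io/aquasec/trivy:0.10.2 --quiet image --severity ${SEVERITIES} --no-progress --ignore-unfixed ${IMAGE}
+exit 0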
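Review bot: `[ -n ${DEBUG} ]` on the DEBUG check is unquoted, so when DEBUG is unset the test collapses to `[ -n ]`, which is true, and `set -x` is enabled on every run; it should be `if [ -n "${DEBUG}" ]; then`, and likewise `if [ -z "$1" ]; then` so a tag containing whitespace doesn't break the argument check. The first line `#/bin/sh` is missing the `!` and is therefore a plain comment, not a shebang — the script only runs because the calling shell falls back to interpreting it; make it `#!/bin/sh`. As written the scan is informational only: trivy exits 0 even when HIGH/CRITICAL findings are reported, so `set -e` never trips and the build continues; if the intent is to gate builds on findings, add `--exit-code 1` to the trivy invocation and drop the trailing `exit 0`, which would otherwise be the only status the caller sees. Mounting `/var/run/docker.sock` gives the scanner container full control of the host daemon, which is needed to read the local image but worth a one-line comment so it isn't later copied into contexts where a registry pull would do.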


@ -15,4 +15,5 @@ PROXY_OPTS=
[ -z "$https_proxy" ] || PROXY_OPTS="$PROXY_OPTS --build-arg https_proxy=$https_proxy" [ -z "$https_proxy" ] || PROXY_OPTS="$PROXY_OPTS --build-arg https_proxy=$https_proxy"
[ -z "$no_proxy" ] || PROXY_OPTS="$PROXY_OPTS --build-arg no_proxy=$no_proxy" [ -z "$no_proxy" ] || PROXY_OPTS="$PROXY_OPTS --build-arg no_proxy=$no_proxy"
docker build ${PROXY_OPTS} -t ${IMAGE} -f package/Dockerfile . docker build ${PROXY_OPTS} -t ${IMAGE} -f package/Dockerfile .
./scripts/image_scan.sh ${IMAGE}
echo Built ${IMAGE} echo Built ${IMAGE}
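Review bot: The added `./scripts/image_scan.sh ${IMAGE}` runs on every build unconditionally, so any build now requires network access to pull `aquasec/trivy` and a reachable docker socket, and an offline or restricted-CI build fails before printing `Built`; a simple opt-out such as `[ -n "$SKIP_IMAGE_SCAN" ] || ./scripts/image_scan.sh "${IMAGE}"` keeps the default behaviour while leaving an escape hatch. Quoting `"${IMAGE}"` also matches the `"$https_proxy"`-style quoting used on the lines above. Since the same commit adds a Makefile `image-scan` target that calls the same script, it may be worth stating in a comment here which of the two is the intended entry point so the scan isn't run twice per pipeline.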