Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
ddd9665f
Unverified
Commit
ddd9665f
authored
Apr 03, 2023
by
Guilherme Macedo
Committed by
GitHub
Apr 03, 2023
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Improve Trivy configuration (#7154)
Signed-off-by:
Guilherme Macedo
<
guilherme.macedo@suse.com
>
parent
fdf994dc
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
87 additions
and
16 deletions
+87
-16
Dockerfile.dapper
Dockerfile.dapper
+12
-12
image_scan.sh
scripts/image_scan.sh
+13
-4
trivy.yaml
updatecli/updatecli.d/trivy.yaml
+62
-0
No files found.
Dockerfile.dapper
View file @
ddd9665f
...
...
@@ -19,19 +19,19 @@ RUN apk -U --no-cache add bash git gcc musl-dev docker vim less file curl wget c
RUN python3 -m pip install awscli
RUN if [ "$(go env GOARCH)" = "arm64" ]; then \
wget https://github.com/aquasecurity/trivy/releases/download/v0.36.1/trivy_0.36.1_Linux-ARM64.tar.gz && \
tar -zxvf trivy_0.36.1_Linux-ARM64.tar.gz && \
mv trivy /usr/local/bin; \
elif [ "$(go env GOARCH)" = "arm" ]; then \
wget https://github.com/aquasecurity/trivy/releases/download/v0.36.1/trivy_0.36.1_Linux-ARM.tar.gz && \
tar -zxvf trivy_0.36.1_Linux-ARM.tar.gz && \
mv trivy /usr/local/bin; \
elif [ "$(go env GOARCH)" = "amd64" ]; then \
wget https://github.com/aquasecurity/trivy/releases/download/v0.36.1/trivy_0.36.1_Linux-64bit.tar.gz && \
tar -zxvf trivy_0.36.1_Linux-64bit.tar.gz && \
mv trivy /usr/local/bin; \
RUN TRIVY_VERSION="0.38.3" && \
if [ "$(go env GOARCH)" = "arm64" ] || [ "$(go env GOARCH)" = "arm" ]; then \
# Turn arm64 and arm into uppercase ARM64 and ARM, respectively, for Trivy's download
TRIVY_ARCH=$(go env GOARCH | tr "[:lower:]" "[:upper:]") && \
wget --no-verbose "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-${TRIVY_ARCH}.tar.gz" && \
tar -zxvf "trivy_${TRIVY_VERSION}_Linux-${TRIVY_ARCH}.tar.gz" && \
mv trivy /usr/local/bin; \
elif [ "$(go env GOARCH)" = "amd64" ]; then \
wget --no-verbose "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" && \
tar -zxvf "trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" && \
mv trivy /usr/local/bin; \
fi
# this works for both go 1.17 and 1.18
RUN GOPROXY=direct go install golang.org/x/tools/cmd/goimports@gopls/v0.11.0
RUN rm -rf /go/src /go/pkg
...
...
scripts/image_scan.sh
View file @
ddd9665f
...
...
@@ -18,11 +18,20 @@ if [ -n ${DEBUG} ]; then
set
-x
fi
IMAGE
=
$1
SEVERITIES
=
"HIGH,CRITICAL"
trivy
--quiet
image
--severity
${
SEVERITIES
}
--no-progress
--ignore-unfixed
${
IMAGE
}
TRIVY_TEMPLATE
=
'{{- $critical := 0 }}{{- $high := 0 }}
{{- println "Target - Severity - ID - Package - Vulnerable Version - Fixed Version" -}}{{ print }}
{{ range . }}
{{- $target := .Target -}}
{{ range .Vulnerabilities }}
{{- if eq .Severity "CRITICAL" }}{{- $critical = add $critical 1 }}{{- end }}
{{- if eq .Severity "HIGH" }}{{- $high = add $high 1 }}{{- end }}
{{- list $target .Severity .VulnerabilityID .PkgName .InstalledVersion .FixedVersion | join " - " | println -}}
{{- end -}}
{{ end }}
Vulnerabilities - Critical: {{ $critical }}, High: {{ $high }}{{ println }}'
trivy
--quiet
image
--severity
${
SEVERITIES
}
--no-progress
--ignore-unfixed
--format
template
--template
"
${
TRIVY_TEMPLATE
}
"
${
IMAGE
}
exit
0
updatecli/updatecli.d/trivy.yaml
0 → 100644
View file @
ddd9665f
---
name
:
"
Bump
Trivy
version"
scms
:
k3s
:
kind
:
"
github"
spec
:
user
:
"
{{
.github.user
}}"
email
:
"
{{
.github.email
}}"
username
:
"
{{
.github.username
}}"
token
:
"
{{
requiredEnv
.github.token
}}"
owner
:
"
{{
.k3s.org
}}"
repository
:
"
{{
.k3s.repo
}}"
branch
:
"
{{
.k3s.branch
}}"
commitmessage
:
title
:
"
Bump
Trivy
version"
actions
:
github
:
title
:
"
Bump
Trivy
version"
kind
:
"
github/pullrequest"
scmid
:
"
k3s"
spec
:
automerge
:
false
mergemethod
:
"
squash"
usetitleforautomerge
:
true
labels
:
-
"
dependencies"
sources
:
trivy-release
:
name
:
"
Get
Trivy
latest
release"
kind
:
"
githubrelease"
spec
:
owner
:
"
aquasecurity"
repository
:
"
trivy"
token
:
"
{{
requiredEnv
.github.token
}}"
versionfilter
:
kind
:
"
latest"
transformers
:
-
trimprefix
:
"
v"
conditions
:
trivy-version
:
name
:
"
Check
Trivy
usage
in
Dockerfile.dapper"
kind
:
"
file"
scmid
:
"
k3s"
disablesourceinput
:
true
spec
:
file
:
"
Dockerfile.dapper"
matchpattern
:
'
TRIVY_VERSION="\d+\.\d+.\d+"'
targets
:
trivy-version
:
name
:
"
Update
Trivy
version
in
Dockerfile.dapper"
kind
:
"
file"
scmid
:
"
k3s"
disablesourceinput
:
true
spec
:
file
:
"
Dockerfile.dapper"
matchpattern
:
'
TRIVY_VERSION="\d+\.\d+.\d+"'
replacepattern
:
'
TRIVY_VERSION="{{
source
`trivy-release`
}}"'
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment