entrypoint.sh
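#!/usr/bin/env bash
# CI step entrypoint: scan a list of container images with trivy and post a
# summary of the findings to a Slack incoming webhook.
#
# Inputs (environment):
#   IMAGES_FILE / IMAGES_LIST              images to scan (newline-separated file / comma-separated list)
#   TRIVY_IGNORE_FILE / TRIVY_IGNORE_LIST  vulnerability ids to ignore (file / comma-separated list)
#   SKIP_EMPTY                             "true" to leave targets without findings out of the report
#   SLACK_INCOMING_URL                     Slack webhook URL (a secret: keep it out of logs/`set -x`)
set -e
set -o pipefail
# NOTE: "set -u" is deliberately not enabled; the optional inputs above are
# read unguarded further down.

# Trivy DB cache. A tilde is NOT expanded inside double quotes ("~/.trivy"
# would create a directory literally named "~" in the working directory), so
# build the path from $HOME explicitly.
CACHE_DIR="${HOME}/.trivy"

# Merged ignore file handed to trivy via --ignorefile. A unique temp file avoids
# clobbering/symlink games with a fixed, predictable path under /tmp.
TRIVY_IGNOREFILE="$(mktemp "${TMPDIR:-/tmp}/.trivyignore.XXXXXX")"
# TRIVY_IGNORE_FILE  # optional user-supplied ignore file, set as a step parameter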
function echoSection {
printf -- "--------------------------------------------\n\n"
printf "\n\n[INFO] $1\n\n"
}
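#######################################
# Unset exported variables whose value is still an unresolved "${{NAME}}"
# placeholder (presumably left behind by the CI's step-parameter templating
# when a parameter was not provided), so that later "-z"/"-n" checks treat
# them as absent.
# Globals:   every exported variable (read); matching ones are unset
# Outputs:   one "Unsetting NAME" line per removed variable, on stdout
#######################################
unset_empty_vars() {
  echoSection "Unsetting empty vars"
  local name
  # Iterate over variable names rather than word-splitting the output of
  # "env": a value containing whitespace would otherwise be split into bogus
  # NAME=value words and could be matched/unset by accident.
  for name in $(compgen -e); do
    if [[ "${!name}" == "\${{${name}}}" ]]; then
      echo "Unsetting ${name}"
      unset "${name}"
    fi
  done
}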
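#######################################
# Build the merged ignore file passed to trivy via --ignorefile.
# Globals:   TRIVY_IGNOREFILE (written), TRIVY_IGNORE_FILE and
#            TRIVY_IGNORE_LIST (read)
# Outputs:   prints the resulting file to stdout
# Exits:     1 when TRIVY_IGNORE_FILE is set but is not a readable regular file
#######################################
set_trivy_ignore() {
  echoSection "Set up trivy ignore file"
  # Always start from an empty file so nothing from a previous run leaks in.
  : > "${TRIVY_IGNOREFILE}"

  # Merge the user-supplied ignore file, if any.
  if [[ -n "${TRIVY_IGNORE_FILE}" ]]; then
    if [[ ! -f "${TRIVY_IGNORE_FILE}" ]]; then
      echo "[ERROR] TRIVY_IGNORE_FILE '${TRIVY_IGNORE_FILE}' does not exist or is not a regular file." >&2
      exit 1
    fi
    cat -- "${TRIVY_IGNORE_FILE}" > "${TRIVY_IGNOREFILE}"
    # Guarantee a trailing newline: a file without one would otherwise get the
    # first TRIVY_IGNORE_LIST entry glued onto its last id (CVE-1CVE-2), and
    # neither of the two would be ignored.
    echo >> "${TRIVY_IGNOREFILE}"
  fi

  # Merge the comma-separated list: one id per line, surrounding whitespace
  # (e.g. from "CVE-1, CVE-2") stripped, empty entries dropped.
  local cve
  while IFS= read -r -d ',' cve || [[ -n "${cve}" ]]; do
    cve="${cve//[[:space:]]/}"
    if [[ -n "${cve}" ]]; then
      printf '%s\n' "${cve}" >> "${TRIVY_IGNOREFILE}"
    fi
  done <<< "${TRIVY_IGNORE_LIST}"

  echo ".trivyignore:"
  cat "${TRIVY_IGNOREFILE}"
}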
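#######################################
# Produce the space-separated list of images to scan, merged from
# IMAGES_FILE (one image per line) and IMAGES_LIST (comma-separated).
# Globals:   IMAGES_FILE, IMAGES_LIST (read)
# Outputs:   the image list on stdout; diagnostics on stderr
# Exits:     1 when the merged list is empty or IMAGES_FILE is missing.
#            Callers invoking this inside "$(...)" only see the subshell fail,
#            so they must check the exit status (never "local x=$(...)").
#######################################
generate_images_list() {
  local images=""

  if [[ -n "${IMAGES_FILE}" ]]; then
    if [[ ! -f "${IMAGES_FILE}" ]]; then
      echo "[ERROR] IMAGES_FILE '${IMAGES_FILE}' does not exist." >&2
      exit 1
    fi
    images=$(tr '\n' ' ' < "${IMAGES_FILE}")
  fi

  if [[ -n "${IMAGES_LIST}" ]]; then
    images="${images} $(tr ',' ' ' <<< "${IMAGES_LIST}")"
  fi

  # shellcheck disable=SC2086  # intentional word-splitting: collapses repeated separators
  set -- ${images}
  if (( $# == 0 )); then
    # stderr, not stdout: the caller captures stdout as the image list and
    # would otherwise "scan" the words of this message.
    echo "[ERROR] The list of images is empty." >&2
    exit 1
  fi
  printf '%s\n' "$*"
}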
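#######################################
# Scan one image with trivy and print a plain-text summary: per target, a
# "PkgName VulnerabilityID Severity" table (sorted by severity column).
# Globals:   CACHE_DIR, TRIVY_IGNOREFILE, SKIP_EMPTY (read)
# Arguments: $1 - image reference
# Outputs:   summary on stdout; diagnostics on stderr
# Returns:   1 when trivy fails (unknown image, registry error, ...)
#######################################
scan_template() {
  local image=$1
  local object count i vuln_length target

  # Keep the assignment separate from "local": "local x=$(cmd)" reports
  # success even when cmd fails, hiding a broken scan from set -e.
  if ! object=$(trivy image -q -f json --cache-dir "${CACHE_DIR}" --ignorefile "${TRIVY_IGNOREFILE}" "${image}"); then
    echo "[ERROR] trivy scan of ${image} failed." >&2
    return 1
  fi

  # ".Results" can come back as null; default it to [] inside jq instead of
  # text-replacing "null" in the raw JSON, which also mangled any package
  # name or description containing that word.
  count=$(jq '.Results // [] | length' <<< "${object}")

  for ((i = 0; i < count; i++)); do
    vuln_length=$(jq -r --argjson i "${i}" '.Results[$i].Vulnerabilities // [] | length' <<< "${object}")
    if [[ "${vuln_length}" -eq 0 && "${SKIP_EMPTY}" == "true" ]]; then
      continue
    fi

    target=$(jq -r --argjson i "${i}" '.Results[$i].Target' <<< "${object}")
    printf '\nTarget: %s\n...\n' "${target}"

    if [[ "${vuln_length}" -eq 0 ]]; then
      # Emit a non-empty line so the target still shows up in the report.
      echo "No vulnerabilities found."
      continue
    fi

    # "$object" is always quoted: the JSON may contain glob characters
    # ("*" in descriptions) that an unquoted echo would expand against the cwd.
    jq -r --argjson i "${i}" \
      '.Results[$i].Vulnerabilities // [] | .[] | "\(.PkgName) \(.VulnerabilityID) \(.Severity)"' \
      <<< "${object}" | column -t | sort -k3
  done
}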
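#######################################
# Render the scan summary of one image as a Slack "section" block (JSON).
# Arguments: $1 - image reference
# Outputs:   the JSON block on stdout; nothing when the summary is empty
# Returns:   1 when the scan itself failed
#######################################
slack_image_section() {
  local image=$1
  local header="*${image}*"
  local body

  # Propagate a failed scan instead of silently turning it into "no section".
  body=$(scan_template "${image}") || return 1
  if [[ -z "${body}" ]]; then
    return 0
  fi

  # The scan output may carry literal "\n" sequences meant as line breaks;
  # make them real newlines so jq encodes them as JSON newline escapes.
  body="${body//\\n/$'\n'}"

  # Build the JSON with jq rather than string interpolation: quotes and
  # backslashes in image, package or target names are escaped instead of
  # breaking (or injecting into) the payload posted to Slack.
  jq -cn --arg header "${header}" --arg body "${body}" \
    '{type: "section", text: {type: "mrkdwn", text: ($header + "\n```" + $body + "\n``` ")}}'
}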
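# MAIN
#######################################
# Orchestrate the step: prepare the ignore file and DB cache, scan every
# image, assemble the Slack message and post it when there is anything to report.
# Globals:   CACHE_DIR, TRIVY_IGNOREFILE, SLACK_INCOMING_URL (read);
#            SLACK_REPORT_MESSAGE (written)
# Exits:     non-zero on an empty image list, a failed scan or a failed post
#######################################
main() {
  unset_empty_vars
  set_trivy_ignore
  mkdir -p "${CACHE_DIR}"

  echoSection "Update trivy DB"
  trivy image --download-db-only --cache-dir "${CACHE_DIR}"

  # Not "local images=$(...)": that masks the exit status, and an empty
  # image list would then be "scanned" word by word instead of failing.
  local images
  images=$(generate_images_list)
  echoSection "List of images: ${images}"

  SLACK_REPORT_MESSAGE='{"blocks":[]}'
  local cfimage section
  # shellcheck disable=SC2086  # intentional word-splitting of the space-separated list
  for cfimage in ${images}; do
    echoSection "Scanning ${cfimage} image"
    if ! section=$(slack_image_section "${cfimage}"); then
      echo "[ERROR] Could not build the report section for ${cfimage}." >&2
      exit 1
    fi
    if [[ -n "${section}" ]]; then
      SLACK_REPORT_MESSAGE=$(jq --argjson insert "${section}" \
        '.blocks += [$insert, {"type": "divider"}]' <<< "${SLACK_REPORT_MESSAGE}")
    fi
  done

  local sections
  sections=$(jq '[.blocks[] | select(.type == "section")] | length' <<< "${SLACK_REPORT_MESSAGE}")
  if [[ "${sections}" -eq 0 ]]; then
    echoSection "The list of vulnerabilities is empty. Nothing to send."
    return 0
  fi

  : "${SLACK_INCOMING_URL:?SLACK_INCOMING_URL must be set to post the report}"
  # --fail turns an HTTP error into a step failure (set -e cannot see HTTP
  # status); the body goes in via stdin so the whole report never sits in argv.
  # NOTE(review): Slack caps the number of blocks per message and the length of
  # a section's text; very long image lists may need splitting — not handled here.
  curl -sS --fail -X POST -H "Content-type: application/json" \
    --data @- "${SLACK_INCOMING_URL}" <<< "${SLACK_REPORT_MESSAGE}"
}
main "$@"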