This repository has been archived by the owner on Jul 3, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
/
popular-containers-vulnerability-checks.sh
executable file
·137 lines (118 loc) · 6.24 KB
/
popular-containers-vulnerability-checks.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
#!/usr/bin/env bash
set -euo pipefail
TMP_DIR=${1:-/tmp/trivy_output_files}
TRIVY_PREVIOUS_OUTPUT_FILE_DIRECTORY=${2:-trivy_output_files}
POPULAR_CONTAINERS_VULNERABILITY_CHECKS_TABLE_FILE=${3:-container-vulnerability-table.md}
POPULAR_CONTAINERS_VULNERABILITY_CHECKS_README_FILE=${4:-README.md}
CONTAINERS=(
"docker.io/debian:buster-slim"
"docker.io/debian:stable-slim"
"docker.io/node:18-alpine"
"docker.io/node:latest"
"docker.io/node:slim"
"docker.io/openjdk:20-oracle"
"docker.io/openjdk:20-slim"
"docker.io/openjdk:latest"
"docker.io/php:latest"
"docker.io/python:alpine"
"docker.io/python:slim"
"docker.io/ruby:alpine"
"docker.io/ruby:latest"
"docker.io/ruby:slim"
"docker.io/ubuntu:latest"
"gcr.io/distroless/base-debian11:latest"
"gcr.io/distroless/java-debian11:latest"
"gcr.io/distroless/nodejs-debian11:latest"
"gcr.io/distroless/python3-debian11:latest"
"gcr.io/distroless/static-debian11:latest"
"gcr.io/distroless/static:latest"
"registry.access.redhat.com/ubi9-micro:latest"
"registry.access.redhat.com/ubi9-minimal:latest"
"registry.access.redhat.com/ubi9/nodejs-16-minimal:latest"
"registry.access.redhat.com/ubi9/nodejs-16:latest"
"registry.access.redhat.com/ubi9/openjdk-11-runtime:latest"
"registry.access.redhat.com/ubi9/php-80:latest"
"registry.access.redhat.com/ubi9/python-39:latest"
"registry.access.redhat.com/ubi9/ruby-30:latest"
"registry.access.redhat.com/ubi9/ubi:latest"
)
test -d "${TMP_DIR}" || mkdir "${TMP_DIR}"
test -d "${TRIVY_PREVIOUS_OUTPUT_FILE_DIRECTORY}" || mkdir "${TRIVY_PREVIOUS_OUTPUT_FILE_DIRECTORY}"
# In case you are not running inside GitHub Actions, where GITHUB_STEP_SUMMARY is always defined
[[ -n ${GITHUB_STEP_SUMMARY+z} ]] || GITHUB_STEP_SUMMARY="${TMP_DIR}/GITHUB_STEP_SUMMARY"
# Create ${POPULAR_CONTAINERS_VULNERABILITY_CHECKS_TABLE_FILE} if not exists
if [[ ! -f "${POPULAR_CONTAINERS_VULNERABILITY_CHECKS_TABLE_FILE}" ]]; then
(
# First line - Date + Containers
echo -n "| Date |"
for CONTAINER in "${CONTAINERS[@]}"; do
echo -n " ${CONTAINER} |"
done
# Second line - separator
echo -en "\n| --- |"
for CONTAINER in "${CONTAINERS[@]}"; do
echo -n " --- |"
done
echo
) | column -t > "${POPULAR_CONTAINERS_VULNERABILITY_CHECKS_TABLE_FILE}"
fi
CRITICAL_VULNERABILITY_IMAGES_FOUND=0
POPULAR_CONTAINERS_VULNERABILITY_CHECKS_TABLE_CONTAINERS_DATA=()
for CONTAINER in "${CONTAINERS[@]}"; do
echo "*** ${CONTAINER}"
docker pull "${CONTAINER}" > /dev/null
TRIVY_OUTPUT_FILE="${TMP_DIR}/${CONTAINER//\//_}"
TRIVY_PREVIOUS_OUTPUT_FILE="${TRIVY_PREVIOUS_OUTPUT_FILE_DIRECTORY}/${CONTAINER//\//_}"
trivy image --quiet --scanners vuln --vuln-type os "${CONTAINER}" --output "${TRIVY_OUTPUT_FILE}"
TRIVY_OUTPUT_FILE_CRITICAL=$(sed -n 's/^Total:.*CRITICAL: \([0-9]*\).*/\1/p' "${TRIVY_OUTPUT_FILE}")
TRIVY_OUTPUT_FILE_TOTAL=$(grep '^Total:' "${TRIVY_OUTPUT_FILE}")
POPULAR_CONTAINERS_VULNERABILITY_CHECKS_TABLE_CONTAINERS_DATA+=("${TRIVY_OUTPUT_FILE_TOTAL}")
if [[ -f "${TRIVY_PREVIOUS_OUTPUT_FILE}" ]]; then
TRIVY_PREVIOUS_OUTPUT_FILE_CRITICAL=$(sed -n 's/^Total:.*CRITICAL: \([0-9]*\).*/\1/p' "${TRIVY_PREVIOUS_OUTPUT_FILE}")
TRIVY_PREVIOUS_OUTPUT_FILE_TOTAL=$(grep '^Total:' "${TRIVY_PREVIOUS_OUTPUT_FILE}")
else
TRIVY_PREVIOUS_OUTPUT_FILE_CRITICAL=0
TRIVY_PREVIOUS_OUTPUT_FILE_TOTAL="No previous data"
fi
CONTAINER_REPO_TAGS=$(docker inspect --format '{{ index .RepoTags 0 }}' "${CONTAINER}")
CONTAINER_REPO_DIGESTS=$(docker inspect --format '{{ index .RepoDigests 0 }}' "${CONTAINER}")
case "${CONTAINER}" in
"docker.io"*)
# https://hub.docker.com/layers/library/debian/sid-slim/images/sha256-744464ba95b3ca63e9084ab66ab90f923ccd8b464824314aaa4c54f237030a4a?context=explore
CONTAINER_ID=$(docker inspect --format '{{ .Id }}' "${CONTAINER}")
DOCKER_HUB_PATH=$(echo "${CONTAINER##*/}" | tr : /)
POPULAR_CONTAINERS_VULNERABILITY_CHECKS_README_CONTAINERS_DATA="- [${CONTAINER}](https://hub.docker.com/layers/library/${DOCKER_HUB_PATH}/images/${CONTAINER_ID/:/-}) | ${CONTAINER_REPO_DIGESTS}"
;;
"gcr.io"*)
POPULAR_CONTAINERS_VULNERABILITY_CHECKS_README_CONTAINERS_DATA="- [${CONTAINER}](https://${CONTAINER_REPO_TAGS}) | [${CONTAINER_REPO_DIGESTS}](https://${CONTAINER_REPO_DIGESTS})"
;;
"registry.access.redhat.com"*)
CONTAINER_CONFIG_LABELS_RELEASE=$(docker inspect --format '{{ index .Config.Labels "release" }}' "${CONTAINER}")
CONTAINER_CONFIG_LABELS_BUILD_DATE=$(docker inspect --format '{{ index .Config.Labels "build-date" }}' "${CONTAINER}")
POPULAR_CONTAINERS_VULNERABILITY_CHECKS_README_CONTAINERS_DATA="- ${CONTAINER} | ${CONTAINER_REPO_DIGESTS} | Release: ${CONTAINER_CONFIG_LABELS_RELEASE} | Build date: ${CONTAINER_CONFIG_LABELS_BUILD_DATE}"
;;
*)
echo "Unsupported image registry: ${CONTAINER} !!!"
exit 1
;;
esac
if [[ "${TRIVY_OUTPUT_FILE_CRITICAL}" != "${TRIVY_PREVIOUS_OUTPUT_FILE_CRITICAL}" ]]; then
CRITICAL_VULNERABILITY_IMAGES_FOUND=$((CRITICAL_VULNERABILITY_IMAGES_FOUND + 1))
if [[ CRITICAL_VULNERABILITY_IMAGES_FOUND -eq 1 ]]; then
echo -e "\n## $(date +%F)\n" | tee -a "${GITHUB_STEP_SUMMARY}" >> "${POPULAR_CONTAINERS_VULNERABILITY_CHECKS_README_FILE}"
echo -n "| $(date +%F) |" >> "${POPULAR_CONTAINERS_VULNERABILITY_CHECKS_TABLE_FILE}"
fi
echo -e "Previous -> ${TRIVY_PREVIOUS_OUTPUT_FILE_TOTAL}\nCurrent -> ${TRIVY_OUTPUT_FILE_TOTAL}"
echo -e "${POPULAR_CONTAINERS_VULNERABILITY_CHECKS_README_CONTAINERS_DATA}\n ${TRIVY_OUTPUT_FILE_TOTAL}" | tee -a "${GITHUB_STEP_SUMMARY}" >> "${POPULAR_CONTAINERS_VULNERABILITY_CHECKS_README_FILE}"
fi
# Copy current Trivy file to the git repository to be committed later
cp "${TRIVY_OUTPUT_FILE}" "${TRIVY_PREVIOUS_OUTPUT_FILE}"
done
if [[ ${CRITICAL_VULNERABILITY_IMAGES_FOUND} -ne 0 ]]; then
for DATA in "${POPULAR_CONTAINERS_VULNERABILITY_CHECKS_TABLE_CONTAINERS_DATA[@]}"; do
echo -en " ${DATA} |" >> "${POPULAR_CONTAINERS_VULNERABILITY_CHECKS_TABLE_FILE}"
done
echo >> "${POPULAR_CONTAINERS_VULNERABILITY_CHECKS_TABLE_FILE}"
fi
echo -e "\n*** \"${CRITICAL_VULNERABILITY_IMAGES_FOUND}\" CRITICAL vulnerabilities were added/removed in monitored container images.\n"
# Use markdown-table-formatter to properly format the table in Markdown