Skip to content

CI: Add sbom generation to Kolla container image builds #1689

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 17 additions & 8 deletions tools/scan-images.sh
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,8 @@ fi
# Clear any previous outputs
rm -rf image-scan-output

# Make a fresh output directory
mkdir -p image-scan-output
# Make fresh output directories
mkdir -p image-scan-output image-sboms

# Get built container images
docker image ls --filter "reference=ark.stackhpc.com/stackhpc-dev/*:$2" > $1-scanned-container-images.txt
Expand All @@ -40,6 +40,7 @@ for image in $images; do
global_vulnerabilities=$(yq .global_allowed_vulnerabilities[] src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
image_vulnerabilities=$(yq .$imagename'_allowed_vulnerabilities[]' src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
touch .trivyignore
mkdir -p image-scan-output/$filename
for vulnerability in $global_vulnerabilities; do
echo $vulnerability >> .trivyignore
done
Expand All @@ -52,22 +53,22 @@ for image in $images; do
--scanners vuln \
--format json \
--severity HIGH,CRITICAL \
--output image-scan-output/${filename}.json \
--output image-scan-output/${filename}/${filename}.json \
--ignore-unfixed \
--db-repository ghcr.io/aquasecurity/trivy-db:2 \
--db-repository public.ecr.aws/aquasecurity/trivy-db \
--java-db-repository ghcr.io/aquasecurity/trivy-java-db:1 \
--java-db-repository public.ecr.aws/aquasecurity/trivy-java-db \
$image); then
# Clean up the output file for any images with no vulnerabilities
rm -f image-scan-output/${filename}.json
rm -f image-scan-output/${filename}/${filename}.json

# Add the image to the clean list
echo "${image}" >> image-scan-output/clean-images.txt
else

# Write a header for the summary CSV
echo '"PkgName","PkgPath","PkgID","VulnerabilityID","FixedVersion","PrimaryURL","Severity"' > image-scan-output/${filename}.summary.csv
echo '"PkgName","PkgPath","PkgID","VulnerabilityID","FixedVersion","PrimaryURL","Severity"' > image-scan-output/${filename}/${filename}.summary.csv

# Write the summary CSV data
jq -r '.Results[]
Expand All @@ -88,15 +89,23 @@ for image in $images; do
]
)
| .[]
| @csv' image-scan-output/${filename}.json >> image-scan-output/${filename}.summary.csv
| @csv' image-scan-output/${filename}/${filename}.json >> image-scan-output/${filename}/${filename}.summary.csv

if [ $(grep "CRITICAL" image-scan-output/${filename}.summary.csv -c) -gt 0 ]; then
if [ $(grep "CRITICAL" image-scan-output/${filename}/${filename}.summary.csv -c) -gt 0 ]; then
# If the image contains critical vulnerabilities, add the image to critical list
echo "${image}" >> image-scan-output/critical-images.txt
else
# Otherwise, add the image to the dirty list
echo "${image}" >> image-scan-output/dirty-images.txt
fi
fi
rm .trivyignore
trivy image \
--quiet \
--format spdx \
--output image-scan-output/${filename}/${filename}-sbom.spdx \
--db-repository ghcr.io/aquasecurity/trivy-db:2 \
--db-repository public.ecr.aws/aquasecurity/trivy-db \
--java-db-repository ghcr.io/aquasecurity/trivy-java-db:1 \
--java-db-repository public.ecr.aws/aquasecurity/trivy-java-db \
$image
done
Loading