diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
index 5ff351a63..8e79d73ea 100644
--- a/.github/workflows/stackhpc-container-image-build.yml
+++ b/.github/workflows/stackhpc-container-image-build.yml
@@ -136,6 +136,10 @@ jobs:
 run: |
 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.49.0
+ - name: Install yq
+ run: |
+ curl -sL https://github.com/mikefarah/yq/releases/download/v4.42.1/yq_linux_amd64.tar.gz | tar xz && sudo mv yq_linux_amd64 /usr/bin/yq
+ - name: Install Kayobe run: | mkdir -p venvs &&
diff --git a/etc/kayobe/trivy/allowed-vulnerabilities.yml b/etc/kayobe/trivy/allowed-vulnerabilities.yml
new file mode 100644
index 000000000..d2e490a74
--- /dev/null
+++ b/etc/kayobe/trivy/allowed-vulnerabilities.yml
@@ -0,0 +1,18 @@
+---
+###############################################################################
+# Trivy allowed vulnerabilities list
+ # Example allowed vulnerabilities file setup
+ #
+ # global_allowed_vulnerabilities:
+ # - CVE-2024-36039
+ #
+ # keystone_allowed_vulnerabilities:
+ # - CVE-2022-2447
+ #
+ # barbican_api_allowed_vulnerabilities:
+ # - CVE-2023-31047
+ ###############################################################################
+ # Dummy variable to allow Ansible to accept this file.
+workaround_ansible_issue_8743: yes
diff --git a/tools/scan-images.sh b/tools/scan-images.sh
index 74223ad90..b8cde6ede 100755
--- a/tools/scan-images.sh
+++ b/tools/scan-images.sh
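Review bot: The yq archive on the added `curl -sL … | tar xz` line is pinned to v4.42.1 but never verified, so whatever is served for that URL is unpacked and moved to `/usr/bin/yq` and then relied on by the scan step; if the release asset were replaced or something sat in the download path, the runner would be using an unattested binary. Download to a file, compare its digest with a hash committed in the workflow, and only then extract: `curl -sfL -o yq.tgz https://github.com/mikefarah/yq/releases/download/v4.42.1/yq_linux_amd64.tar.gz`, `echo '<SHA256_OF_YQ_4.42.1_AMD64 - fill in>  yq.tgz' | sha256sum -c -`, `tar xzf yq.tgz && sudo mv yq_linux_amd64 /usr/bin/yq`. Adding `-f` also matches the trivy install line directly above it, so an HTTP error page makes curl fail instead of being handed to tar.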
@@ -34,6 +34,16 @@ touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt
 # generate a csv summary
 for image in $images; do
 filename=$(basename $image | sed 's/:/\./g')
+ imagename=$(echo $filename | cut -d "." -f 1 | sed 's/-/_/g')
+ global_vulnerabilities=$(yq .global_allowed_vulnerabilities[] src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
+ image_vulnerabilities=$(yq .$imagename'_allowed_vulnerabilities[]' src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
+ touch .trivyignore
+ for vulnerability in $global_vulnerabilities; do
+ echo $vulnerability >> .trivyignore
+ done
+ for vulnerability in $image_vulnerabilities; do
+ echo $vulnerability >> .trivyignore
+ done
 if $(trivy image \
 --quiet \
 --exit-code 1 \
@@ -76,4 +86,5 @@ for image in $images; do
 | .[] | @csv' image-scan-output/$(unknown).json >> image-scan-output/$(unknown).summary.csv
 fi
+ rm .trivyignore
 done
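Review bot: `touch .trivyignore` on the fourth added line creates the file but does not truncate it, so a `.trivyignore` already present in the working directory — for example one left behind when an earlier run stopped before the `rm .trivyignore` added in the second hunk (`@@ -76,4`) — is appended to, and CVEs allowed for a previous image or run are silently ignored for this one. Write `: > .trivyignore` instead so each image starts from an empty list, change the cleanup to `rm -f -- .trivyignore` so a missing file cannot fail the loop, and consider `trap 'rm -f -- .trivyignore' EXIT` near the top of the script so the file cannot outlive it. Because this list removes findings from the report, it is worth keeping an audit trail of what was applied, e.g. `cp .trivyignore image-scan-output/$filename.trivyignore` before the scan. For consistency with the image-specific lookup, the global expression should be quoted too: `yq '.global_allowed_vulnerabilities[]' …`. The `for image` loop body continues past the end of this hunk.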