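#!/bin/bash
# Entrypoint script: parses the scan options passed as single-letter flags,
# builds a trivy command line from them, runs the scan and, for the "github"
# format, uploads the result as a GitHub Dependency Snapshot.
#
# errexit aborts on any unchecked failing command; pipefail additionally makes
# a pipeline fail when any of its stages fails (the default only looks at the
# last stage).
set -e
set -o pipefail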
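#######################################
# Parse the single-letter options and export each value under the variable
# name the rest of the script reads.  Note that -h is the output path, not a
# help flag, and that -w is not used.
# Carriage returns are stripped from every value here, once, instead of
# ad hoc for a subset of options further down (values coming from the
# action inputs may carry a trailing '\r').
# Unknown options and missing option arguments are reported by getopts on
# stderr and otherwise ignored, as before.
# Arguments: the script's "$@"
# Outputs:   exports scanType, format, template, exitCode, ignoreUnfixed,
#            vulnType, severity, output, imageRef, scanRef, skipDirs, input,
#            cacheDir, timeout, ignorePolicy, hideProgress, skipFiles,
#            listAllPkgs, scanners, trivyIgnores, githubPAT, trivyConfig,
#            tfVars, dockerHost, limitSeveritiesForSARIF
#######################################
parse_args() {
  local OPTIND=1 o name
  while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:y:z:" o; do
    # Option letter -> variable name; the export happens once below.
    case "$o" in
      a) name=scanType ;;
      b) name=format ;;
      c) name=template ;;
      d) name=exitCode ;;
      e) name=ignoreUnfixed ;;
      f) name=vulnType ;;
      g) name=severity ;;
      h) name=output ;;
      i) name=imageRef ;;
      j) name=scanRef ;;
      k) name=skipDirs ;;
      l) name=input ;;
      m) name=cacheDir ;;
      n) name=timeout ;;
      o) name=ignorePolicy ;;
      p) name=hideProgress ;;
      q) name=skipFiles ;;
      r) name=listAllPkgs ;;
      s) name=scanners ;;
      t) name=trivyIgnores ;;
      u) name=githubPAT ;;
      v) name=trivyConfig ;;
      x) name=tfVars ;;
      y) name=dockerHost ;;
      z) name=limitSeveritiesForSARIF ;;
      *) name= ;;   # '?' from getopts: already reported on stderr, ignored
    esac
    if [[ -n "$name" ]]; then
      export "$name=${OPTARG//$'\r'/}"
    fi
  done
}

parse_args "$@"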
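# ---------------------------------------------------------------------------
# Everything below turns the exported option values into trivy command lines.
# Arguments are kept in bash arrays so that a value containing spaces or glob
# characters (a skip-files pattern such as "*.test.js", a path with a space)
# reaches trivy as one argument instead of being word-split or glob-expanded
# by the shell.
#
# Globals read:    the variables exported by the option parsing above, plus
#                  GITHUB_REPOSITORY (provided by the environment).
# Globals written: artifactRef (exported), ARGS, SARIF_ARGS, GLOBAL_ARGS,
#                  returnCode; ./trivyignores is rewritten when -t is given.
# Exit status:     trivy's exit status; 1 when the scan type is empty or an
#                  ignorefile is missing; curl's status if the snapshot
#                  upload fails.
# ---------------------------------------------------------------------------

#######################################
# Print an option value with carriage returns removed and surrounding
# whitespace trimmed (replaces the `echo $x | tr -d '\r'` / `xargs` idioms).
# Arguments: $1 - raw value
# Outputs:   normalised value on stdout, no trailing newline
#######################################
normalize() {
  local v=${1//$'\r'/}
  v=${v#"${v%%[![:space:]]*}"}   # drop leading whitespace
  v=${v%"${v##*[![:space:]]}"}   # drop trailing whitespace
  printf '%s' "$v"
}

#######################################
# Split a comma- (or newline-) separated list into normalised items, one per
# output line, dropping empty items.
# Arguments: $1 - the list
# Outputs:   items on stdout
#######################################
split_csv() {
  local item
  local -a raw=()
  IFS=, read -ra raw <<<"${1//$'\n'/,}"
  for item in "${raw[@]}"; do
    item=$(normalize "$item")
    if [[ -n "$item" ]]; then
      printf '%s\n' "$item"
    fi
  done
}

#######################################
# Append "$flag $value" to ARGS, and to SARIF_ARGS as well when $3 is "both",
# unless the value is empty.
# Arguments: $1 - flag, $2 - value, $3 - "both" | "args"
#######################################
add_flag() {
  local flag=$1 value=$2 target=$3
  if [[ -z "$value" ]]; then
    return 0
  fi
  ARGS+=("$flag" "$value")
  if [[ "$target" == both ]]; then
    SARIF_ARGS+=("$flag" "$value")
  fi
}

#######################################
# Like add_flag, but $2 is a comma-separated list: one "$flag item" pair is
# appended per non-empty item, so every skip path/pattern is its own argument.
# Arguments: $1 - flag, $2 - comma-separated values, $3 - "both" | "args"
#######################################
add_csv_flag() {
  local flag=$1 csv=$2 target=$3 item
  while IFS= read -r item; do
    add_flag "$flag" "$item" "$target"
  done < <(split_csv "$csv")
}

# Normalise every option value once (CR removal, whitespace trimming).
for name in scanType format template exitCode ignoreUnfixed vulnType severity \
    output imageRef scanRef skipDirs input cacheDir timeout ignorePolicy \
    hideProgress skipFiles listAllPkgs scanners trivyIgnores githubPAT \
    trivyConfig tfVars dockerHost limitSeveritiesForSARIF; do
  printf -v "$name" '%s' "$(normalize "${!name}")"
done

# Without a subcommand, a bare `trivy` would print its help and exit 0,
# which would make a misconfigured step look like a clean scan.
if [[ -z "$scanType" ]]; then
  printf 'ERROR: scan type (-a) must not be empty.\n' >&2
  exit 1
fi

# The target trivy scans: the image ref by default, the scan ref for the
# filesystem-like scan types, or "--input <file>" when -l is given.
case "$scanType" in
  repo|fs|filesystem|config|rootfs|sbom) export artifactRef="$scanRef" ;;
  *) export artifactRef="$imageRef" ;;
esac
artifact_args=()
if [[ -n "$input" ]]; then
  export artifactRef="--input $input"   # exported form kept for compatibility
  artifact_args=(--input "$input")
elif [[ -n "$artifactRef" ]]; then
  artifact_args=("$artifactRef")
fi

GLOBAL_ARGS=()
if [[ -n "$cacheDir" ]]; then
  GLOBAL_ARGS+=(--cache-dir "$cacheDir")
fi

# ARGS feeds the normal invocation, SARIF_ARGS the SARIF one; --severity and
# --output are deliberately absent from SARIF_ARGS (see the SARIF branch).
ARGS=()
SARIF_ARGS=()
add_flag --format "$format" args
add_flag --template "$template" args
add_flag --exit-code "$exitCode" both
if [[ "$ignoreUnfixed" == true && "$scanType" != config ]]; then
  ARGS+=(--ignore-unfixed)
  SARIF_ARGS+=(--ignore-unfixed)
fi
if [[ "$scanType" != config && "$scanType" != sbom ]]; then
  add_flag --vuln-type "$vulnType" both
fi
add_flag --scanners "$scanners" both
add_flag --severity "$severity" args
add_flag --output "$output" args
add_csv_flag --skip-dirs "$skipDirs" both
if [[ "$scanType" == config ]]; then
  add_flag --tf-vars "$tfVars" args
fi

# Concatenate the listed ignorefiles into ./trivyignores.  The file is
# truncated first so that entries left behind by an earlier run in the same
# workspace do not silently apply to this scan.
if [[ -n "$trivyIgnores" ]]; then
  mapfile -t ignore_files < <(split_csv "$trivyIgnores")
  : > ./trivyignores
  for f in "${ignore_files[@]}"; do
    if [[ ! -f "$f" ]]; then
      printf "ERROR: cannot find ignorefile '%s'.\n" "$f" >&2
      exit 1
    fi
    printf "Found ignorefile '%s':\n" "$f"
    tee -a ./trivyignores <"$f"   # show the contents and append them in one pass
  done
  ARGS+=(--ignorefile ./trivyignores)
fi

add_flag --timeout "$timeout" both
add_flag --ignore-policy "$ignorePolicy" both
if [[ "$hideProgress" == true ]]; then
  ARGS+=(--quiet)
  SARIF_ARGS+=(--quiet)
fi
add_flag --docker-host "$dockerHost" args
if [[ "$listAllPkgs" == true ]]; then
  ARGS+=(--list-all-pkgs)
fi
add_csv_flag --skip-files "$skipFiles" both

# Run the scan.  trivy's exit status is captured instead of letting errexit
# abort, so that the GitHub Dependency Snapshot upload below still happens and
# the script can exit with trivy's status afterwards.
returnCode=0
if [[ "$format" == sarif && "$limitSeveritiesForSARIF" != true ]]; then
  # SARIF is special. We output all vulnerabilities,
  # regardless of severity level specified in this report.
  # This is a feature, not a bug :)
  sarif_output=()
  if [[ -n "$output" ]]; then
    sarif_output=(--output "$output")   # a bare --output would swallow the next argument
  fi
  printf 'Building SARIF report with options: %s %s\n' "${SARIF_ARGS[*]}" "${artifact_args[*]}"
  # NOTE(review): GLOBAL_ARGS (--cache-dir) is not passed on this path, as
  # in the original; confirm whether that is intended.
  trivy --quiet "$scanType" --format sarif "${sarif_output[@]}" "${SARIF_ARGS[@]}" "${artifact_args[@]}" || returnCode=$?
elif [[ -n "$trivyConfig" ]]; then
  printf 'Running Trivy with trivy.yaml config from: %s\n' "$trivyConfig"
  trivy --config "$trivyConfig" "$scanType" "${artifact_args[@]}" || returnCode=$?
else
  printf 'Running trivy with options: trivy %s %s %s\n' "$scanType" "${ARGS[*]}" "${artifact_args[*]}"
  printf 'Global options: %s\n' "${GLOBAL_ARGS[*]}"
  trivy "${GLOBAL_ARGS[@]}" "$scanType" "${ARGS[@]}" "${artifact_args[@]}" || returnCode=$?
fi

if [[ "$format" == github ]]; then
  if [[ -n "$githubPAT" ]]; then
    printf '\n Uploading GitHub Dependency Snapshot'
    # Hand the token to curl through a private temp file (-H @file) instead
    # of argv, so it is not visible in the process list while curl runs.
    header_file=$(mktemp)
    trap 'rm -f -- "$header_file"' EXIT
    printf 'Authorization: token %s\n' "$githubPAT" >"$header_file"
    # errexit is active here: a failing curl ends the script with curl's status.
    curl -H 'Accept: application/vnd.github+json' -H "@${header_file}" \
      "https://api.github.com/repos/${GITHUB_REPOSITORY}/dependency-graph/snapshots" \
      -d "@./${output}"
  else
    printf '\n Failing GitHub Dependency Snapshot. Missing github-pat'
  fi
fi

exit "$returnCode"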