Rework trivy scanning in releases to upload report as an artifact (#7148

) Signed-off-by: Derek Nola <[email protected]>
rancher · Oct 29, 2024 · 3af06a5 · 3af06a5
1 parent 857acbd
commit 3af06a5
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 31 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -52,9 +52,18 @@ jobs:
     
     - name: Scan Images
       continue-on-error: true
-      run: |
-        dapper -f Dockerfile --target dapper make scan-images
-    
+      # This is a temporary workaround until the base image is updated
+      # in the Dockerfile to include the new trivy version that supports VEX
+      run: |
+        docker run --rm -v "$(pwd)/build:/build" -v "$(pwd):/workspace" \
+          -w /workspace rancher/hardened-build-base:v1.22.8b2 \
+          make scan-images
+    - name: Upload Scan Results
+      uses: actions/upload-artifact@v4
+      with:
+        name: release-trivy-scan
+        path: trivy_scan_report.txt
+
     - name: Test
       run: |
         dapper -f Dockerfile --target dapper make test

diff --git a/scripts/scan-images b/scripts/scan-images
@@ -2,35 +2,37 @@
 
 cd $(dirname $0)/..
 
-EXITCODE=0
-SCAN_OUTPUT="scan.json"
+SCAN_OUTPUT="trivy_scan_report.txt"
+rm "$SCAN_OUTPUT"
+
+# Download the Rancher OpenVEX Trivy report
+curl -fsSO https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json
 
 for IMAGE in $(cat build/images*.txt); do
-  echo -e "\nScanning ${IMAGE}"
-  trivy image \
-    --format json \
-    --output ${SCAN_OUTPUT} \
-    --exit-code 1 \
-    --security-checks vuln \
-    --severity ${SEVERITIES:-CRITICAL,HIGH} \
-    --ignore-unfixed \
-    --no-progress \
-    --quiet \
-    ${IMAGE}
-  RC=$?
-  if [ ${RC} -gt ${EXITCODE} ]; then
-    EXITCODE=${RC}
-  fi
-  if [ ${RC} -gt 0 ]; then
-    echo -e "\nSev\tPackage\tVulnID\tInstalled\tFixed"
-    jq -rc 'try .Results[].Vulnerabilities[] | "\(.Severity)\t\(.PkgName)\t\(.VulnerabilityID)\t\(.InstalledVersion)\t\(.FixedVersion)"' ${SCAN_OUTPUT} | sort
-  fi
-  echo
-  rm ${SCAN_OUTPUT}
+    echo "Scanning image: $IMAGE"
+
+    # Run Trivy scan and append the report to the output file
+    trivy image "${IMAGE}" -q --no-progress \
+      --severity ${SEVERITIES:-CRITICAL,HIGH} \
+      --ignore-unfixed --show-suppressed \
+      --vex rancher.openvex.json >> "$SCAN_OUTPUT"
+
+    if [ "$1" = "dump-report" ]; then
+      trivy image "${IMAGE}" -q --no-progress \
+      --severity ${SEVERITIES:-CRITICAL,HIGH} \
+      --ignore-unfixed \
+      -f json \
+      --exit-code 1 \
+      --vex rancher.openvex.json > "temp.json"
+      RC=$?
+      if [ ${RC} -gt 0 ]; then
+        echo -e "\nSev\tPackage\tVulnID\tInstalled\tFixed"
+        jq -rc '.Results[].Vulnerabilities | select( . != null ) | .[] | "\(.Severity)\t\(.PkgName)\t\(.VulnerabilityID)\t\(.InstalledVersion)\t\(.FixedVersion)"' "temp.json" | sort
+        echo
+      fi
+    fi
 done
 
-if [ ${EXITCODE} -gt 0 ]; then
-  echo "VULNERABILITIES FOUND"
-fi
-
-exit ${EXITCODE}
+rm rancher.openvex.json
+[ "$1" = "dump-report" ] && rm temp.json
+echo "Trivy scan completed. Reports are saved in $SCAN_OUTPUT."