Skip to content

Commit 20e8bdb

Browse files
assumptionsandgassumptionsandg
committed
Support trivy allow lists per image
1 parent fc278ab commit 20e8bdb

File tree

3 files changed

+39
-2
lines changed

3 files changed

+39
-2
lines changed

.github/workflows/stackhpc-container-image-build.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -136,6 +136,10 @@ jobs:
136136
run: |
137137
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.49.0
138138
139+
- name: Install yq
140+
run: |
141+
curl -sL https://github.com/mikefarah/yq/releases/download/v4.42.1/yq_linux_amd64.tar.gz | tar xz && sudo mv yq_linux_amd64 /usr/bin/yq
142+
139143
- name: Install Kayobe
140144
run: |
141145
mkdir -p venvs &&

etc/kayobe/trivy/allowed-vulnerabilities.yml

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
---
2+
###############################################################################
3+
# Trivy allowed vulnerabilities list
4+
5+
# Example allowed vulnerabilities file setup
6+
#
7+
# keystone_allowed_vulnerabilities:
8+
# - CVE-2022-2447
9+
#
10+
# barbican-api_allowed_vulnerabilities:
11+
# - CVE-2023-31047
12+
13+
horizon_allowed_vulnerabilities:
14+
- CVE-2022-28346
15+
- CVE-2022-28347
16+
- CVE-2022-34265
17+
- CVE-2023-31047
18+
- CVE-2024-36039
19+
20+
###############################################################################
21+
# Dummy variable to allow Ansible to accept this file.
22+
workaround_ansible_issue_8743: yes

tools/scan-images.sh

Lines changed: 13 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -34,12 +34,23 @@ touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt
3434
# generate a csv summary
3535
for image in $images; do
3636
filename=$(basename $image | sed 's/:/\./g')
37+
imagename=$(echo $filename | cut -d "." -f 1)
38+
vulnerabilities=$(yq .$imagename'_allowed_vulnerabilities[]' src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
39+
rc=$?
40+
rm .trivyignore && touch .trivyignore
41+
for vulnerability in $vulnerabilities; do
42+
echo $vulnerability
43+
if [ $rc -eq 0 ]; then
44+
echo $vulnerability >> .trivyignore
45+
fi
46+
done
47+
cat .trivyignore
3748
if $(trivy image \
38-
--quiet \
49+
--debug \
3950
--exit-code 1 \
4051
--scanners vuln \
4152
--format json \
42-
--severity HIGH,CRITICAL \
53+
--severity CRITICAL \
4354
--output image-scan-output/${filename}.json \
4455
--ignore-unfixed \
4556
$image); then

0 commit comments

Comments
 (0)