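#!/usr/bin/env bash
# Trivy vulnerability gate for the image "${DOCKER_USER}/${DOCKER_IMAGE}:${TAG}".
#
# Required env:  DOCKER_USER, DOCKER_IMAGE
# Optional env:  ALLOWED_CRITICAL_HIGH_VULNERABILITIES  "C,H" — the maximum number of
#                CRITICAL and HIGH findings tolerated (default "0,0", i.e. none). Lets a
#                pipeline temporarily ship an image for which no fix exists yet without a
#                code change.
# Inputs:        version/docker-version.txt — image tag ("latest" when missing or empty)
#                ./scripts/utils.sh — provides printMessage, printEmojiWrappedMessage and the
#                HEART_ICON / SKULL_ICON / GREEN / RED variables used below
# Outputs:       reports/vulnerability-report-<timestamp>.txt (full Trivy table output)
# Exit status:   0 when the counts are within the allowed thresholds, 1 otherwise. The gate
#                fails closed: a Trivy failure, a missing image or an unparseable report is
#                treated as a failed check rather than as "no findings".
set -euo pipefail

source ./scripts/utils.sh

# Print a failure banner and stop the pipeline.
die() {
  printEmojiWrappedMessage "${RED}${SKULL_ICON}" "$*"
  exit 1
}

printMessage "$HEART_ICON" "$HEART_ICON" "Starting Trivy Vulnerability scan...."

# Fail early with a clear message instead of scanning a malformed image reference.
: "${DOCKER_USER:?DOCKER_USER must be set}"
: "${DOCKER_IMAGE:?DOCKER_IMAGE must be set}"
command -v trivy >/dev/null || die "trivy is not installed or not on PATH"

####################################################################################################
# Thresholds. Both values must be non-negative integers: the comparison below is numeric, so a
# value such as "*" (which the old pattern-match comparison would have accepted as "match
# anything") is rejected instead of silently disabling the gate.
####################################################################################################
ALLOWED_CRITICAL_HIGH_VULNERABILITIES="${ALLOWED_CRITICAL_HIGH_VULNERABILITIES:-0,0}"
IFS=',' read -r allowed_critical allowed_high _ <<< "$ALLOWED_CRITICAL_HIGH_VULNERABILITIES"
for threshold in "$allowed_critical" "$allowed_high"; do
  [[ "$threshold" =~ ^[0-9]+$ ]] \
    || die "ALLOWED_CRITICAL_HIGH_VULNERABILITIES must be two non-negative integers 'C,H', got '${ALLOWED_CRITICAL_HIGH_VULNERABILITIES}'"
done
ALLOWED_CRITICAL_VULNERABILITIES="$allowed_critical"
ALLOWED_HIGH_VULNERABILITIES="$allowed_high"
printMessage "$HEART_ICON" "$HEART_ICON" "ALLOWED_CRITICAL_HIGH_VULNERABILITIES: $ALLOWED_CRITICAL_HIGH_VULNERABILITIES, ALLOWED_CRITICAL_VULNERABILITIES: $ALLOWED_CRITICAL_VULNERABILITIES, ALLOWED_HIGH_VULNERABILITIES: $ALLOWED_HIGH_VULNERABILITIES"

####################################################################################################
# Tag of the image to scan. Whitespace is stripped so a trailing newline in the version file
# cannot produce an invalid reference; a missing or empty file falls back to "latest".
####################################################################################################
#TODO: Use semver for docker image tagging.
TAG=""
if [[ -f version/docker-version.txt ]]; then
  TAG="$(tr -d '[:space:]' < version/docker-version.txt)"
fi
TAG="${TAG:-latest}"
printMessage "$HEART_ICON" "$HEART_ICON" "Scanning Tag : ${TAG}"

####################################################################################################
# Scan the image and keep the full report as a pipeline artifact.
####################################################################################################
mkdir -p reports   # -p: re-runs in the same workspace must not fail on an existing directory
time_stamp="$(date +'%d-%m-%Y-%r')"
report="reports/vulnerability-report-${time_stamp}.txt"
image="${DOCKER_USER}/${DOCKER_IMAGE}:${TAG}"
printMessage "$HEART_ICON" "$HEART_ICON" "Checking Vulnerabilities at: ${time_stamp}"
#### The real game starts here
# A failed scan (image not found, registry/DB error) must not be mistaken for a clean one.
if ! trivy image "${image}" > "${report}"; then
  die "trivy failed to scan '${image}'; see '${report}' for any partial output."
fi

####################################################################################################
# Evaluate the results. Trivy prints one "Total: N (..., HIGH: h, CRITICAL: c)" line per scanned
# target (OS packages plus each language ecosystem it finds in the image). Previously only the
# first such line was read, so findings in application dependencies were never counted; the
# counts are now summed over every target.
####################################################################################################
scan_status="$(grep 'Total:' "${report}" || true)"
[[ -n "$scan_status" ]] \
  || die "no 'Total:' summary line found in '${report}'; cannot evaluate the scan (check the Trivy version/output format)."

# Sum "<LABEL>: n" over all summary lines; prints 0 when the label never appears.
count_severity() {
  local label=$1
  { grep -oE "${label}: [0-9]+" <<< "$scan_status" || true; } \
    | awk '{ total += $2 } END { print total + 0 }'
}
critical_vulnerability="$(count_severity CRITICAL)"
high_vulnerability="$(count_severity HIGH)"
printMessage "$HEART_ICON" "$HEART_ICON" "Vulnerabilities Report Generated...\n"

####################################################################################################
# Gate: pass only when both counts are at or below the configured thresholds. "Allowed" is an
# upper bound — a count that drops below the threshold (e.g. after a base-image update) must not
# break the deployment; it is reported so the threshold can be tightened again.
####################################################################################################
if (( critical_vulnerability <= ALLOWED_CRITICAL_VULNERABILITIES && high_vulnerability <= ALLOWED_HIGH_VULNERABILITIES )); then
  if (( ALLOWED_CRITICAL_VULNERABILITIES > 0 || ALLOWED_HIGH_VULNERABILITIES > 0 )); then
    printEmojiWrappedMessage "${GREEN}${HEART_ICON}" "Temporarily allowing '$ALLOWED_CRITICAL_VULNERABILITIES' CRITICAL and '$ALLOWED_HIGH_VULNERABILITIES' HIGH vulnerabilities"
  fi
  if (( critical_vulnerability < ALLOWED_CRITICAL_VULNERABILITIES || high_vulnerability < ALLOWED_HIGH_VULNERABILITIES )); then
    printEmojiWrappedMessage "${GREEN}${HEART_ICON}" "Findings are below the configured threshold; consider lowering ALLOWED_CRITICAL_HIGH_VULNERABILITIES to '${critical_vulnerability},${high_vulnerability}'."
  fi
  printEmojiWrappedMessage "${GREEN}${HEART_ICON}" "'$critical_vulnerability' Critical & '$high_vulnerability' High Vulnerabilities Identified, please review '${report}' for detailed information. \n Scan status : ${scan_status}"
else
  printEmojiWrappedMessage "${RED}${SKULL_ICON}" "'$critical_vulnerability' CRITICAL & '$high_vulnerability' HIGH Vulnerabilities Identified, please review '${report}' for detailed information."
  printEmojiWrappedMessage "${RED}${SKULL_ICON}" "Scan status : ${scan_status}\nFix the vulnerabilities to proceed with the deployment."
  exit 1
fi
echo "Trivy Vulnerabilities Scan Ends..."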