#!/usr/bin/env bash
# Copyright 2024 The Karmada Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Fail fast: abort on an unhandled non-zero status, on an unset variable, and
# when any stage of a pipeline fails (the trivy installer below is a pipeline).
set -euo pipefail
# This script starts an image scan with trivy.
# This script depends on utils in: ${REPO_ROOT}/hack/util.sh
# 1. Used to locally scan Karmada component images for vulnerabilities with trivy
# 2. Used to scan a specified image with trivy
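#######################################
# Print the command-line help for this script.
# Globals:   none
# Arguments: none
# Outputs:   usage line, examples and flag descriptions on stdout
# Returns:   0
#######################################
usage() {
  # Quoted heredoc delimiter: the text is emitted literally, nothing in it is
  # expanded by the shell.
  cat <<'EOF'
Usage:
  hack/scan-image-vuln.sh [-i imageRef] [-r registry] [-v version] [-s skip-image-generation] [-f format] [-h]
Examples:
  # starts an image scan with the specific image provided
  hack/scan-image-vuln.sh -i docker.io/karmada/karmada-controller-manager:v1.8.0
  # scan Karmada component images with trivy and images will be automatically generated, imageRef='docker.io/karmada/{imageName}:latest'
  hack/scan-image-vuln.sh
  # scan Karmada component images with trivy and images generation will be skipped, imageRef='docker.io/karmada/{imageName}:latest'
  hack/scan-image-vuln.sh -s
  # scan Karmada component images with trivy and provide specific image's registry or version
  hack/scan-image-vuln.sh -r foo  # imageRef='foo/{imageName}:latest'
  hack/scan-image-vuln.sh -s -v v1.8.0  # imageRef='docker.io/karmada/{imageName}:v1.8.0'
Args:
  i imageRef: starts an image scan with the specific image provided; if not provided, local Karmada images will be scanned
  r registry: registry of images
  v version: version of images
  s skip-image-generation: whether to skip image generation
  f format: output format (default: table). must be one of ['table' 'json' 'template' 'sarif' 'cyclonedx' 'spdx' 'spdx-json' 'github' 'cosign-vuln']
  h: print help information
EOF
}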
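#######################################
# Parse the command-line flags into the script's globals.
# Globals:   SKIP_IMAGE_GENERAION, IMAGEREF, REGISTRY, VERSION, FORMAT (written)
# Arguments: the script's positional parameters ("$@")
# Outputs:   usage text on -h, or a diagnostic on stderr plus usage on a bad flag
# Returns:   0; exits 0 after -h, exits 1 on an unknown flag or a missing value
#######################################
parse_args() {
  local opt
  # A local OPTIND lets a second call start from the first argument again.
  local OPTIND=1
  # '-h' and '-s' are flags without a value, so they carry no ':' in the spec.
  # The leading ':' switches getopts to silent mode, so a missing value (':')
  # and an unknown flag ('\?') are reported by the arms below.
  while getopts ':hsi:r:v:f:' opt; do
    case "${opt}" in
      h)
        usage
        exit 0
        ;;
      s) SKIP_IMAGE_GENERAION="true" ;;
      i) IMAGEREF=${OPTARG} ;;
      r) REGISTRY=${OPTARG} ;;
      v) VERSION=${OPTARG} ;;
      f) FORMAT=${OPTARG} ;;
      :)
        echo "option -${OPTARG} requires an argument" >&2
        usage
        exit 1
        ;;
      \?)
        echo "unknown option -${OPTARG}" >&2
        usage
        exit 1
        ;;
    esac
  done
}

parse_args "$@"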
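# Defaults for the flags that were not given on the command line.
FORMAT=${FORMAT:-"table"}
SKIP_IMAGE_GENERAION=${SKIP_IMAGE_GENERAION:-"false"}
IMAGEREF=${IMAGEREF:-""}

# Reject an output format up front instead of handing an arbitrary string to
# 'trivy image --format'. The accepted list mirrors the one printed by usage().
case "${FORMAT}" in
  table|json|template|sarif|cyclonedx|spdx|spdx-json|github|cosign-vuln) ;;
  *)
    echo "unsupported format '${FORMAT}'; run with -h for the accepted values" >&2
    exit 1
    ;;
esac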
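# util.sh sits next to this script (see the header comment); resolve it from
# the script's own location so the script also works when it is invoked from
# somewhere other than the repository root.
source "$(dirname "${BASH_SOURCE[0]}")/util.sh"

printf '%s' "Preparing: 'trivy' existence check - "
if util::cmd_exist trivy ; then
  echo "pass"
else
  echo "start installing trivy"
  # NOTE: this executes a script fetched over the network with the caller's
  # privileges and writes into /usr/local/bin; the trivy version is pinned so
  # the scanner in use is known. A pre-installed trivy skips this entirely.
  curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.1
  # Confirm the binary is actually usable before scanning (for example,
  # /usr/local/bin may not be on PATH for this shell).
  if ! util::cmd_exist trivy; then
    echo "trivy is still not available after installation" >&2
    exit 1
  fi
fi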
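# A single image was requested with -i: scan just that reference and stop;
# the component-image loop further down is not reached.
# The quoted test and arguments keep a reference containing spaces or glob
# characters from being split (the original unquoted '[ ${IMAGEREF} ]' broke
# on such values).
if [[ -n "${IMAGEREF}" ]]; then
  echo "---------------------------- the image scanning result of Image <<${IMAGEREF}>> ----------------------------"
  trivy image --format "${FORMAT}" --ignore-unfixed --vuln-type os,library --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL -q "${IMAGEREF}"
  exit 0
fi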
# Work from the repository root from here on; the script lives one level below it.
REPO_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
cd "${REPO_ROOT}"

# Registry and tag that make up every component image reference below.
# Exported, presumably so that 'make images' picks them up — confirm against the Makefile.
export VERSION=${VERSION:-"latest"}
export REGISTRY=${REGISTRY:-"docker.io/karmada"}

# Component images to scan, in scan order.
IMAGE_ARRAR=()
IMAGE_ARRAR+=(karmada-controller-manager karmada-scheduler karmada-descheduler)
IMAGE_ARRAR+=(karmada-webhook karmada-agent karmada-scheduler-estimator)
IMAGE_ARRAR+=(karmada-interpreter-webhook-example karmada-aggregated-apiserver)
IMAGE_ARRAR+=(karmada-search karmada-operator karmada-metrics-adapter)
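# Build the component images unless -s was given. '[[' keeps the comparison
# valid even if the variable is empty (the unquoted '[ ... == ... ]' form
# produced a test error in that case).
if [[ "${SKIP_IMAGE_GENERAION}" == "false" ]]; then
  echo "start generating image"
  make images GOOS="linux" --directory=.
fi

echo "start image scan"
# Every expansion is quoted so a name or tag is never word-split or globbed;
# each scan uses the same trivy flags as the single-image path above.
for image in "${IMAGE_ARRAR[@]}"; do
  imageRef="${REGISTRY}/${image}:${VERSION}"
  echo "---------------------------- the image scanning result of Image <<${imageRef}>> ----------------------------"
  trivy image --format "${FORMAT}" --ignore-unfixed --vuln-type os,library --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL -q "${imageRef}"
done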