
Commit 98581ec

Fixed a issue in trivy_scan.yaml and trivy_scan.sh
Signed-off-by: Hansini Karunarathne <[email protected]>
1 parent b127acc commit 98581ec


2 files changed

+26
-35
lines changed


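--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -8,11 +8,9 @@ on:
 - master
 
 jobs:
-# This job will run the image scan scripts
-image-scan:
+image-extraction-and-security-scan:
 runs-on: ubuntu-latest
 steps:
-# Checkout the code from repository
 - name: Checkout code
 uses: actions/checkout@v3
 
@@ -50,14 +48,14 @@ jobs:
 - name: Run image extracting and security scanning script
 run: |
 cd hack
-chmod +x extract_images.sh
-./extract_images.sh
+chmod +x trivy_scan.sh
+./trivy_scan.sh
 
 # Upload the artifact
 - name: Upload trivy scanned_results
 uses: actions/upload-artifact@v4
 with:
-name: my-artifact
+name: trivy_scanned_results
 path: docs/image_lists/
 
 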
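Review bot: The `Upload trivy scanned_results` step has no `if:` condition, so it runs only when the scan step succeeds; if `./trivy_scan.sh` exits non-zero, every report written before the failure is discarded with the job. Adding `if: always()` to that step keeps partial results available for triage while the job still fails. The step uploads `path: docs/image_lists/`, but the directories `trivy_scan.sh` writes its JSON reports and severity summaries to are set outside this section; please confirm they land under that path, otherwise the artifact will contain only the image lists. The context line `uses: actions/checkout@v3` references a moving tag; pinning it to a full commit SHA is the usual guard against a tampered action being pulled into this security job.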
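--- a/hack/trivy_scan.sh
+++ b/hack/trivy_scan.sh
@@ -99,7 +99,6 @@ mkdir -p "$SUMMARY_OF_SEVERITY_COUNTS"
 echo "Started scanning images"
 
 files=($(find "$DIRECTORY" -type f -name "*.txt" ! -name "kf_latest_all_images.txt"))
-echo "Files to scan: $files"
 
 # Loop through each text file in the specified directory
 for file in "${files[@]}"; do
@@ -108,7 +107,6 @@ for file in "${files[@]}"; do
 
 # Extract the base name of the file (without the directory and extension)
 file_base_name=$(basename "$file" .txt)
-echo "Scanning images in $file"
 
 # Directory to save reports for this specific file
 file_reports_dir="${SCAN_REPORTS_DIR}/${file_base_name}"
@@ -131,33 +129,29 @@ for file in "${files[@]}"; do
 image_name_scan="${image_name_scan}_${image_tag}"
 fi
 
-# Run Trivy scan and capture output
-trivy_output=$(trivy image --format json --output /dev/null "$line" 2>&1)
-
-# Check if the scan was successful
-if [[ $? -eq 0 ]]; then
-trivy_output=$(trivy image --format json --output "${file_reports_dir}/${image_name_scan}_scan.json" "$line")
-# Check if results exist in the scan file (before processing)
-is_json_empty=$(jq -r '.Results // false' "${file_reports_dir}/${image_name_scan}_scan.json")
-
-if [[ "$is_json_empty" == "false" ]]; then
-echo "No vulnerabilities found in $image_name:$image_tag"
-else
-# Filter results to include only elements with vulnerabilities
-results=$(jq -r '.Results? | .[] | select(.Vulnerabilities) | .Vulnerabilities | length > 0' "${file_reports_dir}/${image_name_scan}_scan.json")
-if [[ "$results" == "" || "$results" == "false" ]]; then
-echo "The vulnerability detection may be insufficient because security updates are not provided for $image_name:$image_tag"
-else
-# Count the number of vulnerabilities by severity
-severity_counts=$(jq 'reduce (.Results[].Vulnerabilities? // [])[] as $v ({"LOW": 0, "MEDIUM": 0, "HIGH": 0, "CRITICAL": 0}; .[$v.Severity]+=1)' "${file_reports_dir}/${image_name_scan}_scan.json")
-report=$(jq -n --arg image "$line" --argjson counts "$severity_counts" '{image: $image, severity_counts: $counts}')
-echo "$report" > "${severity_count}/${image_name_scan}_severity_report.json"
-fi
-fi
+echo "Scanning $image_name_scan"
 
+trivy image --format json --output "${file_reports_dir}/${image_name_scan}_scan.json" "$line"
+if [ $? -ne 0 ]; then
+echo "Error scanning $image_name:$image_tag"
 else
-# Trivy scan failed, handle the error (optional)
-echo "Error scanning $image_name:$image_tag: $trivy_output"
+# Check if results exist in the scan file (before processing)
+is_json_empty=$(jq -r '.Results // false' "${file_reports_dir}/${image_name_scan}_scan.json")
+
+if [[ "$is_json_empty" == "false" ]]; then
+echo "No vulnerabilities found in $image_name:$image_tag"
+else
+# Filter results to include only elements with vulnerabilities
+results=$(jq -r '.Results? | .[] | select(.Vulnerabilities) | .Vulnerabilities | length > 0' "${file_reports_dir}/${image_name_scan}_scan.json")
+if [[ "$results" == "" || "$results" == "false" ]]; then
+echo "The vulnerability detection may be insufficient because security updates are not provided for $image_name:$image_tag"
+else
+# Count the number of vulnerabilities by severity
+severity_counts=$(jq 'reduce (.Results[].Vulnerabilities? // [])[] as $v ({"LOW": 0, "MEDIUM": 0, "HIGH": 0, "CRITICAL": 0}; .[$v.Severity]+=1)' "${file_reports_dir}/${image_name_scan}_scan.json")
+report=$(jq -n --arg image "$line" --argjson counts "$severity_counts" '{image: $image, severity_counts: $counts}')
+echo "$report" > "${severity_count}/${image_name_scan}_severity_report.json"
+fi
+fi
 fi
 
 done < "$file"
@@ -207,7 +201,7 @@ for file in "$severity_dir"/*.json; do
 # Process the JSON file
 data=$(jq -r '.data[] | {LOW: .severity_counts.LOW, MEDIUM: .severity_counts.MEDIUM, HIGH: .severity_counts.HIGH, CRITICAL: .severity_counts.CRITICAL}' "$file")
 
-# Check if data is empty (no severity counts)
+# Check if data is empty
 if [[ -z "$data" ]]; then
 data="{\"LOW\": 0, \"MEDIUM\": 0, \"HIGH\": 0, \"CRITICAL\": 0}"
 fi
@@ -241,7 +235,6 @@ for file in "$severity_dir"/*.json; do
 all_data="{\"$filename\": $file_data,\"total\": { \"images\": $total_images, \"LOW\": $total_low, \"MEDIUM\": $total_medium, \"HIGH\": $total_high, \"CRITICAL\": $total_critical }}"
 merged_data=$(jq -s '.[0] * .[1]' <(echo "$merged_data") <(echo "$all_data"))
 
-
 done
 
 # Write the final output to a file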
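Review bot: A failed `trivy image` run in the third hunk (new lines 134-136) is only echoed and the loop moves on, so an image that could not be scanned leaves no `_severity_report.json` and silently disappears from the aggregate counts while the job still ends green; the failure should be recorded, e.g. `if ! trivy image --format json --output "${file_reports_dir}/${image_name_scan}_scan.json" "$line"; then` followed by `printf 'Error scanning %s:%s\n' "$image_name" "$image_tag" >&2` and `failed_images+=("$line")`, with the array declared before the `while` loop and a non-zero exit after the summary is written (both outside this hunk, as is the start of the loop that ends at `done < "$file"`). Testing `$?` on the line after the command is also fragile: if the script enables `set -e` above the visible lines, the failing `trivy` aborts the script before the `if` is reached, which the `if !` form above avoids. The old code captured trivy's stderr into `$trivy_output` and printed it on failure; the new error line drops that detail, so the reason a scan failed (registry auth, rate limit, unknown image) no longer appears in the CI log. The report is written under `${severity_count}/…` while the directory created in the first hunk's header is `$SUMMARY_OF_SEVERITY_COUNTS` and the later loop reads `$severity_dir`; I cannot see where `severity_count` is assigned, so please confirm these all refer to the same path, since an unset value would send the report to the filesystem root.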
