From f4c12a44eee97138989b1a69959bb3c461bae4bc Mon Sep 17 00:00:00 2001 From: Brian Downs Date: Tue, 15 Sep 2020 11:43:27 -0700 Subject: [PATCH 1/6] add trivy scans for built images Signed-off-by: Brian Downs --- Dockerfile.dapper | 12 +++++++++++- Makefile | 4 ++++ scripts/image_scan.sh | 20 ++++++++++++++++++++ scripts/package-image | 1 + 4 files changed, 36 insertions(+), 1 deletion(-) create mode 100755 scripts/image_scan.sh diff --git a/Dockerfile.dapper b/Dockerfile.dapper index 8824029fa6..f2e0018bfc 100644 --- a/Dockerfile.dapper +++ b/Dockerfile.dapper @@ -9,6 +9,16 @@ ENV no_proxy=$no_proxy RUN apk -U --no-cache add bash git gcc musl-dev docker vim less file curl wget ca-certificates jq linux-headers zlib-dev tar zip squashfs-tools npm coreutils \ python2 openssl-dev libffi-dev libseccomp libseccomp-dev make libuv-static sqlite-dev sqlite-static libselinux libselinux-dev zlib-dev zlib-static +RUN if [ "$(go env GOARCH)" = "arm64" ]; then \ + wget https://github.com/aquasecurity/trivy/releases/download/v0.7.0/trivy_0.7.0_Linux-ARM64.tar.gz && \ + tar -zxvf trivy_0.7.0_Linux-ARM64.tar.gz && \ + mv trivy /usr/local/bin; \ + else \ + wget https://github.com/aquasecurity/trivy/releases/download/v0.7.0/trivy_0.7.0_Linux-64bit.tar.gz && \ + tar -zxvf trivy_0.7.0_Linux-64bit.tar.gz && \ + mv trivy /usr/local/bin; \ + fi +RUN trivy --download-db-only RUN mkdir -p /go/src/golang.org/x && \ cd /go/src/golang.org/x && git clone https://github.com/golang/tools && cd tools && \ git checkout -b current aa82965741a9fecd12b026fbb3d3c6ed3231b8f8 && \ @@ -19,7 +29,7 @@ ARG DAPPER_HOST_ARCH ENV ARCH $DAPPER_HOST_ARCH RUN if [ "${ARCH}" = 'amd64' ]; then \ - curl -sL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s v1.30.0; \ + curl -sL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s v1.30.0; \ fi ARG SELINUX=true diff --git a/Makefile b/Makefile index 1b2ff55f05..3eca4ec940 100644 --- a/Makefile +++ b/Makefile 
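Review bot: The trivy tarball is fetched with a bare `wget` and extracted with no checksum or signature verification, so whatever the release URL serves at build time becomes a trusted binary in the build image; this applies to both branches of the new RUN step. Pin the expected digest and verify before the `mv`, e.g. `echo "<sha256>  trivy_0.7.0_Linux-64bit.tar.gz" | sha256sum -c -` (upstream publishes a per-release checksums file to take the value from, as far as I recall), and `rm` the tarball afterwards so it does not linger in the image. Separately, `RUN trivy --download-db-only` bakes a vulnerability DB at image-build time; unless later scans pass `--skip-update` I believe that DB only acts as a cache, and if it is meant to be authoritative the dapper image has to be rebuilt regularly or results go stale — a short comment on that line saying which is intended would help, e.g. `# Pre-seed the trivy DB so scans work offline; rebuild this image regularly to keep it current`.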
@@ -33,3 +33,7 @@ build/data: .PHONY: binary-size-check binary-size-check: scripts/binary_size_check.sh + +.PHONY: image-scan +image-scan: + scripts/image_scan.sh $(IMAGE) diff --git a/scripts/image_scan.sh b/scripts/image_scan.sh new file mode 100755 index 0000000000..aa5ece5a72 --- /dev/null +++ b/scripts/image_scan.sh @@ -0,0 +1,20 @@ +#/bin/sh + +set -e + +if [ -n ${DEBUG} ]; then + set -x +fi + +if [ -z $1 ]; then + echo "error: image tag required as argument. exiting..." + exit 1 +fi + +IMAGE=$1 +SEVERITIES="HIGH,CRITICAL" + +docker container run --rm --name=image-scan --volume /var/run/docker.sock:/var/run/docker.sock \ + docker.io/aquasec/trivy:0.10.2 --quiet image --severity ${SEVERITIES} --no-progress --ignore-unfixed ${IMAGE} + +exit 0 diff --git a/scripts/package-image b/scripts/package-image index 0a81622455..9d8b3aeda3 100755 --- a/scripts/package-image +++ b/scripts/package-image @@ -15,4 +15,5 @@ PROXY_OPTS= [ -z "$https_proxy" ] || PROXY_OPTS="$PROXY_OPTS --build-arg https_proxy=$https_proxy" [ -z "$no_proxy" ] || PROXY_OPTS="$PROXY_OPTS --build-arg no_proxy=$no_proxy" docker build ${PROXY_OPTS} -t ${IMAGE} -f package/Dockerfile . +./scripts/image_scan.sh ${IMAGE} echo Built ${IMAGE} From c53f7e99e22283ac36065e40c1223016bb288315 Mon Sep 17 00:00:00 2001 From: Brian Downs Date: Tue, 15 Sep 2020 11:54:34 -0700 Subject: [PATCH 2/6] update error message Signed-off-by: Brian Downs --- scripts/image_scan.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/image_scan.sh b/scripts/image_scan.sh index aa5ece5a72..dc0c103597 100755 --- a/scripts/image_scan.sh +++ b/scripts/image_scan.sh @@ -7,7 +7,7 @@ if [ -n ${DEBUG} ]; then fi if [ -z $1 ]; then - echo "error: image tag required as argument. exiting..." + echo "error: image name required as argument. exiting..." exit 1 fi From 75209a7ec76f4bcc4edb7027f6879a92ea565c9f Mon Sep 17 00:00:00 2001 
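Review bot: The new `image-scan` target passes `$(IMAGE)` but nothing in this hunk defines IMAGE, so unless it is exported from the environment or set elsewhere in the Makefile (not visible here) `make image-scan` only reaches the script's usage error. Either give it a default or document that it is required on the command line, and quote it so a value with spaces is not split, e.g. `scripts/image_scan.sh "$(IMAGE)"`.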
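Review bot: `if [ -n ${DEBUG} ]; then` is true even when DEBUG is unset, because the unquoted expansion disappears and a one-argument `[ -n ]` tests the literal string `-n`, so `set -x` is always switched on; `[ -z $1 ]` only works by the same accident and breaks on an argument containing spaces — quote both (`[ -n "${DEBUG}" ]`, `[ -z "$1" ]`). The first line is `#/bin/sh` without the `!`, so the file is not a valid shebang script and only runs because the calling shell falls back to interpreting it itself. As written the scan also cannot gate anything: trivy's exit status is 0 regardless of findings unless `--exit-code` is set, so package-image prints HIGH/CRITICAL results and still succeeds; if that is intended, say so in a comment, otherwise add `--exit-code 1`, and note that `--ignore-unfixed` hides vulnerabilities that have no upstream fix yet.
```shell
#!/bin/sh
# … unchanged: set -e …
if [ -n "${DEBUG}" ]; then
# … unchanged: set -x / fi …
if [ -z "$1" ]; then
# … unchanged: usage error, IMAGE and SEVERITIES assignments …
# Fail the build on HIGH/CRITICAL findings; drop --exit-code 1 if the scan is meant to be advisory only.
docker container run --rm --name=image-scan --volume /var/run/docker.sock:/var/run/docker.sock \
  docker.io/aquasec/trivy:0.10.2 --quiet image --severity "${SEVERITIES}" --exit-code 1 --no-progress --ignore-unfixed "${IMAGE}"
```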
From: Brian Downs Date: Tue, 15 Sep 2020 12:28:46 -0700 Subject: [PATCH 3/6] add support for arm Signed-off-by: Brian Downs --- Dockerfile.dapper | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Dockerfile.dapper b/Dockerfile.dapper index f2e0018bfc..9e93773f7c 100644 --- a/Dockerfile.dapper +++ b/Dockerfile.dapper @@ -13,6 +13,10 @@ RUN if [ "$(go env GOARCH)" = "arm64" ]; then \ wget https://github.com/aquasecurity/trivy/releases/download/v0.7.0/trivy_0.7.0_Linux-ARM64.tar.gz && \ tar -zxvf trivy_0.7.0_Linux-ARM64.tar.gz && \ mv trivy /usr/local/bin; \ + else if [ "$(go env GOARCH)" = "arm" ]; then \ + wget https://github.com/aquasecurity/trivy/releases/download/v0.7.0/trivy_0.7.0_Linux-ARM.tar.gz && \ + tar -zxvf trivy_0.7.0_Linux-ARM.tar.gz && \ + mv trivy /usr/local/bin; \ else \ wget https://github.com/aquasecurity/trivy/releases/download/v0.7.0/trivy_0.7.0_Linux-64bit.tar.gz && \ tar -zxvf trivy_0.7.0_Linux-64bit.tar.gz && \ From 3a2aff67da4b44415867213870a76a479d1c2fd1 Mon Sep 17 00:00:00 2001 From: Brian Downs Date: Tue, 15 Sep 2020 12:31:57 -0700 Subject: [PATCH 4/6] update shell if syntax Signed-off-by: Brian Downs --- Dockerfile.dapper | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile.dapper b/Dockerfile.dapper index 9e93773f7c..bb331a7b3b 100644 --- a/Dockerfile.dapper +++ b/Dockerfile.dapper 
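Review bot: The arm branch is a third copy of the same wget/tar/mv sequence, differing from the other two only in the release asset suffix, so every future version bump or the addition of a checksum check has to be applied three times. Mapping GOARCH to the suffix once with a `case` and running a single download sequence keeps the step to one place; the enclosing RUN instruction starts before and ends after this hunk.
```dockerfile
RUN case "$(go env GOARCH)" in \
      arm64) TRIVY_ASSET=Linux-ARM64 ;; \
      arm)   TRIVY_ASSET=Linux-ARM ;; \
      *)     TRIVY_ASSET=Linux-64bit ;; \
    esac && \
    wget https://github.com/aquasecurity/trivy/releases/download/v0.7.0/trivy_0.7.0_${TRIVY_ASSET}.tar.gz && \
    tar -zxvf trivy_0.7.0_${TRIVY_ASSET}.tar.gz && \
    mv trivy /usr/local/bin
```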
@@ -9,13 +9,13 @@ ENV no_proxy=$no_proxy RUN apk -U --no-cache add bash git gcc musl-dev docker vim less file curl wget ca-certificates jq linux-headers zlib-dev tar zip squashfs-tools npm coreutils \ python2 openssl-dev libffi-dev libseccomp libseccomp-dev make libuv-static sqlite-dev sqlite-static libselinux libselinux-dev zlib-dev zlib-static -RUN if [ "$(go env GOARCH)" = "arm64" ]; then \ +RUN if [ "$(go env GOARCH)" = "arm64" ]; then \ wget https://github.com/aquasecurity/trivy/releases/download/v0.7.0/trivy_0.7.0_Linux-ARM64.tar.gz && \ tar -zxvf trivy_0.7.0_Linux-ARM64.tar.gz && \ mv trivy /usr/local/bin; \ - else if [ "$(go env GOARCH)" = "arm" ]; then \ + elif [ "$(go env GOARCH)" = "arm" ]; then \ wget https://github.com/aquasecurity/trivy/releases/download/v0.7.0/trivy_0.7.0_Linux-ARM.tar.gz && \ - tar -zxvf trivy_0.7.0_Linux-ARM.tar.gz && \ + tar -zxvf trivy_0.7.0_Linux-ARM.tar.gz && \ mv trivy /usr/local/bin; \ else \ wget https://github.com/aquasecurity/trivy/releases/download/v0.7.0/trivy_0.7.0_Linux-64bit.tar.gz && \ From 74ce99f5ff1eb2a6d371a24f12caa87faa455e7e Mon Sep 17 00:00:00 2001 From: Brian Downs Date: Wed, 16 Sep 2020 13:37:42 -0700 Subject: [PATCH 5/6] remove use of docker image for arch purposes Signed-off-by: Brian Downs --- scripts/image_scan.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/scripts/image_scan.sh b/scripts/image_scan.sh index dc0c103597..605374350f 100755 --- a/scripts/image_scan.sh +++ b/scripts/image_scan.sh @@ -14,7 +14,6 @@ fi IMAGE=$1 SEVERITIES="HIGH,CRITICAL" -docker container run --rm --name=image-scan --volume /var/run/docker.sock:/var/run/docker.sock \ - docker.io/aquasec/trivy:0.10.2 --quiet image --severity ${SEVERITIES} --no-progress --ignore-unfixed ${IMAGE} +trivy --quiet image --severity ${SEVERITIES} --no-progress --ignore-unfixed ${IMAGE} exit 0 From 20a83272143911bfd5a7588dab02df909f1ab79b Mon Sep 17 00:00:00 2001 
From: Brian Downs Date: Wed, 16 Sep 2020 13:49:51 -0700 Subject: [PATCH 6/6] use latest trivy version Signed-off-by: Brian Downs --- Dockerfile.dapper | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/Dockerfile.dapper b/Dockerfile.dapper index bb331a7b3b..c30fae86b9 100644 --- a/Dockerfile.dapper +++ b/Dockerfile.dapper 
@@ -9,18 +9,18 @@ ENV no_proxy=$no_proxy RUN apk -U --no-cache add bash git gcc musl-dev docker vim less file curl wget ca-certificates jq linux-headers zlib-dev tar zip squashfs-tools npm coreutils \ python2 openssl-dev libffi-dev libseccomp libseccomp-dev make libuv-static sqlite-dev sqlite-static libselinux libselinux-dev zlib-dev zlib-static -RUN if [ "$(go env GOARCH)" = "arm64" ]; then \ - wget https://github.com/aquasecurity/trivy/releases/download/v0.7.0/trivy_0.7.0_Linux-ARM64.tar.gz && \ - tar -zxvf trivy_0.7.0_Linux-ARM64.tar.gz && \ - mv trivy /usr/local/bin; \ - elif [ "$(go env GOARCH)" = "arm" ]; then \ - wget https://github.com/aquasecurity/trivy/releases/download/v0.7.0/trivy_0.7.0_Linux-ARM.tar.gz && \ - tar -zxvf trivy_0.7.0_Linux-ARM.tar.gz && \ - mv trivy /usr/local/bin; \ - else \ - wget https://github.com/aquasecurity/trivy/releases/download/v0.7.0/trivy_0.7.0_Linux-64bit.tar.gz && \ - tar -zxvf trivy_0.7.0_Linux-64bit.tar.gz && \ - mv trivy /usr/local/bin; \ +RUN if [ "$(go env GOARCH)" = "arm64" ]; then \ + wget https://github.com/aquasecurity/trivy/releases/download/v0.11.0/trivy_0.11.0_Linux-ARM64.tar.gz && \ + tar -zxvf trivy_0.11.0_Linux-ARM64.tar.gz && \ + mv trivy /usr/local/bin; \ + elif [ "$(go env GOARCH)" = "arm" ]; then \ + wget https://github.com/aquasecurity/trivy/releases/download/v0.11.0/trivy_0.11.0_Linux-ARM.tar.gz && \ + tar -zxvf trivy_0.11.0_Linux-ARM.tar.gz && \ + mv trivy /usr/local/bin; \ + else \ + wget https://github.com/aquasecurity/trivy/releases/download/v0.11.0/trivy_0.11.0_Linux-64bit.tar.gz && \ + tar -zxvf trivy_0.11.0_Linux-64bit.tar.gz && \ + mv trivy /usr/local/bin; \ fi RUN trivy --download-db-only RUN mkdir -p /go/src/golang.org/x && \