Commit 16816f94 authored by Guilhem Bonnefille's avatar Guilhem Bonnefille Committed by Pierre Smeyers

feat(sec): add vulnerabilities summary in the security page overview

parent 9b90dfd9
+1 −0
@@ -64,6 +64,7 @@ Here are vulnerability reports for each default image used by _to be continuous_
<th>Template</th>
<th>Image Variable</th>
<th>Default Image</th>
<th>Vulnerabilities</th>
</tr></thead>
<tbody>
--8<-- "docs/secu/trivy-reports-body.part.html"
+8 −4
@@ -257,7 +257,7 @@ function process_default_images() {
    # features images
    jq -r '.templates[] |
        "\(.name)|feat|\(.features[]? | .variables[]? | select(.name | test(".*_IMAGE$")) | "\(.name)|\(.default)")"' "$JSON_OUT"
  } | awk '!/(\|null$|\$CI_REGISTRY_IMAGE)/{print}' > $IMAGES_OUT
  } | awk '!/(\|null$|\$CI_REGISTRY_IMAGE)/{print}' | sort -f -t '|' -k3 > $IMAGES_OUT
  # exclude 'null' images or images containing '$CI_REGISTRY_IMAGE'

  # 2: build Trivy Reports TOC file
@@ -267,7 +267,7 @@ function process_default_images() {
    var_name=$(echo "$line" | cut -d '|' -f3)
    touch "docs/secu/trivy-$var_name.md"
    echo "- $var_name: secu/trivy-$var_name.md"
  done < $IMAGES_OUT | sort -f | uniq > "$toc_file"
  done < $IMAGES_OUT | uniq > "$toc_file"

  # 3: build Trivy Reports index
  while read -r line
@@ -276,9 +276,13 @@ function process_default_images() {
    img_usage=$(echo "$line" | cut -d '|' -f2)
    var_name=$(echo "$line" | cut -d '|' -f3)
    img_uri=$(echo "$line" | cut -d '|' -f4)
    # create placeholder
    echo "<td>not fetched</td>" > docs/secu/trivy-${var_name}.part.html
    # write row in trivy-reports-body.part.html
    echo "<!-- $var_name --><tr class=\"img-$img_usage\"><td>$tmpl_name</td><td><a href=\"trivy-$var_name\">$var_name</a></td><td><code>$img_uri</code></td></tr>"
  done < $IMAGES_OUT | sort -f > docs/secu/trivy-reports-body.part.html
    echo "<!-- $var_name --><tr class=\"img-$img_usage\"><td>$tmpl_name</td><td><a href=\"trivy-$var_name\">$var_name</a></td><td><code>$img_uri</code></td>"
    echo "--8<-- \"docs/secu/trivy-${var_name}.part.html\""
    echo "</tr>"
  done < $IMAGES_OUT > docs/secu/trivy-reports-body.part.html
}

function build_aggregated_toc() {
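Review bot: `$IMAGES_OUT` is still expanded unquoted in the changed redirects, `> $IMAGES_OUT` in the first hunk and `done < $IMAGES_OUT` in the second and third, which ShellCheck flags (SC2086) and which breaks on a path containing whitespace. The new `sort -f -t '|' -k3` key also runs from field 3 to the end of the line, so rows sharing a variable name are additionally ordered by the image URI; `-k3,3` pins the key to the variable name alone, and the `uniq` on the TOC keeps working because duplicate lines stay adjacent either way. I'd write `} | awk '!/(\|null$|\$CI_REGISTRY_IMAGE)/{print}' | sort -f -t '|' -k3,3 > "$IMAGES_OUT"` and `done < "$IMAGES_OUT" > docs/secu/trivy-reports-body.part.html`. process_default_images starts outside these hunks.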
+7 −3
@@ -44,10 +44,14 @@ do
  var_name=$(echo "$line" | cut -d '|' -f3)
  img_uri=$(echo "$line" | cut -d '|' -f4)
  log_info "--- scanning ($img_usage) \\e[33;1m${var_name}\\e[0m image for \\e[33;1m${tmpl_name}\\e[0m template: \\e[32m${img_uri}\\e[0m"
  # JSON format
  trivy image --cache-dir .cache --scanners vuln --format json --exit-code 0 --output "docs/secu/trivy-${var_name}.json" "$img_uri" || log_warn "Failed"
  # MkDocs format
  trivy image --cache-dir .cache --scanners vuln --format template --exit-code 0 --template "@trivy-report.tpl" --output "docs/secu/trivy-${var_name}.md" "$img_uri" || log_warn "Failed"
  trivy convert --format template --template "@trivy-report.tpl" --output "docs/secu/trivy-${var_name}.md" "docs/secu/trivy-${var_name}.json" || log_warn "Failed"
  # HTML part
  trivy convert --format template --template "@trivy-report-part.tpl" --output "docs/secu/trivy-${var_name}.part.html" "docs/secu/trivy-${var_name}.json" || log_warn "Failed"
  # # GitLab format
  # trivy image --scanners vuln --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output "reports/trivy-${var_name}.gitlab.json" "$img_uri" || log_warn "failed"
  # trivy convert --format template --template "@/contrib/gitlab.tpl" --output "reports/trivy-${var_name}.gitlab.json" "docs/secu/trivy-${var_name}.json" || log_warn "failed"
  # # text format (stdout)
  # trivy image --scanners vuln --format table --exit-code 0 "$img_uri" || log_warn "failed"
  # trivy convert --format table "docs/secu/trivy-${var_name}.json" || log_warn "failed"
done < ./tbc-default-images.out
 No newline at end of file
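Review bot: When the `trivy image` scan at the top of the hunk fails, the loop still runs the two new `trivy convert` steps against `docs/secu/trivy-${var_name}.json`, which is either absent (two more "Failed" warnings) or, if a JSON file from an earlier run is present in the working tree, a stale report that then gets published as the current vulnerability summary. Skipping the rest of the iteration on scan failure is safer, and, assuming process_default_images has already written the `<td>not fetched</td>` placeholder, leaves the page showing the honest state: `trivy image --cache-dir .cache --scanners vuln --format json --exit-code 0 --output "docs/secu/trivy-${var_name}.json" "$img_uri" || { log_warn "Failed"; continue; }`. The enclosing `while` loop starts outside the hunk.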

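--- /dev/null
+++ b/trivy-report-part.tpl
@@ -0,0 +1,58 @@
+{{- $critical := 0 }}
+{{- $high := 0 }}
+{{- $medium := 0 }}
+{{- $low := 0 }}
+{{- $unknown := 0 }}
+{{- range . }}
+{{- range .Vulnerabilities }}
+{{- if  eq .Severity "CRITICAL" }}
+{{- $critical = add $critical 1 }}
+{{- end }}
+{{- if  eq .Severity "HIGH" }}
+{{- $high = add $high 1 }}
+{{- end }}
+{{- if  eq .Severity "MEDIUM" }}
+{{- $medium = add $medium 1 }}
+{{- end }}
+{{- if  eq .Severity "LOW" }}
+{{- $low = add $low 1 }}
+{{- end }}
+{{- if  eq .Severity "UNKNOWN" }}
+{{- $unknown = add $unknown 1 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- $max := "" }}
+{{- if $critical }}
+{{- $max = "CRITICAL" }}
+{{- else if $high }}
+{{- $max = "HIGH" }}
+{{- else if $medium }}
+{{- $max = "MEDIUM" }}
+{{- else if $low }}
+{{- $max = "LOW" }}
+{{- else if $unknown }}
+{{- $max = "UNKNOWN" }}
+{{- end }}
+{{- $next := 0 }}
+<td class="trivy vuln severity-{{ $max }}">
+{{- if $critical }}
+{{- $next = add $high $medium $low $unknown }}
+{{ $critical }} Critical{{ if $next }},{{ end }}
+{{- end }}
+{{- if $high }}
+{{- $next = add $medium $low $unknown }}
+{{ $high }} High{{ if $next }},{{ end }}
+{{- end }}
+{{- if $medium }}
+{{- $next = add $low $unknown }}
+{{ $medium }} Medium{{ if $next }},{{ end }}
+{{- end }}
+{{- if $low }}
+{{- $next = $unknown }}
+{{ $low }} Low{{ if $next }},{{ end }}
+{{- end }}
+{{- if $unknown }}
+{{ $unknown }} Unknown
+{{- end }}
+</td>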
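Review bot: An image whose scan reports no vulnerabilities renders as `<td class="trivy vuln severity-">` with an empty cell, because `$max` stays `""` and none of the count branches fire, so a clean result is indistinguishable at a glance from a template that produced nothing. A final branch before `</td>`, e.g. `{{- if not $max }}none{{- end }}`, would make the clean state explicit, and a fallback such as `{{- $max = "NONE" }}` in the severity chain would give the class a usable value for styling. Both the counting and the rendering also rely on `.Vulnerabilities` carrying only the severities listed here; anything else is silently dropped from the total, which may be intended but is worth a one-line comment at the top of the template.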