Loading .gitlab-ci.yml +3 −0 Original line number Diff line number Diff line Loading @@ -57,6 +57,9 @@ scan-images: paths: - .cache stage: codegen before_script: # jq is required (to extract info from scan results and generate Triby badge) - apk add --no-cache jq script: - ./scan-images.sh artifacts: Loading scan-images.sh +43 −1 Original line number Diff line number Diff line Loading 
@@ -55,5 +55,47 @@ do # # text format (stdout) # trivy convert --format table "docs/secu/trivy-${var_name}.json" || log_warn "failed" # clear JSON format rm "docs/secu/trivy-${var_name}.json" # create Trivy badge cp -f trivy-badge-failed.svg "docs/secu/trivy-badge-${var_name}.svg" if [ -f "docs/secu/trivy-${var_name}.json" ] then count_by_severity=$(jq -r '.Results[]?.Vulnerabilities[]?.Severity' "docs/secu/trivy-${var_name}.json" | sort | uniq -c) count_critical=$(echo "$count_by_severity" | awk '/CRITICAL$/{print $1}') count_high=$(echo "$count_by_severity" | awk '/HIGH$/{print $1}') count_medium=$(echo "$count_by_severity" | awk '/MEDIUM$/{print $1}') count_low=$(echo "$count_by_severity" | awk '/LOW$/{print $1}') count_unk=$(echo "$count_by_severity" | awk '/UNKNOWN$/{print $1}') badge_text="" if [ "$count_unk" ]; then badge_text="$count_unk UNK${badge_text:+ | $badge_text}" badge_color="747474" fi if [ "$count_low" ]; then badge_text="$count_low LOW${badge_text:+ | $badge_text}" badge_color="5fbb31" fi if [ "$count_medium" ]; then badge_text="$count_medium MED${badge_text:+ | $badge_text}" badge_color="e9c600" fi if [ "$count_high" ]; then badge_text="$count_high HIGH${badge_text:+ | $badge_text}" badge_color="ff8800" fi if [ "$count_critical" ]; then badge_text="$count_critical CRIT${badge_text:+ | $badge_text}" badge_color="e40000" fi if [ -z "$badge_text" ]; then badge_text="no vuln" badge_color="5fbb31" fi # generate/download badge log_info " ... 
generating Trivy badge (\\e[32m${badge_text}\\e[0m): https://img.shields.io/badge/%F0%9F%9B%A1_Trivy-${badge_text// /_}-${badge_color}" wget -q "https://img.shields.io/badge/%F0%9F%9B%A1_Trivy-${badge_text// /_}-${badge_color}" -O "docs/secu/trivy-badge-${var_name}.svg" || log_warn "Failed to generate badge" fi # finally remove Tricy JSON report rm -f "docs/secu/trivy-${var_name}.json" done < ./tbc-default-images.out trivy-badge-failed.svg 0 → 100644 +1 −0 Original line number Diff line number Diff line <svg xmlns="http://www.w3.org/2000/svg" width="92" height="20" role="img" aria-label="🛡 Trivy: failed"><title>🛡 Trivy: failed</title><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="92" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="53" height="20" fill="#555"/><rect x="53" width="39" height="20" fill="#9f9f9f"/><rect width="92" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="275" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="430">🛡 Trivy</text><text x="275" y="140" transform="scale(.1)" fill="#fff" textLength="430">🛡 Trivy</text><text aria-hidden="true" x="715" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="290">failed</text><text x="715" y="140" transform="scale(.1)" fill="#fff" textLength="290">failed</text></g></svg> No newline at end of file Loading
.gitlab-ci.yml +3 −0 Original line number Diff line number Diff line Loading @@ -57,6 +57,9 @@ scan-images: paths: - .cache stage: codegen before_script: # jq is required (to extract info from scan results and generate Triby badge) - apk add --no-cache jq script: - ./scan-images.sh artifacts: Loading
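Review bot: The new `before_script` step `- apk add --no-cache jq` pulls jq from the package index on every job run with no version pin, so the scan job now also depends on that registry being reachable and on whichever jq build it serves that day; if reproducible scan results matter, either bake jq into the job image or pin it, e.g. `- apk add --no-cache jq=<pinned-version>` (placeholder version). The accompanying comment has a typo and should read `# jq is required (to extract info from scan results and generate Trivy badge)`. The enclosing `scan-images` job definition begins before this hunk.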
scan-images.sh +43 −1 Original line number Diff line number Diff line Loading @@ -55,5 +55,47 @@ do # # text format (stdout) # trivy convert --format table "docs/secu/trivy-${var_name}.json" || log_warn "failed" # clear JSON format rm "docs/secu/trivy-${var_name}.json" # create Trivy badge cp -f trivy-badge-failed.svg "docs/secu/trivy-badge-${var_name}.svg" if [ -f "docs/secu/trivy-${var_name}.json" ] then count_by_severity=$(jq -r '.Results[]?.Vulnerabilities[]?.Severity' "docs/secu/trivy-${var_name}.json" | sort | uniq -c) count_critical=$(echo "$count_by_severity" | awk '/CRITICAL$/{print $1}') count_high=$(echo "$count_by_severity" | awk '/HIGH$/{print $1}') count_medium=$(echo "$count_by_severity" | awk '/MEDIUM$/{print $1}') count_low=$(echo "$count_by_severity" | awk '/LOW$/{print $1}') count_unk=$(echo "$count_by_severity" | awk '/UNKNOWN$/{print $1}') badge_text="" if [ "$count_unk" ]; then badge_text="$count_unk UNK${badge_text:+ | $badge_text}" badge_color="747474" fi if [ "$count_low" ]; then badge_text="$count_low LOW${badge_text:+ | $badge_text}" badge_color="5fbb31" fi if [ "$count_medium" ]; then badge_text="$count_medium MED${badge_text:+ | $badge_text}" badge_color="e9c600" fi if [ "$count_high" ]; then badge_text="$count_high HIGH${badge_text:+ | $badge_text}" badge_color="ff8800" fi if [ "$count_critical" ]; then badge_text="$count_critical CRIT${badge_text:+ | $badge_text}" badge_color="e40000" fi if [ -z "$badge_text" ]; then badge_text="no vuln" badge_color="5fbb31" fi # generate/download badge log_info " ... generating Trivy badge (\\e[32m${badge_text}\\e[0m): https://img.shields.io/badge/%F0%9F%9B%A1_Trivy-${badge_text// /_}-${badge_color}" wget -q "https://img.shields.io/badge/%F0%9F%9B%A1_Trivy-${badge_text// /_}-${badge_color}" -O "docs/secu/trivy-badge-${var_name}.svg" || log_warn "Failed to generate badge" fi # finally remove Tricy JSON report rm -f "docs/secu/trivy-${var_name}.json" done < ./tbc-default-images.out
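Review bot: The line `wget -q "https://img.shields.io/..." -O "docs/secu/trivy-badge-${var_name}.svg" || log_warn "Failed to generate badge"` defeats the fallback installed by `cp -f trivy-badge-failed.svg` earlier in the hunk: wget truncates the `-O` target before the transfer starts, so a DNS failure or HTTP error leaves an empty SVG where the "failed" badge was meant to stay. Download to a temporary path with a timeout and only replace the badge on success, e.g. `wget -q -T 30 "<badge-url>" -O "docs/secu/trivy-badge-${var_name}.svg.tmp" && mv -f "docs/secu/trivy-badge-${var_name}.svg.tmp" "docs/secu/trivy-badge-${var_name}.svg" || { rm -f "docs/secu/trivy-badge-${var_name}.svg.tmp"; log_warn "Failed to generate badge"; }`. Separately, `count_by_severity=$(jq -r ... | sort | uniq -c)` takes its exit status from `uniq`, so a jq parse error on a malformed report yields an empty string and every count is blank, which makes the badge read "no vuln" in green; unless `pipefail` is set earlier in the script (outside this hunk), run jq on its own first and treat a non-zero status as a failed scan. The `while ... done < ./tbc-default-images.out` loop body starts before the hunk, and the comment `# finally remove Tricy JSON report` should read `# finally remove Trivy JSON report`.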
trivy-badge-failed.svg 0 → 100644 +1 −0 Original line number Diff line number Diff line <svg xmlns="http://www.w3.org/2000/svg" width="92" height="20" role="img" aria-label="🛡 Trivy: failed"><title>🛡 Trivy: failed</title><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="92" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="53" height="20" fill="#555"/><rect x="53" width="39" height="20" fill="#9f9f9f"/><rect width="92" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="275" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="430">🛡 Trivy</text><text x="275" y="140" transform="scale(.1)" fill="#fff" textLength="430">🛡 Trivy</text><text aria-hidden="true" x="715" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="290">failed</text><text x="715" y="140" transform="scale(.1)" fill="#fff" textLength="290">failed</text></g></svg> No newline at end of file