
     1  #!/bin/bash
     2  # Copyright 2021 The Skaffold Authors
     3  #
     4  # Licensed under the Apache License, Version 2.0 (the "License");
     5  # you may not use this file except in compliance with the License.
     6  # You may obtain a copy of the License at
     7  #
     8  #     http://www.apache.org/licenses/LICENSE-2.0
     9  #
    10  # Unless required by applicable law or agreed to in writing, software
    11  # distributed under the License is distributed on an "AS IS" BASIS,
    12  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  # See the License for the specific language governing permissions and
    14  # limitations under the License.
    15  
    16  # This script scans the vulnerability report that is generated by Container Analysis.
    17  
set -xeo pipefail
# Variables that will be substituted in cloudbuild.yaml; each one falls back
# to the LTS default when the substitution is unset or empty.
PROJECT_ID=${PROJECT_ID:-k8s-skaffold}
_IMAGE=${_IMAGE:-skaffold}
_TAG_FILTER=${_TAG_FILTER:-"v.*lts"}
_SEVERITIES=${_SEVERITIES:-"HIGH CRITICAL"}

# If changed, also change the same variable in report.sh.
OS_VULN_FILE=/workspace/os_vuln.txt
BASE_IMAGE="gcr.io/$PROJECT_ID/$_IMAGE"
    36  
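#######################################
# Appends one line to a file.
# Arguments: $1 - text to write as a single line
#            $2 - path of the file to append to
# Outputs:   nothing on stdout; the line is appended to $2
#######################################
append() {
  # Quoted expansions: $1 is written verbatim as exactly one line even if it
  # contains whitespace or glob characters, and $2 is treated as one path.
  printf '%s\n' "$1" >> "$2"
}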
    40  
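#######################################
# Records every LTS image whose package-vulnerability report mentions one of
# the requested severities.
# Arguments:
#   $1 - base image without tag, e.g. gcr.io/PROJECT/IMAGE
#   $2 - regex passed to gcloud as the tags filter; used only when $5 is empty
#   $3 - whitespace-separated severities to grep for, e.g. "HIGH CRITICAL"
#   $4 - file that matching "image:tags" references are appended to (append())
#   $5 - optional pre-computed tag list: whitespace-separated groups, each
#        group being the comma-joined tags of one image; listed from the
#        registry when empty
# Outputs:   progress lines and the matching report lines on stdout
# Returns:   1 when no severity is given; a failing gcloud call aborts the
#            script under the file's set -e
#######################################
check_vulnerability(){
  local base_image=$1
  local tags_filter=$2
  local severities=$3
  local result_file=$4
  local tags=$5
  local s tagsByComma image report
  local -a grep_args=() tagArr=()

  if [ -z "$tags" ]; then
    tags=$(gcloud container images list-tags "$base_image" --filter="tags~$tags_filter" --format='value(tags)')
  fi

  # Build the grep pattern list as an array instead of a string fed to eval,
  # so severity values reach grep verbatim and are never re-parsed by the shell.
  # shellcheck disable=SC2086 -- $severities is intentionally word-split
  for s in $severities; do
    grep_args+=(-e "$s")
  done
  if [ "${#grep_args[@]}" -eq 0 ]; then
    printf '%s\n' "check_vulnerability: no severities given" >&2
    return 1
  fi

  # Each word of $tags is the comma-joined tag list of one image; the first
  # tag is enough to address it, the full list is what gets recorded.
  # shellcheck disable=SC2086 -- $tags is intentionally word-split
  for tagsByComma in $tags; do
    IFS="," read -ra tagArr <<< "${tagsByComma}"
    image=$base_image:${tagArr[0]}
    echo "Checking vulnerabilities of image:" "$image"
    # Capture the report before grepping so a failing gcloud call still stops
    # the script (set -e) instead of reading as "no matching vulnerabilities".
    report=$(gcloud beta container images describe "$image" --show-package-vulnerability)
    if grep "${grep_args[@]}" <<< "$report"; then
      append "$base_image":"$tagsByComma" "$result_file"
    fi
  done
}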
    65  
    66  # Main
    67  # Scans the LTS images
    68  check_vulnerability $BASE_IMAGE "$_TAG_FILTER" "$_SEVERITIES" "$OS_VULN_FILE" "$_TAGS"