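#!/bin/bash
# Entrypoint for the Trivy GitHub Action.
#
# action.yaml forwards every workflow input to this script as a single-letter
# flag (see the getopts loop below). The script normalises those values,
# assembles the trivy command line from them, runs the scan and, for the
# "github" output format, uploads the resulting dependency snapshot.
#
# Every flag value is workflow-controlled text. It is therefore kept in bash
# arrays and handed to trivy/curl as discrete argv words; nothing is pasted
# into a string that the shell re-splits or globs. (With the previous string
# building, a skip-files pattern such as "**/*.md" was expanded against the
# checkout before trivy ever saw it, and a value containing a space became
# two arguments.)
set -eo pipefail

#######################################
# Normalise one option value: drop carriage returns left by CRLF workflow
# files and strip leading/trailing whitespace. Internal whitespace is kept.
# Arguments: $1 - raw value
# Outputs:   the normalised value on stdout (no trailing newline)
#######################################
trim() {
  local s=${1//$'\r'/}
  s=${s#"${s%%[![:space:]]*}"}
  s=${s%"${s##*[![:space:]]}"}
  printf '%s' "$s"
}

#######################################
# Split a comma- or newline-separated option value into one entry per line.
# Each entry is trimmed; empty entries are dropped. Entries may contain
# spaces (they are not split further).
# Arguments: $1 - raw value
# Outputs:   one entry per line on stdout
#######################################
split_csv() {
  local item
  while IFS= read -r item || [ -n "$item" ]; do
    item=$(trim "$item")
    if [ -n "$item" ]; then
      printf '%s\n' "$item"
    fi
  done < <(tr ',' '\n' <<<"$1")
}

# Flag letters are fixed by action.yaml; note that -h is the output path, not
# help. Unknown flags are reported by getopts and otherwise ignored, as before.
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:z:" o; do
  case "${o}" in
    a) export scanType=${OPTARG} ;;
    b) export format=${OPTARG} ;;
    c) export template=${OPTARG} ;;
    d) export exitCode=${OPTARG} ;;
    e) export ignoreUnfixed=${OPTARG} ;;
    f) export vulnType=${OPTARG} ;;
    g) export severity=${OPTARG} ;;
    h) export output=${OPTARG} ;;
    i) export imageRef=${OPTARG} ;;
    j) export scanRef=${OPTARG} ;;
    k) export skipDirs=${OPTARG} ;;
    l) export input=${OPTARG} ;;
    m) export cacheDir=${OPTARG} ;;
    n) export timeout=${OPTARG} ;;
    o) export ignorePolicy=${OPTARG} ;;
    p) export hideProgress=${OPTARG} ;;
    q) export skipFiles=${OPTARG} ;;
    r) export listAllPkgs=${OPTARG} ;;
    s) export scanners=${OPTARG} ;;
    t) export trivyIgnores=${OPTARG} ;;
    u) export githubPAT=${OPTARG} ;;
    v) export trivyConfig=${OPTARG} ;;
    x) export tfVars=${OPTARG} ;;
    z) export limitSeveritiesForSARIF=${OPTARG} ;;
    *) ;;
  esac
done

# Normalise every value once, up front: a stray "\r" or surrounding blank
# would otherwise end up inside a trivy argument. printf -v keeps the
# variable's export attribute.
for name in scanType format template exitCode ignoreUnfixed vulnType severity \
    output imageRef scanRef skipDirs input cacheDir timeout ignorePolicy \
    hideProgress skipFiles listAllPkgs scanners trivyIgnores githubPAT \
    trivyConfig tfVars limitSeveritiesForSARIF; do
  printf -v "$name" '%s' "$(trim "${!name}")"
done

if [ -z "$scanType" ]; then
  printf 'ERROR: scan type (-a) is required.\n' >&2
  exit 1
fi

# Scan target: the image reference by default, the repository/filesystem path
# for the path-based scan types, or a saved archive via --input.
# `artifactRef` keeps the exported string form; `target` is what is executed.
export artifactRef="${imageRef}"
case "$scanType" in
  repo|fs|filesystem|config|rootfs) artifactRef=${scanRef} ;;
esac
target=()
if [ -n "$artifactRef" ]; then
  target=("$artifactRef")
fi
if [ -n "$input" ]; then
  artifactRef="--input ${input}"
  target=(--input "$input")
fi

GLOBAL_ARGS=()
if [ -n "$cacheDir" ]; then
  GLOBAL_ARGS+=(--cache-dir "$cacheDir")
fi

# ARGS is the full option set; SARIF_ARGS is the subset used for the SARIF
# report, which deliberately omits --severity/--format/--output (see below).
SARIF_ARGS=()
ARGS=()
if [ -n "$format" ]; then
  ARGS+=(--format "$format")
fi
if [ -n "$template" ]; then
  ARGS+=(--template "$template")
fi
if [ -n "$exitCode" ]; then
  ARGS+=(--exit-code "$exitCode")
  SARIF_ARGS+=(--exit-code "$exitCode")
fi
if [ "$ignoreUnfixed" = "true" ] && [ "$scanType" != "config" ]; then
  ARGS+=(--ignore-unfixed)
  SARIF_ARGS+=(--ignore-unfixed)
fi
if [ -n "$vulnType" ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ]; then
  ARGS+=(--vuln-type "$vulnType")
  SARIF_ARGS+=(--vuln-type "$vulnType")
fi
if [ -n "$scanners" ]; then
  ARGS+=(--scanners "$scanners")
  SARIF_ARGS+=(--scanners "$scanners")
fi
if [ -n "$severity" ]; then
  ARGS+=(--severity "$severity")
fi
if [ -n "$output" ]; then
  ARGS+=(--output "$output")
fi
if [ -n "$skipDirs" ]; then
  mapfile -t items < <(split_csv "$skipDirs")
  for d in "${items[@]}"; do
    ARGS+=(--skip-dirs "$d")
    SARIF_ARGS+=(--skip-dirs "$d")
  done
fi
if [ -n "$tfVars" ] && [ "$scanType" = "config" ]; then
  ARGS+=(--tf-vars "$tfVars")
fi

# Concatenate all requested ignore files into ./trivyignores. A missing file
# is a hard error so a typo cannot silently un-ignore findings.
if [ -n "$trivyIgnores" ]; then
  mapfile -t items < <(split_csv "$trivyIgnores")
  for f in "${items[@]}"; do
    if [ -f "$f" ]; then
      printf "Found ignorefile '%s':\n" "$f"
      cat -- "$f"
      # Trailing newline so a file without one cannot fuse with the next.
      { cat -- "$f"; printf '\n'; } >> ./trivyignores
    else
      printf "ERROR: cannot find ignorefile '%s'.\n" "$f" >&2
      exit 1
    fi
  done
  ARGS+=(--ignorefile ./trivyignores)
fi
if [ -n "$timeout" ]; then
  ARGS+=(--timeout "$timeout")
  SARIF_ARGS+=(--timeout "$timeout")
fi
if [ -n "$ignorePolicy" ]; then
  ARGS+=(--ignore-policy "$ignorePolicy")
  SARIF_ARGS+=(--ignore-policy "$ignorePolicy")
fi
if [ "$hideProgress" = "true" ]; then
  ARGS+=(--no-progress)
  SARIF_ARGS+=(--no-progress)
fi
if [ "$listAllPkgs" = "true" ]; then
  ARGS+=(--list-all-pkgs)
fi
if [ -n "$skipFiles" ]; then
  mapfile -t items < <(split_csv "$skipFiles")
  for f in "${items[@]}"; do
    ARGS+=(--skip-files "$f")
    SARIF_ARGS+=(--skip-files "$f")
  done
fi

# Run the scan without aborting on a non-zero status: trivy's --exit-code is
# how findings are reported, and the github-format upload below must still
# happen. The status is propagated as the script's own exit code at the end.
returnCode=0
if [ "$format" = "sarif" ] && [ "$limitSeveritiesForSARIF" != "true" ]; then
  # SARIF is special. We output all vulnerabilities,
  # regardless of severity level specified in this report.
  # This is a feature, not a bug :)
  cmd=(trivy --quiet "$scanType" --format sarif)
  if [ -n "$output" ]; then
    cmd+=(--output "$output")
  fi
  cmd+=("${SARIF_ARGS[@]}" "${target[@]}")
  printf 'Building SARIF report with options: %s %s\n' "${SARIF_ARGS[*]}" "${target[*]}"
  "${cmd[@]}" || returnCode=$?
elif [ -n "$trivyConfig" ]; then
  # A trivy.yaml config replaces the flag-derived options entirely.
  printf 'Running Trivy with trivy.yaml config from:  %s\n' "$trivyConfig"
  trivy --config "$trivyConfig" "$scanType" "${target[@]}" || returnCode=$?
else
  printf 'Running trivy with options: trivy %s %s %s\n' "$scanType" "${ARGS[*]}" "${target[*]}"
  printf 'Global options:  %s\n' "${GLOBAL_ARGS[*]}"
  trivy "${GLOBAL_ARGS[@]}" "$scanType" "${ARGS[@]}" "${target[@]}" || returnCode=$?
fi

if [ "$format" = "github" ]; then
  if [ -n "$githubPAT" ]; then
    if [ ! -f "./${output}" ]; then
      printf '\n Failing GitHub Dependency Snapshot. Output file ./%s not found' "$output" >&2
      exit 1
    fi
    if [ -z "${GITHUB_REPOSITORY}" ]; then
      printf '\n Failing GitHub Dependency Snapshot. GITHUB_REPOSITORY is not set' >&2
      exit 1
    fi
    printf '\n Uploading GitHub Dependency Snapshot'
    # The token reaches curl as a header read from stdin (-H @-, curl >= 7.55)
    # rather than on the command line, so it is not visible in the process
    # list or in a `set -x` trace of this script.
    printf 'Authorization: token %s\n' "$githubPAT" |
      curl -H 'Accept: application/vnd.github+json' -H @- \
        "https://api.github.com/repos/${GITHUB_REPOSITORY}/dependency-graph/snapshots" \
        -d "@./${output}"
  else
    printf '\n Failing GitHub Dependency Snapshot. Missing github-pat'
  fi
fi

exit "$returnCode"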