
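#!/bin/bash

# Copyright 2023 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Downloads a pinned trivy release, checks it against the SHA-256 manifest
# published alongside that release, builds the controller container image and
# scans it. Exits 1 when trivy reports unfixed MEDIUM/HIGH/CRITICAL findings.
#
# Usage: hack/verify-container-images.sh   (run from the repository root)
# Env:   TRACE=1 enables command tracing.

set -o errexit
set -o nounset
set -o pipefail

if [[ "${TRACE-0}" == "1" ]]; then
    set -o xtrace
fi

TRIVY_VERSION=0.34.0
TRIVY_RELEASE_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
TOOL_BIN=hack/tools/bin
IMAGE_REGISTRY=gcr.io/k8s-staging-cluster-api-azure

# Print a diagnostic to stderr and abort the script.
die() {
  printf 'verify-container-images: %s\n' "$*" >&2
  exit 1
}

# Map a GOOS value to the OS token used in trivy release asset names.
# Returns 1 for any OS trivy is not downloaded for here.
trivy_os_for() {
  case "$1" in
    linux) printf 'Linux' ;;
    darwin*) printf 'macOS' ;;
    *) return 1 ;;
  esac
}

# Map a GOARCH value to the arch token used in trivy release asset names.
# 32-bit x86 is spelled "386" by GOARCH; the previous "amd" match could never fire.
# Returns 1 for any architecture trivy is not downloaded for here.
trivy_arch_for() {
  case "$1" in
    386) printf '32bit' ;;
    amd64) printf '64bit' ;;
    arm) printf 'ARM' ;;
    arm64) printf 'ARM64' ;;
    *) return 1 ;;
  esac
}

# Print the hex SHA-256 digest of file $1 using whichever tool the host has
# (GNU sha256sum on Linux, perl shasum on macOS). Returns 1 if neither exists.
sha256_of() {
  local file=$1
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "${file}" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "${file}" | awk '{print $1}'
  else
    return 1
  fi
}

GO_OS="$(go env GOOS)"
GO_ARCH="$(go env GOARCH)"
# Fail with a readable message instead of an "unbound variable" error at the
# download step when the host platform has no matching trivy asset.
TRIVY_OS="$(trivy_os_for "${GO_OS}")" || die "unsupported GOOS for trivy download: ${GO_OS}"
TRIVY_ARCH="$(trivy_arch_for "${GO_ARCH}")" || die "unsupported GOARCH for trivy download: ${GO_ARCH}"
TRIVY_TARBALL="trivy_${TRIVY_VERSION}_${TRIVY_OS}-${TRIVY_ARCH}.tar.gz"
TRIVY_CHECKSUMS="trivy_${TRIVY_VERSION}_checksums.txt"

mkdir -p "${TOOL_BIN}"
DOWNLOAD_DIR="$(mktemp -d)" || die "mktemp failed"
trap 'rm -rf -- "${DOWNLOAD_DIR}"' EXIT

# Downloads the trivy scanner and the release's checksum manifest.
# --fail: an HTTP error page must not be written to disk and handed to tar.
curl -fsSL --retry 3 -o "${DOWNLOAD_DIR}/${TRIVY_TARBALL}" "${TRIVY_RELEASE_URL}/${TRIVY_TARBALL}"
curl -fsSL --retry 3 -o "${DOWNLOAD_DIR}/${TRIVY_CHECKSUMS}" "${TRIVY_RELEASE_URL}/${TRIVY_CHECKSUMS}"

# Verify the archive before anything from it is executed. Manifest lines are
# "<sha256>  <asset name>", so the second whitespace-separated field is the name.
expected_sha="$(awk -v name="${TRIVY_TARBALL}" '$2 == name {print $1}' "${DOWNLOAD_DIR}/${TRIVY_CHECKSUMS}")"
[[ -n "${expected_sha}" ]] || die "no checksum entry for ${TRIVY_TARBALL} in ${TRIVY_CHECKSUMS}"
actual_sha="$(sha256_of "${DOWNLOAD_DIR}/${TRIVY_TARBALL}")" || die "neither sha256sum nor shasum found; cannot verify ${TRIVY_TARBALL}"
[[ "${actual_sha}" == "${expected_sha}" ]] || die "checksum mismatch for ${TRIVY_TARBALL}: expected ${expected_sha}, got ${actual_sha}"

tar -xf "${DOWNLOAD_DIR}/${TRIVY_TARBALL}" -C "${TOOL_BIN}" trivy
chmod +x "${TOOL_BIN}/trivy"

# Builds all the container images to be scanned and cleans up changes to ./*manager_image_patch.yaml ./*manager_pull_policy.yaml.
make REGISTRY="${IMAGE_REGISTRY}" PULL_POLICY=IfNotPresent TAG=dev docker-build
make clean-release-git

# Scan the images; capture the exit status rather than letting errexit abort
# so the result can be reported in colour below.
scan_rc=0
"${TOOL_BIN}/trivy" image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL \
  "${IMAGE_REGISTRY}/cluster-api-azure-controller-${GO_ARCH}:dev" || scan_rc=$?

BRed=$'\033[1;31m'
BGreen=$'\033[1;32m'
NC=$'\033[0m' # No Color

printf '\n'
if (( scan_rc != 0 )); then
  printf '%s\n' "${BRed}Check container images failed! There are vulnerability to be fixed${NC}"
  exit 1
fi

printf '%s\n' "${BGreen}Check container images passed! No vulnerability found${NC}"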