
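#!/bin/bash

# Copyright 2022 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Builds every container image of this repository and scans each of them with
# trivy. Exits 1 when any image reports a MEDIUM, HIGH or CRITICAL
# vulnerability that already has a fix available; exits 0 otherwise.
#
# Usage: verify-container-images.sh <trivy-version>
#
# Environment:
#   TRACE=1   enable `set -o xtrace`

set -o errexit
set -o nounset
set -o pipefail

if [[ "${TRACE-0}" == "1" ]]; then
    set -o xtrace
fi

# Fail with a usage line instead of nounset's bare "unbound variable" error.
VERSION=${1:?"usage: ${0##*/} <trivy-version>"}
GO_ARCH="$(go env GOARCH)"

REPO_ROOT=$(git rev-parse --show-toplevel)
"${REPO_ROOT}/hack/ensure-trivy.sh" "${VERSION}"

TRIVY="${REPO_ROOT}/hack/tools/bin/trivy/${VERSION}/trivy"
REGISTRY="gcr.io/k8s-staging-cluster-api"

# Builds all the container images to be scanned and cleans up changes to ./*manager_image_patch.yaml ./*manager_pull_policy.yaml.
make REGISTRY="${REGISTRY}" PULL_POLICY=IfNotPresent TAG=dev docker-build
make clean-release-git

# Images to scan; docker-build tags each one as ${REGISTRY}/<name>-${GO_ARCH}:dev.
IMAGES=(
  clusterctl
  test-extension
  kubeadm-control-plane-controller
  kubeadm-bootstrap-controller
  cluster-api-controller
  capd-manager
  capim-manager
)

# Scan the images.
# --ignore-unfixed drops findings that have no fixed package version yet, and
# LOW severity is not in the --severity list, so neither category fails the
# check; widen either flag if the policy changes.
FAILED=()
for image in "${IMAGES[@]}"; do
  ref="${REGISTRY}/${image}-${GO_ARCH}:dev"
  # Keep scanning after a failure so one run reports every vulnerable image.
  if ! "${TRIVY}" image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL "${ref}"; then
    FAILED+=("${ref}")
  fi
done

printf '\n'
BRed='\033[1;31m'
BGreen='\033[1;32m'
NC='\033[0m' # No Color

# %b expands the escape sequences held in the colour variables (the behaviour
# `echo -e` gave, without echo's portability issues).
if (( ${#FAILED[@]} > 0 )); then
  printf '%b\n' "${BRed}Check container images failed! There are vulnerabilities to be fixed${NC}"
  printf '%s\n' "Vulnerable images:"
  printf '  %s\n' "${FAILED[@]}"
  exit 1
fi

printf '%b\n' "${BGreen}Check container images passed! No vulnerability found${NC}"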