
Trivy resource for concourse - Vulnerability scanning of container base image

hriprsd/trivy-resource


Trivy Concourse Resource

Scans a Docker image for OS and library vulnerabilities using Trivy.

Index

Source Configuration

Behaviour

Parameters

Resource type

Resource

Development

Building Docker image

Screenshots

Note

This resource uses Skopeo to download Docker images from a registry without a Docker daemon. Skopeo is installed from the Alpine package repository; it keeps the resource image lightweight and lets it run rootless.

Please follow the official Trivy documentation to learn more about OS vulnerability scanning of Docker images.

Source Configuration

The configuration is split between source and params. The source configuration holds settings that are expected to stay the same throughout the pipeline, for example the output format of the resource.

The params, on the other hand, can be tweaked per call, for example the path of the tar file to scan.

  • type: Optional. Scans for either OS or library vulnerabilities. Library scanning requires a package.json or a similar dependency manifest in the image. Scans for OS vulnerabilities by default.

  • dashboard: Optional. Ships (POSTs) the scan results to the dashboard server URL provided here.

  • app_name: Optional. The app name to be displayed on the dashboard. Mandatory if shipping scan results to the dashboard.

  • format: Optional. Scan output format; takes the value json or table. Outputs the scan results as a table by default. json is mandatory if shipping scan results to the dashboard.

  • image: Optional if the path parameter is defined. Image to be scanned, pulled from the registry. The specified image is downloaded as a docker archive and scanned; credentials may be needed if the registry pull requires authentication.

  • user: Optional if the path parameter is defined. Docker registry username, if required.

  • password: Optional if the path parameter is defined. Docker registry password, if required.

Behavior

check

Currently, a no-op

in

Currently, a no-op

out

Runs the Trivy vulnerability scanner.

Parameters

  • path: Required. Path to the OCI image tarball that is to be scanned for vulnerabilities.

  • fail: Optional. Fails the step if a vulnerability of the given severity is found; takes HIGH, CRITICAL, MEDIUM or LOW as values (case-insensitive). Multiple values can be comma-separated. By default the scan reports all severities and the step exits with code 0. If any fail value is specified, the step exits with code 1 when vulnerabilities of the listed severities are found in the scan.

Example

These examples are excerpts from the test pipelines. To use this resource, it is assumed that the image is built using the OCI build task when scanning an image tar. As of now, OCI-built tarballs and Docker images are supported for scanning. Images specified in the source config are downloaded as a docker-archive and scanned. An image tar can also be created using the docker save command (https://docs.docker.com/engine/reference/commandline/save).

Note: It is recommended to tag the image as latest in addition to the normal tag during each build, so that the scan runs on the updated image every time.

Resource Type

- name: trivy
  type: docker-image
  source:
    repository: <docker-registry-namespace>/trivy-resource #registry url and namespace where the resource image is pushed to

Resource

- name: trivy-scan
  type: trivy
  source:
    image: <docker-registry-namespace>/test # image that needs to be scanned
    # Optional
    dashboard: https://<dashboard-api-url-to-post-scan-results>
  check_every: 24h

Note: To quality-gate the pipeline on Trivy scans, a few source configs are necessary. These ensure that the pipeline is interrupted when vulnerabilities are found.

Plan

Trivy scans after OCI build

jobs:
- name: build-release
  public: true
  plan:
  - in_parallel:
    - get: main-src
      trigger: true
  - task: OCI build
    file: path/to/OCI/build/task # outputs image tar-ball
  on_success:
    put: trivy-scan
    params:
      path: image/image.tar
      fail: HIGH

The above example fails the task (exit code 1) on finding HIGH OS vulnerabilities in the OCI tar. Leaving the fail parameter empty scans for all vulnerabilities, and the stage passes (exit code 0).

Important: One of image or path is mandatory for the scan to run.
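As an added example (not code from this repository), the following Python reproduces the documented fail gate over a Trivy JSON report: it accepts the comma-separated, case-insensitive severity list, counts findings across OS and library targets, and returns the exit code the put step is described as using. The Trivy JSON field names and the sample report are assumptions, not taken from this page.

```python
# Added example (not the resource's own code): a gate that reproduces the
# documented fail semantics over Trivy JSON output. Assumed: Trivy's JSON
# schema (top-level {"Results": [...]} in newer versions, a bare list in
# older ones), with each finding carrying a "Severity" field.
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")


def parse_fail_param(fail):
    """Turn the fail param ("high,Critical") into a set of severities.
    Empty means no gate; unknown values raise so a typo cannot silently
    disable the gate."""
    if not fail or not fail.strip():
        return set()
    wanted = {s.strip().upper() for s in fail.split(",") if s.strip()}
    unknown = wanted - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severity in fail param: {sorted(unknown)}")
    return wanted


def count_by_severity(report):
    """Count findings per severity across all targets (OS packages and
    library manifests alike) in a Trivy JSON report."""
    results = report.get("Results", []) if isinstance(report, dict) else report
    counts = Counter()
    for target in results or []:
        for vuln in target.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN").upper()] += 1
    return counts


def exit_code(report, fail):
    """0 when no gated severity has findings, 1 otherwise."""
    gated = parse_fail_param(fail)
    counts = count_by_severity(report)
    return 1 if any(counts[s] for s in gated) else 0


# Constructed sample report; the IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.loads("""{"Results": [
  {"Target": "image.tar (alpine 3.14)", "Type": "alpine", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "musl", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib", "Severity": "LOW"}]},
  {"Target": "app/package-lock.json", "Type": "npm", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash", "Severity": "MEDIUM"}]}
]}""")

if __name__ == "__main__":
    print(dict(count_by_severity(SAMPLE_REPORT)), exit_code(SAMPLE_REPORT, "HIGH"))
```

Note that the gate counts one HIGH finding from the OS target and one MEDIUM from the npm manifest, so fail: HIGH exits 1 while fail: CRITICAL exits 0.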

Sample pipeline

Development

Prerequisites:

  • python is required - version 3.8.10 is tested; earlier 3.x versions may also work.
  • docker is required - version 20.10.7 is tested; earlier versions may also work.

To use the newly built image, push it to a Docker registry that is accessible to Concourse and configure your pipeline to use it. Make sure to force a re-check of the resource type so that the new changes are picked up.

Building Docker image

To build the Docker image of the resource, execute the following command. The docker command should be run from the directory that contains the Dockerfile (hence the trailing build context `.`).

docker build -t <docker-registry>/<namespace>/trivy-resource:<tag> .

Please make sure the user is authenticated against the respective Docker registry.

The built image has to be pushed to the registry before it can be used in Concourse.

docker push <docker-registry>/<namespace>/trivy-resource:<tag>

Docker References:

Docker login, Docker tag, Docker build, Docker push

Screenshots

Scans passing in concourse

Scans failing at HIGH vulns in concourse

Nginx downloaded from hub and scanned
