version: 2.1

# Reusable fragments; referenced elsewhere in this config through YAML aliases.
aliases:
  # Workflow filters
  # Limits a trigger to the master branch; consumed as `filters: *filter-only-master`.
  - &filter-only-master
    branches:
      only: master
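jobs:
  scan-docker-image:
    description: "Scans a docker image for vulnerabilities using trivy"
    parameters:
      image:
        description: "Image repository to scan (combined with tag as image:tag)."
        type: string
      tag:
        description: "Image tag to scan."
        type: string
      trivy_version:
        description: "Trivy release to install, without the leading v. Empty resolves the latest GitHub release at run time."
        type: string
        default: ""
    docker:
      # NOTE(review): mutable tag; pin by digest if reproducible scan environments are required.
      - image: circleci/buildpack-deps:stretch
    steps:
      - setup_remote_docker
      # Prefix match: restores the most recently saved vulnerability DB cache.
      - restore_cache:
          keys:
            - vulnerability-db-
      - run:
          name: Install trivy
          command: |
            set -euo pipefail
            VERSION="<< parameters.trivy_version >>"
            # Fall back to the latest release only when no version was pinned.
            if [ -z "${VERSION}" ]; then
              VERSION=$(
                curl --silent --fail --show-error "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | \
                grep '"tag_name":' | \
                sed -E 's/.*"v([^"]+)".*/\1/'
              )
            fi
            # An empty VERSION would otherwise produce a malformed download URL.
            [ -n "${VERSION}" ] || { echo "Could not determine trivy version" >&2; exit 1; }
            ARCHIVE="trivy_${VERSION}_Linux-64bit.tar.gz"
            CHECKSUMS="trivy_${VERSION}_checksums.txt"
            BASE_URL="https://github.com/aquasecurity/trivy/releases/download/v${VERSION}"
            wget --quiet "${BASE_URL}/${ARCHIVE}" "${BASE_URL}/${CHECKSUMS}"
            # Verify the archive against the release's published checksum list before
            # installing anything from it; a mismatch or missing entry fails the step.
            grep " ${ARCHIVE}$" "${CHECKSUMS}" | sha256sum --check -
            # Only the trivy binary is needed from the archive.
            tar zxf "${ARCHIVE}" trivy
            sudo mv trivy /usr/local/bin
      - run:
          name: Clear trivy cache
          command: trivy --clear-cache
      # Informational pass: findings are reported but never fail the job.
      - run:
          name: Scan Docker image for unkown/low/medium vulnerabilities
          command: trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM << parameters.image >>:<< parameters.tag >>
      # Gating pass: any HIGH or CRITICAL finding fails the job.
      - run:
          name: Scan Docker image for high/critical vulnerabilities
          command: trivy --exit-code 1 --severity HIGH,CRITICAL << parameters.image >>:<< parameters.tag >>
      # A fresh key per run keeps the cached DB current; a fixed key would never be rewritten.
      - save_cache:
          key: vulnerability-db-{{ epoch }}
          paths:
            - $HOME/.cache/trivy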
workflows:
  # Scheduled scan of the published images; the trigger is limited to master.
  nightly:
    triggers:
      - schedule:
          cron: "0 0 * * *"
          filters: *filter-only-master
    jobs:
      # The matrix expands to one scan job per image/tag pair.
      - scan-docker-image:
          matrix:
            parameters:
              image: [grafana/grafana, grafana/grafana-enterprise]
              tag: [latest, master, latest-ubuntu, master-ubuntu]