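---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: trivy-scanner
  labels:
    app.kubernetes.io/version: "0.2"
  annotations:
    tekton.dev/pipelines.minVersion: "0.12.1"
    tekton.dev/categories: Security
    tekton.dev/tags: CLI, trivy
    tekton.dev/displayName: "trivy scanner"
    # "s390x" is the platform name; the source listing had "linux/390x".
    tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"
spec:
  description: >-
    Trivy is a simple and comprehensive scanner for
    vulnerabilities in container images, file systems,
    and Git repositories, as well as for configuration issues.

    This task can be used to scan for vulnerabilities on the source code
    in stand alone mode.
  workspaces:
    # The step runs with this workspace as its working directory, so a
    # relative IMAGE_PATH and the temp_trivy.txt report resolve inside it.
    - name: manifest-dir
  params:
    - name: TRIVY_IMAGE
      # Pinned by digest; the trailing tag comment is informational only.
      default: docker.io/aquasec/trivy@sha256:944a044451791617cc0ed2ee4d1942a4f66b790d527fcd0575a6b399ccbc05a1 # 0.43.1
      description: Trivy scanner image to be used
    - name: IMAGE_PATH
      description: Image or Path to be scanned by trivy.
      type: string
    - name: AIR_GAPPED_ENABLED
      default: "false"
      description: a flag enabling Air-Gapped mode
      type: string
      # NOTE(review): not referenced by the step script shown here; confirm
      # whether anything still consumes it before relying on it.
  steps:
    - name: trivy-scan
      image: $(params.TRIVY_IMAGE)
      workingDir: $(workspaces.manifest-dir.path)
      env:
        # Hand the param to the shell through the environment instead of
        # substituting $(params.IMAGE_PATH) into the script text, so a value
        # containing shell metacharacters is treated as data, not parsed.
        - name: IMAGE_PATH
          value: $(params.IMAGE_PATH)
      script: |
        #!/usr/bin/env sh

        echo ""
        echo "== SCAN IMAGE ==================================="

        echo "Running trivy task with command below"
        # --exit-code 1 makes trivy return non-zero when a CRITICAL finding
        # exists. Without set -e the step's status would be that of the final
        # command (cat), which always succeeds, so the status is captured
        # here and re-raised after the report has been printed.
        # --input reads a saved image archive at IMAGE_PATH; NOTE(review): a
        # registry reference would need the flag dropped — confirm which form
        # callers pass.
        trivy image --exit-code 1 --severity CRITICAL --no-progress -o temp_trivy.txt --input "$IMAGE_PATH"
        rc=$?
        cat temp_trivy.txt
        exit $rc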