mse-tekton/kustomization/base/tekton/task/common/trivy.yaml

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: trivy-scanner
  labels:
    app.kubernetes.io/version: "0.2"
  annotations:
    tekton.dev/pipelines.minVersion: "0.12.1"
    tekton.dev/categories: Security
    tekton.dev/tags: CLI, trivy
    tekton.dev/displayName: "trivy scanner"
    tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/390x"
spec:
  description: >-
    Trivy is a simple and comprehensive scanner for
    vulnerabilities in container images,file systems
    ,and Git repositories, as well as for configuration issues.

    This task can be used to scan for vulnenrabilities on the source code
    in stand alone mode.
  workspaces:
    - name: manifest-dir
  params:
    - name: TRIVY_IMAGE
      default: docker.io/aquasec/trivy@sha256:944a044451791617cc0ed2ee4d1942a4f66b790d527fcd0575a6b399ccbc05a1  # 0.43.1
      description: Trivy scanner image to be used
    - name: IMAGE_PATH
      description: Image or Path to be scanned by trivy.
      type: string
    - name: AIR_GAPPED_ENABLED
      default: "false"
      description: a flag enabling Air-Gapped mode
      type: string
  steps:
    - name: trivy-scan
      image: $(params.TRIVY_IMAGE)
      workingDir: $(workspaces.manifest-dir.path)
      script: |
        #!/usr/bin/env sh

          echo ""
          echo "== SCAN IMAGE ==================================="

          cmd="trivy $* "
          if [ "$(params.AIR_GAPPED_ENABLED)" = "true" ]; then
            echo "Air-Gapped mode enabled"
            TRIVY_TEMP_DIR=$(mktemp -d)
            trivy --cache-dir "$TRIVY_TEMP_DIR" image --download-db-only
            tar -cf ./db.tar.gz -C "$TRIVY_TEMP_DIR/db" metadata.json trivy.db
            rm -rf "$TRIVY_TEMP_DIR"
            mkdir -p "$HOME"/.cache/trivy/db
            tar xvf ./db.tar.gz -C "$HOME"/.cache/trivy/db

            cmd="${cmd}--skip-update "
          fi

          cmd="${cmd}$(params.IMAGE_PATH)"
          echo "Running trivy task with command below"
          echo "$cmd"
          eval "$cmd"
          cat temp_trivy.txt

      args:
        - "image"
        - "--exit-code"
        - "1"
        - "--severity"
        - "CRITICAL"
        - "--no-progress"
        - "-o"
        - "temp_trivy.json"
        - "--input"