50 lines
1.6 KiB
YAML
50 lines
1.6 KiB
YAML
---
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: ClusterTask
|
|
metadata:
|
|
name: trivy-scanner
|
|
labels:
|
|
app.kubernetes.io/version: "0.1"
|
|
annotations:
|
|
tekton.dev/pipelines.minVersion: "0.12.1"
|
|
tekton.dev/categories: Security
|
|
tekton.dev/tags: CLI, trivy
|
|
tekton.dev/displayName: "trivy scanner"
|
|
tekton.dev/platforms: "linux/amd64"
|
|
spec:
|
|
description: >-
|
|
Trivy is a simple and comprehensive scanner for
|
|
vulnerabilities in container images,file systems
|
|
,and Git repositories, as well as for configuration issues.
|
|
|
|
This task can be used to scan for vulnenrabilities on the source code
|
|
in stand alone mode.
|
|
workspaces:
|
|
- name: manifest-dir
|
|
params:
|
|
- name: ARGS
|
|
description: The Arguments to be passed to Trivy command.
|
|
type: array
|
|
- name: TRIVY_IMAGE
|
|
default: docker.io/aquasec/trivy@sha256:dea76d4b50c75125cada676a87ac23de2b7ba4374752c6f908253c3b839201d9
|
|
description: Trivy scanner image to be used
|
|
- name: IMAGE_PATH
|
|
description: Image or Path to be scanned by trivy.
|
|
type: string
|
|
results:
|
|
- name: scan
|
|
description: scan result
|
|
steps:
|
|
- name: trivy-scan
|
|
image: $(params.TRIVY_IMAGE)
|
|
workingDir: $(workspaces.manifest-dir.path)
|
|
script: |
|
|
#!/usr/bin/env sh
|
|
export TRIVY_NON_SSL=true
|
|
cmd="trivy --cache-dir . $* --severity HIGH,CRITICAL --output scan.txt --skip-update $(params.IMAGE_PATH)"
|
|
echo "Running trivy task with command below"
|
|
echo "$cmd"
|
|
eval "$cmd"
|
|
printf "%s" "$(cat ./scan.txt)" > "$(results.scan.path)"
|
|
args:
|
|
- "$(params.ARGS)" |