Let's add a Trivy scan task to a Tekton pipeline.
Task
Create the Task by copying the trivy-scanner YAML from Tekton Hub: https://hub.tekton.dev/tekton/task/trivy-scanner
```yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  annotations:
    tekton.dev/categories: Security
    tekton.dev/displayName: trivy scanner
    tekton.dev/pipelines.minVersion: 0.12.1
    tekton.dev/platforms: 'linux/amd64,linux/arm64,linux/ppc64le,linux/390x'
    tekton.dev/tags: 'CLI, trivy'
  name: trivy-scanner
  labels:
    app.kubernetes.io/version: '0.2'
spec:
  description: >-
    Trivy is a simple and comprehensive scanner for vulnerabilities in container
    images, file systems, and Git repositories, as well as for configuration
    issues.
    This task can be used to scan for vulnerabilities on the source code in
    stand alone mode.
  params:
    - default: >- # changed to the latest version, 0.58.0
        docker.io/aquasec/trivy@sha256:b88012e2a0a309d6a8a00463d4e63e5e513377fb74eccbc8f9b0f8f81940ebeb
      description: Trivy scanner image to be used
      name: TRIVY_IMAGE
      type: string
    - description: Image or Path to be scanned by trivy.
      name: IMAGE_PATH
      type: string
    - default: 'false'
      description: a flag enabling Air-Gapped mode
      name: AIR_GAPPED_ENABLED
      type: string
    - description: The Arguments to be passed to Trivy command.
      name: ARGS
      type: array
  steps:
    - args:
        - $(params.ARGS)
      image: $(params.TRIVY_IMAGE)
      name: trivy-scan
      resources: {}
      script: |
        #!/usr/bin/env sh
        cmd="trivy $* "
        if [ "$(params.AIR_GAPPED_ENABLED)" = "true" ]; then
          echo "Air-Gapped mode enabled"
          TRIVY_TEMP_DIR=$(mktemp -d)
          trivy --cache-dir "$TRIVY_TEMP_DIR" image --download-db-only
          tar -cf ./db.tar.gz -C "$TRIVY_TEMP_DIR/db" metadata.json trivy.db
          rm -rf "$TRIVY_TEMP_DIR"
          mkdir -p "$HOME"/.cache/trivy/db
          tar xvf ./db.tar.gz -C "$HOME"/.cache/trivy/db
          cmd="${cmd}--skip-update "
        fi
        cmd="${cmd}$(params.IMAGE_PATH)"
        echo "Running trivy task with command below"
        echo "$cmd"
        eval "$cmd"
      workingDir: $(workspaces.source.path)
  workspaces: # add the workspace if running on OpenShift
    - name: source
```
pipeline
In the Pipeline, all that is needed is to pass the params ARGS (the array item `image`) and IMAGE_PATH (the image to scan).
```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: image-pipeline
spec:
  params:
    - default: 'true'
      name: ENABLE_VULNERABILITY # whether to run the scan
      type: string
    - default: node-22-alpine
      name: APP_NAME
      type: string
  tasks:
    - name: trivy-task
      params:
        - name: ARGS
          value:
            - image
        - name: IMAGE_PATH
          value: >- # target image
            node-22-alpine@sha256:c3e40c1b244e9d02a527b7b2e8de97cc71b4b4e182589d029aa162cfbd83ecd3
      runAfter:
        - image-build
      taskRef:
        kind: Task
        name: trivy-scanner
      when:
        - input: $(params.ENABLE_VULNERABILITY)
          operator: in
          values:
            - 'true'
      workspaces:
        - name: source
          workspace: workspace
  workspaces:
    - name: workspace
```
Looking at the run output:
```text
step-trivy-scan
Running trivy task with command below
trivy image node-22-alpine@sha256:c3e40c1b244e9d02a527b7b2e8de97cc71b4b4e182589d029aa162cfbd83ecd3
2024-12-20T01:00:06Z INFO [vulndb] Need to update DB
2024-12-20T01:00:06Z INFO [vulndb] Downloading vulnerability DB...
2024-12-20T01:00:06Z INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2"
[download progress bar output (57.80 MiB, 5.3s) omitted]
2024-12-20T01:00:14Z INFO [vulndb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-12-20T01:00:14Z INFO [vuln] Vulnerability scanning is enabled
2024-12-20T01:00:14Z INFO [secret] Secret scanning is enabled
2024-12-20T01:00:14Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-20T01:00:14Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-20T01:00:16Z INFO Detected OS family="alpine" version="3.21.0"
2024-12-20T01:00:16Z WARN This OS version is not on the EOL list family="alpine" version="3.21"
2024-12-20T01:00:16Z INFO [alpine] Detecting vulnerabilities... os_version="3.21" repository="3.21" pkg_num=17
2024-12-20T01:00:16Z INFO Number of language-specific files num=1
2024-12-20T01:00:16Z INFO [node-pkg] Detecting vulnerabilities...

node-22-alpine@sha256:c3e40c1b244e9d02a527b7b2e8de97cc71b4b4e182589d029aa162cfbd83ecd3 (alpine 3.21.0)
==============================================================================================================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

2024-12-20T01:00:16Z INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Node.js (node-pkg)
==================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ cross-spawn (package.json) │ CVE-2024-21538 │ HIGH     │ fixed  │ 7.0.3             │ 7.0.5, 6.0.6  │ cross-spawn: regular expression denial of service │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-21538        │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘
```
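The run above reports one HIGH finding (CVE-2024-21538 in cross-spawn), yet the step, and so the pipeline, still succeeds, because trivy exits 0 regardless of findings unless told otherwise. As an added example that is not part of the original post, here is the same trivy-task entry with ARGS extended so that the TaskRun fails on HIGH or CRITICAL findings that have a fix; the task script runs `trivy $* IMAGE_PATH`, so every flag goes in as its own array element ahead of the image reference:

```yaml
  tasks:
    - name: trivy-task
      params:
        - name: ARGS
          value:
            - image
            - --scanners
            - vuln            # vulnerability scan only; the log above notes secret scanning slows the run
            - --severity
            - HIGH,CRITICAL   # report only the severities that should block a release
            - --ignore-unfixed  # do not block on findings that have no fixed version yet
            - --exit-code
            - '1'             # non-zero exit fails the step, which fails the pipeline
        - name: IMAGE_PATH
          value: node-22-alpine@sha256:c3e40c1b244e9d02a527b7b2e8de97cc71b4b4e182589d029aa162cfbd83ecd3
      runAfter:
        - image-build
      taskRef:
        kind: Task
        name: trivy-scanner
      when:
        - input: $(params.ENABLE_VULNERABILITY)
          operator: in
          values:
            - 'true'
      workspaces:
        - name: source
          workspace: workspace
```

The step then runs `trivy image --scanners vuln --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 node-22-alpine@sha256:...`; for the image scanned above it would exit 1, since the cross-spawn finding is HIGH and has fixed versions 7.0.5 and 6.0.6 available.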