thalla/lomavuokraus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add Trivy update reminder and ignore sensitive paths

Browse source
This commit is contained in:
Tero Halla-aho 2025-12-15 21:49:20 +02:00
parent 1fe2da1f66
commit 380c9abf38
3 changed files with 24 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
.trivyignore Normal file
View file

@ -0,0 +1,5 @@
creds/**
reports/**
*.pem
*.key
*.enc

15
deploy/build.sh
View file

@ -33,8 +33,21 @@ echo "Done. Last image: $IMAGE"
# Trivy image scan (if available) # Trivy image scan (if available)
if command -v trivy >/dev/null 2>&1; then if command -v trivy >/dev/null 2>&1; then
MIN_TRIVY_VERSION="0.56.0"
INSTALLED_TRIVY_VERSION="$(trivy --version 2>/dev/null | head -n1 | awk '{print $2}')"
if [[ -n "$INSTALLED_TRIVY_VERSION" ]] && [[ "$(printf '%s\n%s\n' "$MIN_TRIVY_VERSION" "$INSTALLED_TRIVY_VERSION" | sort -V | head -n1)" != "$MIN_TRIVY_VERSION" ]]; then
echo "Trivy version $INSTALLED_TRIVY_VERSION is older than recommended $MIN_TRIVY_VERSION."
echo "Update recommended: brew upgrade trivy # macOS"
echo "or: sudo apt-get install -y trivy # Debian/Ubuntu (Aqua repo)"
echo "or: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin"
fi
echo "Running Trivy scan on $IMAGE ..." echo "Running Trivy scan on $IMAGE ..."
trivy image --exit-code 0 "$IMAGE" || true TRIVY_IGNORE_ARGS=()
if [[ -f ".trivyignore" ]]; then
TRIVY_IGNORE_ARGS+=(--ignorefile .trivyignore)
fi
trivy image --exit-code 0 "${TRIVY_IGNORE_ARGS[@]}" "$IMAGE" || true
else else
echo "Trivy not installed; skipping image scan." echo "Trivy not installed; skipping image scan."
fi fi

6
scripts/run-test-suite.sh
View file

@ -190,7 +190,11 @@ TRIVY_MODE="${TRIVY_MODE:-fs}"
if command -v trivy >/dev/null 2>&1; then if command -v trivy >/dev/null 2>&1; then
log "Running Trivy (${TRIVY_MODE}) on ${TRIVY_TARGET}..." log "Running Trivy (${TRIVY_MODE}) on ${TRIVY_TARGET}..."
TRIVY_TXT="$RUN_DIR/trivy.txt" TRIVY_TXT="$RUN_DIR/trivy.txt"
if trivy "${TRIVY_MODE}" --severity HIGH,CRITICAL --timeout 5m "$TRIVY_TARGET" >"$TRIVY_TXT"; then TRIVY_IGNORE_ARGS=()
if [ -f ".trivyignore" ]; then
TRIVY_IGNORE_ARGS+=(--ignorefile .trivyignore)
fi
if trivy "${TRIVY_MODE}" --severity HIGH,CRITICAL --timeout 5m "${TRIVY_IGNORE_ARGS[@]}" "$TRIVY_TARGET" >"$TRIVY_TXT"; then
record_result "Trivy (${TRIVY_MODE})" "PASS" "<a href=\"trivy.txt\">report</a>" "report: ${TRIVY_TXT}" record_result "Trivy (${TRIVY_MODE})" "PASS" "<a href=\"trivy.txt\">report</a>" "report: ${TRIVY_TXT}"
else else
record_result "Trivy (${TRIVY_MODE})" "FAIL" "<a href=\"trivy.txt\">report</a>" "report: ${TRIVY_TXT}" record_result "Trivy (${TRIVY_MODE})" "FAIL" "<a href=\"trivy.txt\">report</a>" "report: ${TRIVY_TXT}"