added trivy scan

joelwembo · Apr 17, 2024 · 308fa26 · 308fa26
1 parent 71a8080
commit 308fa26
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Use an official Python runtime as a parent image
-FROM python:3.11-slim-bullseye
+FROM python:3.11-slim-bullseye as build
 # Set environment variables
 ENV PYTHONDONTWRITEBYTECODE 1
 ENV PYTHONUNBUFFERED 1

diff --git a/deployments/Jenkins/trivy-image-scan.sh b/deployments/Jenkins/trivy-image-scan.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+#get the image name from Dockerfile file 
+dockerImageName=$(awk 'NR==1 {print $2}' Dockerfile)
+echo $dockerImageName
+
+#-e TRIVY_GITHUB_TOKEN=$token: Sets an environment variable TRIVY_GITHUB_TOKEN with the provided token value. This is used to access private GitHub repositories during vulnerability scanning.
+docker run --rm -v $WORKSPACE:/root/.cache/  -e TRIVY_GITHUB_TOKEN='token_github' aquasec/trivy:0.17.2 -q image --exit-code 1 --severity CRITICAL --light $dockerImageName
+
+    # Trivy scan result processing
+    exit_code=$?
+    echo "Exit Code : $exit_code"
+
+    # Check scan results
+    if [[ "${exit_code}" == 1 ]]; then
+        echo "Image scanning failed. Vulnerabilities found"
+        exit 1;
+    else
+        echo "Image scanning passed. No CRITICAL vulnerabilities found"
+    fi;