# Shared state for the scan steps below: the results file that the gcloud wrapper fills, the
# severity words that are tallied from it, and the gcloud table format whose first column is
# vulnerability.effectiveSeverity (the word the counting and the gate grep for).
scanResults="scanResults"
touch -- "$scanResults"
vulnerabilitySeverityRating=(CRITICAL HIGH MEDIUM LOW)
metaDataTableFormat='table(vulnerability.effectiveSeverity, vulnerability.cvssScore, vulnerability.packageIssue[0].affectedPackage, vulnerability.packageIssue[0].affectedVersion.name, vulnerability.packageIssue[0].fixedVersion.name, noteName)'
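# Wraps the real gcloud binary (hence `command gcloud` inside): starts the container image scan
# for $containerTag, records the scan id in scan_id.txt, writes the vulnerability table to the
# $scanResults file and echoes it.
# Globals:   containerTag (read), metaDataTableFormat (read), scanResults (file written)
# Returns:   1 when the scan could not be started or returned no scan id; otherwise the status of
#            the list-vulnerabilities / cat chain.
gcloud() {
  : "${containerTag:?containerTag must be set to the image to scan}"
  local scanId
  # Previously a failed scan left an empty scan id and a truncated results file, which the
  # counting step reads as "0 vulnerabilities"; stop here so a scan that did not run cannot
  # pass as a clean one.
  if ! command gcloud artifacts docker images scan --format='value(response.scan)' "$containerTag" > scan_id.txt; then
    echo "Container scan could not be started for $containerTag" >&2
    return 1
  fi
  scanId=$(<scan_id.txt)
  if [[ -z "$scanId" ]]; then
    echo "Container scan returned no scan id" >&2
    return 1
  fi
  command gcloud artifacts docker images list-vulnerabilities "$scanId" --format="$metaDataTableFormat" > "$scanResults" && \
    echo "Here are the scan results" && \
    cat "$scanResults"
}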
function resultCount {
if [ -s $scanResults ]; then
CRITICAL=$(grep -c "${vulnerabilitySeverityRating[0]}" < "$scanResults")
HIGH=$(grep -c "${vulnerabilitySeverityRating[1]}" < "$scanResults")
MEDIUM=$(grep -c "${vulnerabilitySeverityRating[2]}" < "$scanResults")
LOW=$(grep -c "${vulnerabilitySeverityRating[3]}" < "$scanResults")
echo "Found vulnerabilities summary:"
echo "CRITICAL: $CRITICAL"
echo "HIGH: $HIGH"
echo "MEDIUM: $MEDIUM"
echo "LOW: $LOW"
jsonString=$( jq -nr \
--arg jqMarkdownMessageGeneral "<$githubUrl|Github Actions Failure - Container Scan>" \
--arg jqMarkdownMessageWhy "This container has vulnerabilities" \
--arg jqMarkdownMessageCritical ":space_invader: CRITICAL : $CRITICAL" \
--arg jqMarkdownMessageHigh ":lobster: HIGH : $HIGH" \
--arg jqMarkdownMessageMedium ":ladybug: MEDIUM : $MEDIUM" \
--arg jqMarkdownMessageLow ":v: LOW : $LOW" \
'{
blocks: [
{
type: "section",
text: {
type: "mrkdwn",
text: $jqMarkdownMessageGeneral
}
},
{
type: "section",
text: {
type: "mrkdwn",
text: $jqMarkdownMessageWhy
}
},
{
type: "section",
text: {
type: "mrkdwn",
text: $jqMarkdownMessageCritical
}
},
{
type: "section",
text: {
type: "mrkdwn",
text: $jqMarkdownMessageHigh
}
},
{
type: "section",
text: {
type: "mrkdwn",
text: $jqMarkdownMessageMedium
}
},
{
type: "section",
text: {
type: "mrkdwn",
text: $jqMarkdownMessageLow
}
}
]
}')
fail
else echo "Scan results returned 0 vulnerabilities"
fi
}
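# Gate decision: exits the script with 1 when any CRITICAL or HIGH finding is present in the
# results file (after trying to notify Slack), with 0 otherwise.
# Globals:   scanResults (read), jsonString (read by postMessageSlack)
# Returns:   never returns; always exits the script
fail() {
  # Matches the severity word anywhere on a line, not only in the severity column; a false
  # positive here fails closed, which is the acceptable error for a gate.
  if grep -qE -- 'CRITICAL|HIGH' "$scanResults"; then
    echo ""
    echo 'Workflow Failed Vulnerability Check'
    # Notify, but never let a failed Slack post turn a failed gate into a passing one: the
    # former `echo && postMessageSlack && exit 1` chain skipped the exit when the post failed
    # and the script then finished with status 0.
    postMessageSlack || echo "Slack notification failed; failing the workflow anyway" >&2
    exit 1
  else
    exit 0
  fi
}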
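# Posts the jsonString payload to the Slack incoming webhook.
# Globals:   slackWebhook (read), jsonString (read)
# Returns:   curl's status; non-zero on transport errors and, via --fail, on HTTP error responses
postMessageSlack() {
  : "${slackWebhook:?slackWebhook must be set}"
  # The webhook URL is a credential, so it is handed to curl through a config on stdin rather
  # than argv, where `set -x` traces and process listings would expose it.
  printf 'url = "%s"\n' "$slackWebhook" | curl --silent --show-error --fail --output /dev/null \
    --config - -X POST -H 'Content-type: application/json' --data "$jsonString"
}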
echo "Running container scanning in GCP"
gcloud
echo ""
echo "Counting results and doing fail check"
echo ""
resultCount
echo ""