diff --git a/platsec.sh b/platsec.sh
index a3c3dece..0b593d34 100755
--- a/platsec.sh
+++ b/platsec.sh
@@ -1,32 +1,57 @@
 #!/bin/bash
 IMAGE_NAME="${1:-$IMAGE_NAME}"
-ARTIFACTS_DIR="${2:-vuln-artifacts}"
+ARTIFACTS_DIR="${2:-$(pwd)/vuln_artifacts}"
+IMAGE_TO_SCAN=''
-export CICD_IMAGE_BUILDER_IMAGE_NAME="$IMAGE_NAME"
+download_install_script() {
-source <(curl -sSL https://raw.githubusercontent.com/RedHatInsights/cicd-tools/main/src/bootstrap.sh) image_builder
+ local command="$1"
+ local destination="$2"
-IMAGE_TO_SCAN=$(cicd::image_builder::get_full_image_name)
+ curl -sSfL "https://raw.githubusercontent.com/anchore/${command}/main/install.sh" | sh -s -- -b "$destination"
+}
-rm -fr $ARTIFACTS_DIR && mkdir -p $ARTIFACTS_DIR
+setup() {
-function download (){
- curl -sSfL https://raw.githubusercontent.com/anchore/$1/main/install.sh | sh -s -- -b ./bins
-}
+ if [ -z "$IMAGE_NAME" ]; then
+ echo "You need to provide an image to scan"
+ return 1
+ fi
-if ! ./bins/syft; then
- download syft
-fi
+ set -e
-if ! ./bins/grype; then
- download grype
-fi
+ # shellcheck source=/dev/null
+ source <(curl -sSL https://raw.githubusercontent.com/RedHatInsights/cicd-tools/main/src/bootstrap.sh) image_builder
+ export CICD_IMAGE_BUILDER_IMAGE_NAME="$IMAGE_NAME"
+ IMAGE_TO_SCAN=$(cicd::image_builder::get_full_image_name)
+ set +e
+
+ if ! [ -d "$ARTIFACTS_DIR" ]; then
+ if ! mkdir -p "$ARTIFACTS_DIR"; then
+ echo "Error creating artifacts dir: '$ARTIFACTS_DIR'"
+ return 1
+ fi
+ fi
-#install and run syft
-./bins/syft -v ${IMAGE_TO_SCAN} > "${ARTIFACTS_DIR}/syft-sbom-results.txt"
+ local SCRIPTS_DIR
+ SCRIPTS_DIR=$(mktemp -d)
+ export PATH="$PATH:$SCRIPTS_DIR"
-#install and run grype
-./bins/grype -v -o table --scope all-layers ${IMAGE_TO_SCAN} > "${ARTIFACTS_DIR}/grype-vuln-results-full.txt"
-./bins/grype -v -o table --only-fixed --fail-on high ${IMAGE_TO_SCAN} > "${ARTIFACTS_DIR}/grype-vuln-results-fixable.txt"
+ if ! cicd::common::command_is_present "syft"; then
+ download_install_script syft "$SCRIPTS_DIR"
+ fi
+
+ if ! cicd::common::command_is_present "grype"; then
+ download_install_script grype "$SCRIPTS_DIR"
+ fi
+}
+
+if ! setup; then
+ echo "Error while initializing"
+ exit 1
+fi
+syft -v "${IMAGE_TO_SCAN}" >"${ARTIFACTS_DIR}/syft-sbom-results.txt"
+grype -v -o table --scope all-layers "${IMAGE_TO_SCAN}" >"${ARTIFACTS_DIR}/grype-vuln-results-full.txt"
+grype -v -o table --only-fixed --fail-on high "${IMAGE_TO_SCAN}" >"${ARTIFACTS_DIR}/grype-vuln-results-fixable.txt"
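Review bot: The `set -e` placed before the bootstrap `source` inside `setup()` is ineffective, because `setup` is only invoked as `if ! setup; then` and bash suppresses errexit for every command run inside a function called from an `if` condition, so a failed fetch of bootstrap.sh or a non-zero return from `cicd::image_builder::get_full_image_name` leaves `IMAGE_TO_SCAN` empty and the script goes on to run `syft -v ""` and both `grype` invocations against nothing. Check those steps explicitly instead: fetch bootstrap.sh to a file with `curl -sSfL -o` and `source` that file `|| return 1`, then `IMAGE_TO_SCAN=$(cicd::image_builder::get_full_image_name) || return 1` followed by `[ -n "$IMAGE_TO_SCAN" ] || return 1`. Separately, both remote scripts are executed unpinned from `main` with no checksum or signature check (`source <(curl -sSL …bootstrap.sh)` and `curl -sSfL …install.sh | sh`), and the bootstrap `curl` also lacks `-f`, so an HTTP error body would be sourced as shell; pinning to a tagged release or commit (the anchore install script accepts a release tag as its trailing argument) and verifying a published checksum would keep the tool that produces the vulnerability report from being altered by an upstream-branch change. Finally, the `mktemp -d` directory appended to `PATH` is never removed; hoist `SCRIPTS_DIR` out of `local` and add `trap 'rm -rf -- "${SCRIPTS_DIR:?}"' EXIT` at top level.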