@@ -27,11 +27,13 @@ docker image ls --filter "reference=ark.stackhpc.com/stackhpc-dev/$1-*:$2" > $1-
2727images=$( grep --invert-match --no-filename ^REPOSITORY $1 -scanned-container-images.txt | sed ' s/ \+/:/g' | cut -f 1,2 -d:)
2828
2929# Ensure output files exist
30- touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt
30+ touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt image-scan-output/critical-images.txt
3131
3232# If Trivy detects no vulnerabilities, add the image name to clean-images.txt.
3333# If there are vulnerabilities detected, add it to dirty-images.txt and
3434# generate a csv summary
35+ # If the image contains at least one critical vulnerabilities, add it to
36+ # critical-images.txt
3537for image in $images ; do
3638 filename=$( basename $image | sed ' s/:/\./g' )
3739 if $( trivy image \
@@ -51,13 +53,13 @@ for image in $images; do
5153 else
5254 # Add the image to the dirty list
5355 echo " ${image} " >> image-scan-output/dirty-images.txt
54-
56+
5557 # Write a header for the summary CSV
5658 echo ' "PkgName","PkgPath","PkgID","VulnerabilityID","FixedVersion","PrimaryURL","Severity"' > image-scan-output/$(unknown) .summary.csv
5759
5860 # Write the summary CSV data
59- jq -r ' .Results[]
60- | select(.Vulnerabilities)
61+ jq -r ' .Results[]
62+ | select(.Vulnerabilities)
6163 | .Vulnerabilities
6264 # Ignore packages with "kernel" in the PkgName
6365 | map(select(.PkgName | test("kernel") | not ))
@@ -72,8 +74,13 @@ for image in $images; do
7274 .[0].PrimaryURL,
7375 .[0].Severity
7476 ]
75- )
76- | .[]
77+ )
78+ | .[]
7779 | @csv' image-scan-output/$(unknown) .json >> image-scan-output/$(unknown) .summary.csv
80+
81+ if [ $( grep " CRITICAL" image-scan-output/$(unknown) .summary.csv -c) -gt 0 ]; then
82+ # If the image contains critical vulnerabilities, add the image to critical list
83+ echo " ${image} " >> image-scan-output/critical-images.txt
84+ fi
7885 fi
7986done
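Review bot: The new critical check greps the whole summary CSV for `CRITICAL`, so a package name, path or PrimaryURL that happens to contain that string would also put the image on the critical list; since `@csv` quotes every field and Severity is the last column, anchor the match to that field and let grep's exit status drive the branch: `if grep -q '"CRITICAL"$' "image-scan-output/${filename}.summary.csv"; then` (the path variable is garbled in this rendering; the earlier hunk assigns it as `filename`). That also drops the `$( ... -c) -gt 0` arithmetic and the unquoted path. Note that the check inherits the `kernel` exclusion applied by the jq filter above, which may or may not be intended for a critical list — worth a one-line comment either way. The hunk starts inside the jq expression and the enclosing `for image in $images` loop begins outside it.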