add image scanning

Author: patrickcrocker

pipeline-shellspec.yml

@@ -51,6 +51,50 @@ jobs:
       ccr-test-jobs: 4
       ccr-cf-cli-version: 7
 
+- name: scan-image
+  plan:
+  - in_parallel:
+    - get: cf-cli-resource
+      passed: [test-cf-cli-v6, test-cf-cli-v7]
+    - get: resource-image-dev
+      resource: resource-image-dev
+      passed: [test-cf-cli-v6, test-cf-cli-v7]
+      params:
+        format: oci
+      trigger: true
+    - get: trivy
+      trigger: true
+    - get: trivy-db
+      trigger: true
+      params:
+        globs:
+        - trivy-offline.db.tgz
+  - task: scan
+    image: trivy
+    config:
+      platform: linux
+      inputs:
+      - name: cf-cli-resource
+      - name: resource-image-dev
+        path: image
+      - name: trivy-db
+      run:
+        path: sh
+        args:
+        - -c
+        - |
+          mkdir db
+          tar -xzf trivy-db/trivy-offline.db.tgz -C ./db
+
+          trivy \
+            --cache-dir $(pwd) \
+            image \
+            --severity "HIGH,CRITICAL" \
+            --ignore-unfixed \
+            --exit-code 1 \
+            --input image/image.tar \
+            --skip-files opt/cf-cli-7.4.0/cf7
+
 - name: cleanup-failed-tests
   serial: true
   public: true
@@ -94,3 +138,19 @@ resources:
     tag: dev
     username: ((docker.username))
     password: ((docker.password))
+
+- name: trivy
+  type: registry-image
+  icon: docker
+  source:
+    repository: aquasec/trivy
+    username: ((docker.username))
+    password: ((docker.password))
+
+- name: trivy-db
+  type: github-release
+  icon: database
+  source:
+    owner: aquasecurity
+    repository: trivy-db
+    access_token: ((github_access_token))