add scan image tasks

Author: patrickcrocker

ci/tasks/extract-trivy-db

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+echo "unpacking vulnerability db"
+
+TRIVY_TEMP_DIR=$(mktemp -d)
+trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
+tar -cf ./trivy-db/db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
+rm -rf $TRIVY_TEMP_DIR

ci/tasks/extract-trivy-db.yml

@@ -0,0 +1,15 @@
+---
+platform: linux
+
+image_resource:
+  type: registry-image
+  source: {repository: aquasecurity/trivy}
+
+inputs:
+- name: cf-cli-resource
+
+outputs:
+- name: trivy-db
+
+run:
+  path: cf-cli-resource/tasks/extract-trivy-db

ci/tasks/scan-image

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+set -e
+
+echo "unpacking vulnerability db"
+cache_dir=`pwd`
+mkdir -p "${cache_dir}/db"
+tar -xvf trivy-db/db.tar.gz -C "${cache_dir}/db"
+
+ignore_policy=""
+if [ -f "$IGNORE_POLICY_FILE" ]; then
+  ignore_policy="--ignore-policy $IGNORE_POLICY_FILE"
+fi
+
+echo "scanning base os"
+trivy \
+  --cache-dir "${cache_dir}" \
+  --quiet \
+  image \
+  --severity "HIGH,CRITICAL" \
+  --ignore-unfixed \
+  --exit-code 1 \
+  --input image/image.tar \
+  $ignore_policy

ci/tasks/scan-image.yml

@@ -0,0 +1,17 @@
+---
+platform: linux
+
+image_resource:
+  type: registry-image
+  source: {repository: aquasec/trivy}
+
+inputs:
+- name: cf-cli-resource
+- name: image
+- name: trivy-db
+
+params:
+  IGNORE_POLICY_FILE:
+
+run:
+  path: cf-cli-resource/tasks/scan-image