diff --git a/.circleci/config.yml b/.circleci/config.yml
index f4f591c29..44f50da7c 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -191,7 +191,16 @@ jobs:
 - set_environment_variables
 - setup_remote_docker
 - run: ./.circleci/scripts/install-trivy.sh
- - run: ./scripts/scan-all.sh
+ - set_tags
+ - run:
+ name: Scan for vulnerabilities
+ command: |
+ if [ "$CIRCLE_BRANCH" != "main" ]
+ then
+ ./scripts/scan-all.sh $CIRCLE_BRANCH "${CHANGED[*]}"
+ else
+ ./scripts/scan-all.sh
+ fi
 - run: |
 if ! git diff --exit-code fairwinds-insights.yaml; then
 echo "Please run `SKIP_TRIVY=true ./scripts/scan-all.sh` to regenerate fairwinds-insights.yaml"
@@ -337,3 +346,4 @@ workflows:
 - main
 jobs:
 - build_and_push_plugins
+ - scan_for_vulnerabilities
diff --git a/scripts/scan-all.sh b/scripts/scan-all.sh
index 4571bb510..24f505842 100755
--- a/scripts/scan-all.sh
+++ b/scripts/scan-all.sh
@@ -1,6 +1,11 @@
 #! /bin/bash
 set -eo pipefail
+declare branch_name=$1
+declare -a changed_plugins=($2)
+
+branch_name=$(echo $branch_name | sed 's/\//-/g')
+
 # Hard-coding four external images we own. Versions taken from insights-agent. Need to find a better solution here.
 images=(quay.io/fairwinds/polaris:9.0 quay.io/fairwinds/nova:v3.9 us-docker.pkg.dev/fairwinds-ops/oss/pluto:v5.19 us-docker.pkg.dev/fairwinds-ops/oss/goldilocks:v4.11)
 have_vulns=()
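Review bot: `./scripts/scan-all.sh $CIRCLE_BRANCH "${CHANGED[*]}"` in the new `command:` block leaves `$CIRCLE_BRANCH` unquoted and flattens the array with `[*]` into a single argument that the script then re-splits, so the boundary between the branch and the plugin list depends on word-splitting at both ends. Quoting `"$CIRCLE_BRANCH"` is the minimal fix; passing `"${CHANGED[@]}"` as separate arguments and reading them in the script with `shift; changed_plugins=("$@")` would remove the re-split entirely, though that touches both files. `CHANGED` is presumably populated by the `set_tags` command added just above, which is not visible here; a comment naming its origin, e.g. `# CHANGED is populated by set_tags`, would save the next reader a search.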
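Review bot: `declare -a changed_plugins=($2)` relies on unquoted expansion to split the plugin list, so any glob characters in the argument are expanded against the working directory and the split follows whatever IFS is in effect; `read -ra changed_plugins <<<"${2-}"` splits on whitespace without globbing. The `echo $branch_name | sed` line just below can be the builtin `branch_name=${1//\//-}`, which also removes the unquoted echo. Because branch_name is later used as an image tag (in the following hunk), replacing only `/` leaves other characters a branch name may carry but an image tag may not (anything outside `[A-Za-z0-9_.-]`), so the later pull would fail for such branches; sanitizing to that set or rejecting such names early would make the failure explicit. In that later hunk, whose end is outside this view, `quay.io/fairwinds/prometheus-collector` maps to `"postgres-partman"` while `postgres-partman` maps to `"postgres"`, which looks like a shifted entry worth re-checking.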
@@ -27,11 +32,46 @@ for name in "${images[@]}"; do
 echo -e " - $name" >> ./fairwinds-insights.yaml
 done
+declare -A changed_plugins_map
+for plugin in "${changed_plugins[@]}"; do
+ changed_plugins_map[$plugin]=1
+done
+
+# create a map to match images in images array to the plugin name
+declare -A plugin_map
+plugin_map["quay.io/fairwinds/insights-admission-controller"]="admission"
+plugin_map["quay.io/fairwinds/aws-costs"]="aws-costs"
+plugin_map["quay.io/fairwinds/insights-ci"]="ci"
+plugin_map["quay.io/fairwinds/cloud-costs"]="cloud-costs"
+plugin_map["quay.io/fairwinds/falco-agent"]="falco"
+plugin_map["quay.io/fairwinds/fw-kube-bench-aggregator"]="kube-bench-aggregator"
+plugin_map["quay.io/fairwinds/fw-kube-bench"]="kube-bench"
+plugin_map["quay.io/fairwinds/kubectl"]="kubectl"
+plugin_map["quay.io/fairwinds/fw-kubesec"]="kubesec"
+plugin_map["quay.io/fairwinds/kyverno"]="kyverno"
+plugin_map["quay.io/fairwinds/fw-opa"]="opa"
+plugin_map["quay.io/fairwinds/postgres-partman"]="postgres"
+plugin_map["quay.io/fairwinds/prometheus-collector"]="postgres-partman"
+plugin_map["quay.io/fairwinds/rbac-reporter"]="rbac-reporter"
+plugin_map["quay.io/fairwinds/right-sizer"]="right-sizer"
+plugin_map["quay.io/fairwinds/fw-trivy"]="trivy"
+plugin_map["quay.io/fairwinds/insights-uploader"]="uploader"
+plugin_map["quay.io/fairwinds/insights-utils"]="utils"
+plugin_map["quay.io/fairwinds/workloads"]="workloads"
+
 echo "scanning all images"
 for name in "${images[@]}"; do
 if [[ $SKIP_TRIVY == "true" ]]; then
 break
 fi
+
+ name_without_tag=$(echo $name | sed "s/:.*//")
+ if [[ -n ${plugin_map[$name_without_tag]} ]]; then
+ if [[ -n ${changed_plugins_map[${plugin_map[$name_without_tag]}]} ]]; then
+ name=$(echo $name_without_tag:$branch_name)
+ fi
+ fi
+
 echo "scanning $name"
 docker pull $name