diff --git a/.circleci/config.yml b/.circleci/config.yml index 1a186bb..cd6b979 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,7 +1,6 @@ version: 2.1 orbs: - # Replace this with your own! trivy-orb: fifteen5/trivy-orb@<> orb-tools: circleci/orb-tools@10.0 bats: circleci/bats@1.0 @@ -30,9 +29,9 @@ jobs: steps: - checkout # "greet" is a sample command packaged with this orb config. - # This sample integration test will run as long as the greet command exists. Once you remove the greet command you should remove this line. + # This sample integration test will greet as long as the run command exists. Once you remove the run command you should remove this line. # Push new changes first, before adding new tests to your config. - - trivy-orb/greet + - trivy-orb/scan workflows: # Prior to producing a development orb (which requires credentials) basic validation, linting, and even unit testing can be performed. diff --git a/.gitignore b/.gitignore index 19eafbb..bc69d0b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,6 @@ # orb.yml is "packed" from source, and not published directly from the repository. -orb.yml \ No newline at end of file +orb.yml + +# personal vscode files +*.code-workspace +personal \ No newline at end of file diff --git a/README.md b/README.md index c7f5c1b..0bb0401 100644 --- a/README.md +++ b/README.md 
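Review bot: The rewritten comment on the `+` line of the `.circleci/config.yml` hunk swaps its words and now reads "will greet as long as the run command exists", which no longer describes the step beneath it (`- trivy-orb/scan`), while the untouched context line above still calls `greet` a sample command. Suggest `# This sample integration test will run as long as the scan command exists. Once you remove the scan command you should remove this line.` and updating the preceding line to name `scan`. The job these steps belong to starts before the hunk.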
@@ -1,19 +1,10 @@ -# Orb Project Template +# Trivy orb -[![CircleCI Build Status](https://circleci.com/gh/15five/trivy-orb.svg?style=shield "CircleCI Build Status")](https://circleci.com/gh/15five/trivy-orb) [![CircleCI Orb Version](https://badges.circleci.com/orbs/fifteen5/trivy-orb.svg)](https://circleci.com/orbs/registry/orb/fifteen5/trivy-orb) [![GitHub License](https://img.shields.io/badge/license-MIT-lightgrey.svg)](https://raw.githubusercontent.com/15five/trivy-orb/master/LICENSE) [![CircleCI Community](https://img.shields.io/badge/community-CircleCI%20Discuss-343434.svg)](https://discuss.circleci.com/c/ecosystem/orbs) +[![CircleCI Build Status](https://circleci.com/gh/15five/trivy-orb.svg?style=shield "CircleCI Build Status")](https://circleci.com/gh/15five/trivy-orb) [![CircleCI Orb Version](https://badges.circleci.com/orbs/fifteen5/trivy-orb.svg)](https://circleci.com/orbs/registry/orb/fifteen5/trivy-orb) [![GitHub License](https://img.shields.io/badge/license-MIT-lightgrey.svg)](https://raw.githubusercontent.com/15five/trivy-orb/master/LICENSE) +A [Circleci](https://circleci.com) orb for running [Trivy](https://github.com/aquasecurity/trivy), a vulnerability scanner for docker images and more. - -A starter template for orb projects. Build, test, and publish orbs automatically on CircleCI with [Orb-Tools](https://circleci.com/orbs/registry/orb/circleci/orb-tools). - -Additional READMEs are available in each directory. - - - -## Resources - -[CircleCI Orb Registry Page](https://circleci.com/orbs/registry/orb/fifteen5/trivy-orb) - The official registry page of this orb for all versions, executors, commands, and jobs described. -[CircleCI Orb Docs](https://circleci.com/docs/2.0/orb-intro/#section=configuration) - Docs for using and creating CircleCI Orbs. +The orb can be found here: [CircleCI Orb Registry Page](https://circleci.com/orbs/registry/orb/fifteen5/trivy-orb) ### How to Contribute 
@@ -37,5 +28,3 @@ Example: `[semver:major]` * On merge, after manual approval, the orb will automatically be published to the Orb Registry. -For further questions/comments about this or other orbs, visit the Orb Category of [CircleCI Discuss](https://discuss.circleci.com/c/orbs). - diff --git a/src/@orb.yml b/src/@orb.yml index 2e8ae44..ac22ce7 100755 --- a/src/@orb.yml +++ b/src/@orb.yml @@ -1,14 +1,13 @@ version: 2.1 description: > - Sample orb description + Orb for running Trivy, a security scanner # What will your orb allow users to accomplish? # Descriptions should be short, simple, and informative. # This information will be displayed in the orb registry and is not mandatory. display: - home_url: "https://www.website.com/docs" - source_url: "https://www.github.com/EXAMPLE_ORG/EXAMPLE_PROJECT" + source_url: "https://github.com/15five/trivy-orb" # If your orb requires other orbs, you can import them like this. Otherwise remove the "orbs" stanza. # orbs: diff --git a/src/commands/README.md b/src/commands/README.md index bd3b6b0..fa5cbee 100644 --- a/src/commands/README.md +++ b/src/commands/README.md @@ -4,7 +4,7 @@ Easily add and author [Reusable Commands](https://circleci.com/docs/2.0/reusing- Each _YAML_ file within this directory will be treated as an orb command, with a name which matches its filename. -View the included _[greet.yml](./greet.yml)_ example. +For example: ```yaml description: > @@ -17,7 +17,7 @@ parameters: default: "Hello" description: "Select a proper greeting" steps: - - run: + - greeting: name: Hello World command: echo << parameters.greeting >> world ``` diff --git a/src/commands/greet.yml b/src/commands/greet.yml deleted file mode 100755 index f4e2205..0000000 --- a/src/commands/greet.yml +++ /dev/null 
@@ -1,15 +0,0 @@
-description: >
- This command echos "Hello World" using file inclusion.
-# What will this command do?
-# Descriptions should be short, simple, and clear.
-parameters:
- to:
- type: string
- default: "World"
- description: "Hello to whom?"
-steps:
- - run:
- environment:
- PARAM_TO: <>
- name: Hello Greeting
- command: <>
diff --git a/src/commands/scan.yml b/src/commands/scan.yml
new file mode 100755
index 0000000..5cd0183
--- /dev/null
+++ b/src/commands/scan.yml
@@ -0,0 +1,25 @@
+description: >
+ This command runs Trivy.
+parameters:
+ version:
+ type: string
+ default: "0.19.2"
+ description: "Version of trivy to download"
+ install_location:
+ type: string
+ default: .
+ description: "Where to install Trivy"
+ args:
+ type: string
+ default: "-h"
+ description: "Arguments to pass into trivy. See https://aquasecurity.github.io/trivy/v0.19.2/getting-started/cli."
+steps:
+ - run:
+ environment:
+ PARAM_VERSION: <>
+ PARAM_BINDIR: <>
+ name: Install Trivy
+ command: <>
+ - run:
+ name: Run Trivy
+ command: ./trivy <>
diff --git a/src/examples/example.yml b/src/examples/example.yml
index a2cdaab..a82c6c9 100755
--- a/src/examples/example.yml
+++ b/src/examples/example.yml
@@ -6,8 +6,9 @@ description: >
 usage:
 version: 2.1
 orbs:
- : /@1.2.3
+ trivy: fifteen5/trivy@1.0.0
 workflows:
 use-my-orb:
 jobs:
- - /
+ - trivy/scan:
+ args: --no-progress --exit-code 1 image busybox
diff --git a/src/executors/default.yml b/src/executors/default.yml
index 61e9948..ad80b1e 100755
--- a/src/executors/default.yml
+++ b/src/executors/default.yml
@@ -1,11 +1,10 @@
 description: >
- This is a sample executor using Docker and Node.
+ Executor for trivy
 docker:
- - image: 'cimg/node:<>'
+ - image: 'cimg/base:<>'
 parameters:
 tag:
- default: lts
+ default: "2021.07"
 description: >
- Pick a specific circleci/node image variant:
- https://hub.docker.com/r/cimg/node/tags
+ Tag for 'cimg/base' docker container
 type: string
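Review bot: The second step of `src/commands/scan.yml` runs `./trivy <>`, so `install_location` only controls where the installer writes the binary (via `PARAM_BINDIR`) and the run step still looks in the working directory; any caller passing a non-default `install_location` gets a "no such file" failure on the run step. Point the run step at the parameter, `command: << parameters.install_location >>/trivy << parameters.args >>`. `args` is spliced verbatim into a shell command line, which is the usual orb pattern, but the parameter description should say so, since quoting of user-supplied values is then the caller's responsibility. The parameter renders as `<>` on this page, so confirm the template expression survived in the committed file.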
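Review bot: The example in `src/examples/example.yml` imports the orb as `trivy: fifteen5/trivy@1.0.0`, but everywhere else in this commit the orb is named `fifteen5/trivy-orb` (the `.circleci/config.yml` orbs stanza and the README registry badge), so a user copying the example would get an unresolvable orb reference; suggest `trivy: fifteen5/trivy-orb@1.0.0`. The `1.0.0` version looks like a placeholder, so confirm it matches a release that is actually published before the example is shipped.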
diff --git a/src/jobs/README.md b/src/jobs/README.md index 5dddab9..336ab40 100644 --- a/src/jobs/README.md +++ b/src/jobs/README.md @@ -6,7 +6,7 @@ Each _YAML_ file within this directory will be treated as an orb job, with a nam Jobs may invoke orb commands and other steps to fully automate tasks with minimal user configuration. -View the included _[hello.yml](./hello.yml)_ example. +For example: ```yaml @@ -20,7 +20,7 @@ parameters: default: "Hello" description: "Select a proper greeting" steps: - - greet: + - scan: greeting: << parameters.greeting >> ``` diff --git a/src/jobs/hello.yml b/src/jobs/hello.yml deleted file mode 100755 index f7ec411..0000000 --- a/src/jobs/hello.yml +++ /dev/null @@ -1,15 +0,0 @@ -description: > - Sample description -# What will this job do? -# Descriptions should be short, simple, and clear. - -executor: default - -parameters: - to: - type: string - default: "World" - description: "Hello to whom?" -steps: - - greet: - to: << parameters.to >> diff --git a/src/jobs/junit_run.yml b/src/jobs/junit_run.yml new file mode 100644 index 0000000..ae2d24c --- /dev/null +++ b/src/jobs/junit_run.yml 
@@ -0,0 +1,26 @@
+# Thanks to https://circleci.com/developer/orbs/orb/signavio/trivy
+description: "Run Trivy with JUnit test results"
+parameters:
+ version:
+ type: string
+ default: "0.19.2"
+ description: "Version of trivy to download"
+ install_location:
+ type: string
+ default: .
+ description: "Where to install Trivy"
+ args:
+ type: string
+ default: "-h"
+ description: "Arguments to pass into trivy. See https://aquasecurity.github.io/trivy/v0.19.2/getting-started/cli. Note that several args are already specified (see source)"
+ output-folder-path:
+ description: Output folder path.
+ type: string
+ default: 'trivy-scan-results'
+steps:
+ - scan:
+ args: --no-progress=true --exit-code=1 --format=template --template='@junit.tpl' --output=<>/junit.xml <>
+ - store_test_results:
+ path: <>
+ - store_artifacts:
+ path: <>
\ No newline at end of file
diff --git a/src/jobs/scan.yml b/src/jobs/scan.yml
new file mode 100755
index 0000000..8209a57
--- /dev/null
+++ b/src/jobs/scan.yml
@@ -0,0 +1,24 @@
+description: >
+ Runs Trivy
+# What will this job do?
+# Descriptions should be short, simple, and clear.
+
+executor: default
+
+parameters:
+ version:
+ type: string
+ default: "0.19.2"
+ description: "Version of trivy to download"
+ install_location:
+ type: string
+ default: .
+ description: "Where to install Trivy"
+ args:
+ type: string
+ default: "-h"
+ description: "Arguments to pass into trivy. See https://aquasecurity.github.io/trivy/v0.19.2/getting-started/cli."
+steps:
+ - scan:
+ version: << parameters.version >>
+ args: << parameters.args >>
diff --git a/src/scripts/greet.sh b/src/scripts/greet.sh
deleted file mode 100644
index e6febce..0000000
--- a/src/scripts/greet.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-Greet() {
- echo Hello "${PARAM_TO}"
-}
-
-# Will not run if sourced for bats-core tests.
-# View src/tests for more information.
-ORB_TEST_ENV="bats-core"
-if [ "${0#*$ORB_TEST_ENV}" == "$0" ]; then
- Greet
-fi
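Review bot: The new `src/jobs/junit_run.yml` declares no executor, whereas the sibling `src/jobs/scan.yml` job sets `executor: default`; as far as I can tell a job definition without one fails config validation, so add `executor: default` above `parameters:`. The `--template='@junit.tpl'` argument resolves the template file relative to the working directory, but `src/scripts/install.sh` in this commit writes it to `/tmp/junit.tpl`, so the scan will not find it unless the two paths are aligned (e.g. `--template='@/tmp/junit.tpl'`). Both jobs also declare `version` and `install_location`, yet `junit_run` forwards neither and `scan` forwards only `version` to the `scan` command, so the job-level values are silently ignored; pass them through as `install_location: << parameters.install_location >>` (and `version` in `junit_run`) next to the existing `args`. The `output-folder-path` key is kebab-case while every other parameter is snake_case, which is worth settling before the job interface is published.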
diff --git a/src/scripts/install.sh b/src/scripts/install.sh
new file mode 100644
index 0000000..5460454
--- /dev/null
+++ b/src/scripts/install.sh
@@ -0,0 +1,13 @@
+Install() {
+ echo Installing Trivy v"${PARAM_VERSION}" to "${PARAM_BINDIR}"
+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b "${PARAM_BINDIR}" v"${PARAM_VERSION}"
+ mkdir -p /tmp
+ curl https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/junit.tpl -o /tmp/junit.tpl
+}
+
+# Will not run if sourced for bats-core tests.
+# View src/tests for more information.
+ORB_TEST_ENV="bats-core"
+if [ "${0#*$ORB_TEST_ENV}" == "$0" ]; then
+ Install
+fi
diff --git a/src/tests/greet.bats b/src/tests/greet.bats
deleted file mode 100644
index a7bfbe0..0000000
--- a/src/tests/greet.bats
+++ /dev/null
@@ -1,13 +0,0 @@
-# Runs prior to every test
-setup() {
- # Load our script file.
- source ./src/scripts/greet.sh
-}
-
-@test '1: Greet the world' {
- # Mock environment variables or functions by exporting them (after the script has been sourced)
- export PARAM_TO="World"
- # Capture the output of our "Greet" function
- result=$(Greet)
- [ "$result" == "Hello World" ]
-}
\ No newline at end of file
diff --git a/src/tests/install.bats b/src/tests/install.bats
new file mode 100644
index 0000000..bdc1c5b
--- /dev/null
+++ b/src/tests/install.bats
@@ -0,0 +1,14 @@
+# Runs prior to every test
+setup() {
+ # Load our script file.
+ source ./src/scripts/install.sh
+}
+
+@test '1: Installs correctly' {
+ # mock params
+ export PARAM_VERSION=0.19.2
+ export PARAM_BINDIR=.
+ # Capture the output of our "Install" function
+ result=$(Install)
+ ./trivy -h
+}
\ No newline at end of file
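Review bot: `Install` in `src/scripts/install.sh` fetches the installer from the unpinned `main` ref and pipes it straight into `sh` with no checksum verification, so although the trivy binary is pinned by `PARAM_VERSION`, the script that installs it changes whenever upstream's default branch does; pinning the URL to the release ref that matches `PARAM_VERSION` and checking the published checksum would make the step reproducible and reviewable. The second `curl` has no `-f`, so a 404 writes the HTML error page into `/tmp/junit.tpl` and the function still returns success; `curl -fsSL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/junit.tpl -o /tmp/junit.tpl` fails the step instead. That template is likewise taken from `main` rather than the pinned version, so it can drift from the binary it is meant to match. `mkdir -p /tmp` is almost certainly a no-op in the executor image and can be dropped.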
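Review bot: The test in `src/tests/install.bats` captures `result=$(Install)` but never inspects it, and its only check is the exit status of `./trivy -h` after a real download from GitHub, so the suite needs network access and leaves the binary in the repository root (`PARAM_BINDIR=.`). Either drop the unused `result` capture or assert on it, and pin the expectation to the requested version with something like `./trivy --version | grep -q "${PARAM_VERSION}"` so a silently wrong install is caught; a network-free unit test would need `curl` stubbed in `setup()`. The `PARAM_VERSION=0.19.2` literal duplicates the default in `src/commands/scan.yml`, which will drift on the next bump unless one place is authoritative.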