-
Notifications
You must be signed in to change notification settings - Fork 2
/
scanWithRetryTask.yml
134 lines (128 loc) · 5.08 KB
/
scanWithRetryTask.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
parameters:
- name : trivyCacheAzureSubscription
type: string
default: ''
displayName: 'Subscription used to retrieve Trivy cache. If left empty, no cache will be used.'
- name : trivyCacheStorageAccount
type: string
default: ''
displayName: 'Storage account name where the Trivy cache is stored'
- name : trivyCacheContainerName
type: string
default: 'trivy-cache'
displayName: 'Container name where the Trivy cache is stored'
- name : trivyCacheBlobName
type: string
default: 'trivy-cache.zip'
displayName: 'Name of the Zip file containing the Trivy cache'
- name: localTrivyCachePath
type: string
default: $(Agent.TempDirectory)/trivy-cache
displayName: 'Folder path containing the Trivy cache'
- name : dockerExtraArguments
type: string
default: ''
displayName: 'Arguments for the docker command'
- name : trivyExtraArguments
type: string
default: ''
displayName: 'Arguments for the trivy command'
- name: trivyIgnoreFile
type: string
default: ''
displayName: 'Path to the trivy ignore file'
- name: displayName
type: string
default: 'Execute scan with retries'
displayName: 'The display name of the task'
steps:
- ${{ if ne(parameters.trivyCacheAzureSubscription, '') }}:
- task: AzureCLI@2
displayName: 'Retrieve Trivy cache'
inputs:
azureSubscription: ${{ parameters.trivyCacheAzureSubscription }}
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
echo "Checking provided parameters..."
if [ -z "${{ parameters.trivyCacheStorageAccount }}" ]; then
echo "Trivy cache storage account name is not provided."
exit 1
fi
if [ -z "${{ parameters.trivyCacheContainerName }}" ]; then
echo "Trivy cache container name is not provided."
exit 1
fi
if [ -z "${{ parameters.trivyCacheBlobName }}" ]; then
echo "Trivy cache blob name is not provided."
exit 1
fi
if [ -z "${{ parameters.localTrivyCachePath }}" ]; then
echo "Local Trivy DB path is not provided."
exit 1
fi
echo "Retrieving blob storage..."
az storage blob download \
--account-name ${{ parameters.trivyCacheStorageAccount }} \
--container-name ${{ parameters.trivyCacheContainerName }} \
--name ${{ parameters.trivyCacheBlobName }} \
--file $(Agent.TempDirectory)/${{ parameters.trivyCacheBlobName }} \
--auth-mode login
echo "Create folder ${{ parameters.localTrivyCachePath }}.."
mkdir -p ${{ parameters.localTrivyCachePath }}
echo "Unzipping blob..."
unzip -o $(Agent.TempDirectory)/${{ parameters.trivyCacheBlobName }} -d ${{ parameters.localTrivyCachePath }}
echo "Blob retrieved and unzipped successfully."
- script: |
retries=10
count=0
if [ -z "${{ parameters.localTrivyCachePath }}" ]; then
echo "Local Trivy DB path is not provided."
exit 1
fi
if [ -n "${{ parameters.trivyIgnoreFile }}" ]; then
ignoreMountArgs="-v ${{ parameters.trivyIgnoreFile }}:/tmp/trivyignore"
ignoreFileTrivyArgs="--ignorefile /tmp/trivyignore"
echo "Using ignore file at ${{ parameters.trivyIgnoreFile }}"
else
ignoreMountArgs=""
ignoreFileTrivyArgs=""
echo "No ignore file specified."
fi
echo "Using local cache at ${{ parameters.localTrivyCachePath }}: "
ls -al ${{ parameters.localTrivyCachePath }}
localCacheMountArgs="-v ${{ parameters.localTrivyCachePath }}:/mnt/trivy/cache"
localCacheTrivyArgs="--cache-dir /mnt/trivy/cache"
# If the cache folder is not empty, use the offline mode
if [ -z "$( ls -A '${{ parameters.localTrivyCachePath }}' )" ]; then
echo "Local cache is empty."
offlineTrivyArgs=""
else
echo "Local cache is not empty, running in offline mode."
offlineTrivyArgs="--skip-db-update --skip-java-db-update --offline-scan --skip-check-update"
fi
command="docker run --rm -v /var/run/docker.sock:/var/run/docker.sock $ignoreMountArgs $localCacheMountArgs ${{ parameters.dockerExtraArguments }} aquasec/trivy:latest $ignoreFileTrivyArgs $localCacheTrivyArgs $offlineTrivyArgs --exit-code 1 --format table --scanners vuln,misconfig,secret ${{ parameters.trivyExtraArguments }}"
echo "Executing '$command' with retries..."
while [ $count -lt $retries ]; do
log_output=$($command 2>&1)
exit_code=$?
echo "$log_output"
if echo "$log_output" | grep "Fatal" | grep "failed to download artifact" | grep -q "failed to download vulnerability DB"; then
count=$((count + 1))
echo "Scan failed due to DB download error. Attempt $count/$retries. Retrying in 10 seconds..."
sleep 10
else
if [ $exit_code -eq 0 ]; then
echo "Scan completed successfully."
break
else
echo "Scan failed due to other errors."
exit 1
fi
fi
done
if [ $count -eq $retries ]; then
echo "Scan failed after $retries attempts due to DB download error."
exit 1
fi
displayName: ${{ parameters.displayName }}