mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 13:39:40 +03:00
137 lines
3.6 KiB
Markdown
137 lines
3.6 KiB
Markdown
# Workflows - Docker Image Scanning with Trivy
|
|
|
|
## Workflow 1: Developer Local Scan
|
|
|
|
```
|
|
[Developer builds image] --> [trivy image myapp:latest]
|
|
| |
|
|
v v
|
|
Fix Dockerfile Review findings
|
|
Update deps |
|
|
| +------+------+
|
|
| | |
|
|
v v v
|
|
Rebuild image CRITICAL/HIGH MEDIUM/LOW
|
|
| found? found?
|
|
| | |
|
|
v v v
|
|
Re-scan Fix immediately Add to backlog
|
|
before commit or .trivyignore
|
|
```
|
|
|
|
## Workflow 2: CI/CD Gate Scan
|
|
|
|
```yaml
|
|
# Pipeline stages
|
|
Build --> Scan --> Gate Decision --> Deploy/Block
|
|
|
|
# Gate policy
|
|
CRITICAL: Block deployment, fail pipeline (exit-code 1)
|
|
HIGH: Block deployment to production
|
|
MEDIUM: Warn, allow deployment to staging
|
|
LOW: Informational only
|
|
```
|
|
|
|
## Workflow 3: Registry Continuous Scanning
|
|
|
|
```
|
|
[Images in Registry]
|
|
|
|
|
v
|
|
[Scheduled Trivy Scan (daily/weekly)]
|
|
|
|
|
+--> [New CVE detected in existing image]
|
|
| |
|
|
| v
|
|
| [Create JIRA/GitHub issue]
|
|
| |
|
|
| v
|
|
| [Rebuild and push patched image]
|
|
|
|
|
+--> [No new CVEs]
|
|
|
|
|
v
|
|
[Log clean scan result]
|
|
```
|
|
|
|
## Workflow 4: Full SBOM + Vulnerability Pipeline
|
|
|
|
```bash
|
|
#!/bin/bash
|
|
IMAGE="myapp:v1.0.0"
|
|
|
|
# Step 1: Generate SBOM
|
|
trivy image --format cyclonedx --output sbom.cdx.json "$IMAGE"
|
|
|
|
# Step 2: Vulnerability scan
|
|
trivy image --format json --output vuln-report.json "$IMAGE"
|
|
|
|
# Step 3: License scan
|
|
trivy image --scanners license --format json --output license-report.json "$IMAGE"
|
|
|
|
# Step 4: Secret scan
|
|
trivy image --scanners secret --format json --output secret-report.json "$IMAGE"
|
|
|
|
# Step 5: Config scan (if Dockerfile available)
|
|
trivy config --format json --output config-report.json Dockerfile
|
|
|
|
# Step 6: Generate HTML report
|
|
trivy image --format template \
|
|
--template "@contrib/html.tpl" \
|
|
--output report.html "$IMAGE"
|
|
|
|
# Step 7: Upload to dependency tracking (e.g., Dependency-Track)
|
|
curl -X POST "https://dtrack.example.com/api/v1/bom" \
|
|
-H "X-Api-Key: $DTRACK_API_KEY" \
|
|
-F "project=$PROJECT_UUID" \
|
|
-F "bom=@sbom.cdx.json"
|
|
```
|
|
|
|
## Workflow 5: Multi-Image Fleet Scanning
|
|
|
|
```bash
|
|
#!/bin/bash
|
|
# Scan all images in a Kubernetes cluster
|
|
|
|
# Get unique images
|
|
IMAGES=$(kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}' | sort -u)
|
|
|
|
echo "Scanning $(echo "$IMAGES" | wc -l) unique images..."
|
|
|
|
for IMAGE in $IMAGES; do
|
|
echo "=== Scanning: $IMAGE ==="
|
|
trivy image --severity CRITICAL,HIGH --exit-code 0 \
|
|
--format json --output "scan_$(echo $IMAGE | tr '/:' '_').json" \
|
|
"$IMAGE" 2>/dev/null
|
|
done
|
|
|
|
# Aggregate results
|
|
echo "Generating aggregate report..."
|
|
python3 aggregate_trivy_results.py scan_*.json > fleet_report.json
|
|
```
|
|
|
|
## Workflow 6: Trivy Operator for Kubernetes
|
|
|
|
```yaml
|
|
# Install Trivy Operator via Helm
|
|
# helm install trivy-operator aquasecurity/trivy-operator \
|
|
# --namespace trivy-system --create-namespace
|
|
|
|
# VulnerabilityReport is created automatically for each workload
|
|
apiVersion: aquasecurity.github.io/v1alpha1
|
|
kind: VulnerabilityReport
|
|
metadata:
|
|
name: pod-myapp-myapp
|
|
namespace: default
|
|
spec:
|
|
scanner:
|
|
name: Trivy
|
|
version: 0.50.0
|
|
report:
|
|
summary:
|
|
criticalCount: 2
|
|
highCount: 5
|
|
mediumCount: 12
|
|
lowCount: 8
|
|
```
|