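#!/usr/bin/env bash
# install_trivy.sh — download a Trivy release archive plus its sigstore bundle,
# verify the bundle with cosign, and install the trivy binary.
#
# Inputs (environment): INSTALL_DIR, VERSION, ARCH — see usage() below.
set -euo pipefail

DEFAULT_INSTALL_DIR="/usr/local/bin"
INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}"
VERSION="${VERSION:-v0.69.3}"
DEFAULT_ARCH="64bit"
ARCH="${ARCH:-$DEFAULT_ARCH}"

# VERSION and ARCH are spliced into the download URL, the archive file name
# (under the temp dir) and the expected signing identity. Accept only a plain
# release tag / architecture token so a typo or a stray path component fails
# here with a clear message instead of as a 404 or a confusing cosign error.
if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$ ]]; then
  printf 'Error: VERSION must look like v<major>.<minor>.<patch> (got %q)\n' "$VERSION" >&2
  exit 1
fi
if [[ ! "$ARCH" =~ ^[0-9A-Za-z_]+$ ]]; then
  printf 'Error: ARCH must be a plain architecture token such as 64bit (got %q)\n' "$ARCH" >&2
  exit 1
fi

# Release assets are named with the tag minus its leading "v".
RELEASE_NUMBER="${VERSION#v}"
BASE_URL="https://github.com/aquasecurity/trivy/releases/download/${VERSION}"
ARCHIVE="trivy_${RELEASE_NUMBER}_Linux-${ARCH}.tar.gz"
BUNDLE="${ARCHIVE}.sigstore.json"
# Identity the signing certificate must carry: the upstream release workflow,
# pinned to this exact tag (so a bundle for another tag does not verify).
CERT_IDENTITY="https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/${VERSION}"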
#######################################
# Print the help text to stdout.
# Each line is passed as a literal argument to printf, so nothing in the
# text is expanded — same output as the quoted heredoc this replaces.
# Arguments: none
# Outputs:   help text on stdout
# Returns:   0
#######################################
usage() {
  printf '%s\n' \
    'Usage: install_trivy.sh' \
    'Downloads the Trivy archive and its sigstore bundle to a temporary directory,' \
    'verifies the sigstore bundle following' \
    'https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/signature-verification.md,' \
    'and installs the trivy binary into INSTALL_DIR (default: /usr/local/bin).' \
    'Environment variables:' \
    'INSTALL_DIR Directory to install the trivy binary into (default: /usr/local/bin)' \
    'VERSION Trivy version tag to install (default: v0.69.3)' \
    'ARCH Architecture suffix used in the download (default: 64bit)'
}
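if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
  usage
  exit 0
fi

# Fail early if any tool used later is missing: curl (download), cosign
# (bundle verification), tar (extract) and install (copy into INSTALL_DIR).
for cmd in curl cosign tar install; do
  if ! command -v "$cmd" >/dev/null 2>&1; then
    printf 'Error: %s is required but not found in PATH\n' "$cmd" >&2
    exit 1
  fi
done

# Scratch directory for the archive, bundle and extracted binary; removed on
# every exit path. The ":?" guard refuses to run rm -rf on an empty path.
TMP_DIR="$(mktemp -d)"
trap 'rm -rf -- "${TMP_DIR:?}"' EXIT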
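#######################################
# Fetch one URL into a local file.
# Arguments: $1 - URL (must be https), $2 - destination path
# Outputs:   one progress line on stdout; curl errors on stderr
# Returns:   curl's exit status (-f makes HTTP errors non-zero)
#######################################
download() {
  local url="${1}" dest="${2}"
  printf 'Downloading %s ...\n' "${dest}"
  # --proto '=https' rejects any non-HTTPS scheme, including a redirect that
  # would downgrade to plain http; --tlsv1.2 sets the minimum TLS version.
  curl -fsSL --proto '=https' --tlsv1.2 -o "${dest}" "${url}"
}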
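ARCHIVE_PATH="${TMP_DIR}/${ARCHIVE}"
BUNDLE_PATH="${TMP_DIR}/${BUNDLE}"
download "${BASE_URL}/${ARCHIVE}" "${ARCHIVE_PATH}"
download "${BASE_URL}/${BUNDLE}" "${BUNDLE_PATH}"

# Verify the archive against its sigstore bundle before anything is extracted.
# The certificate must have been issued by the GitHub Actions OIDC issuer to
# the upstream release workflow at this exact tag; a mismatch or a tampered
# archive makes cosign exit non-zero and set -e stops the script here.
cosign verify-blob-attestation \
  --bundle "${BUNDLE_PATH}" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity "${CERT_IDENTITY}" \
  "${ARCHIVE_PATH}"
printf 'Sigstore verification passed\n'

# Only the binary is needed, so extract just that member instead of the whole
# archive; tar fails (and set -e stops us) if the member is absent.
tar -xzf "${ARCHIVE_PATH}" -C "${TMP_DIR}" trivy
mkdir -p -- "${INSTALL_DIR}"
install -m 0755 -- "${TMP_DIR}/trivy" "${INSTALL_DIR}/trivy"
printf 'trivy %s installed to %s\n' "${VERSION}" "${INSTALL_DIR}"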