eps-devcontainers/src/base/.devcontainer/Mk/trivy.mk at a64095c7dd50b20383c91a2833ada59d8ad57c91 · NHSDigital/eps-devcontainers · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
.PHONY: trivy-license-check trivy-generate-sbom trivy-scan-python trivy-scan-node trivy-scan-go trivy-scan-java

trivy-license-check:
	mkdir -p .trivy_out/
	@if [ -f poetry.lock ]; then \
		poetry self add poetry-plugin-export; \
		poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt; \
	fi
	@if [ -f src/go.sum ]; then \
		cd src && go mod vendor; \
	fi
	VIRTUAL_ENV=./.venv/ trivy fs . \
		--scanners license \
		--severity HIGH,CRITICAL \
		--config trivy.yaml \
		--include-dev-deps \
		--pkg-types library \
		--exit-code 1 \
		--output .trivy_out/license_scan.txt \
		--format table
	@if [ -f poetry.lock ]; then rm -f requirements.txt; fi
	@if [ -f src/go.sum ]; then rm -rf src/vendor; fi

trivy-generate-sbom:
	mkdir -p .trivy_out/
	trivy fs . \
		--scanners vuln \
		--config trivy.yaml \
		--include-dev-deps \
		--exit-code 0 \
		--output .trivy_out/sbom.cdx.json \
		--format cyclonedx

trivy-scan-python:
	mkdir -p .trivy_out/
	trivy fs . \
		--scanners vuln \
		--severity HIGH,CRITICAL \
		--config trivy.yaml \
		--include-dev-deps \
		--exit-code 1 \
		--skip-files "**/package-lock.json,**/go.mod,**/pom.xml" \
		--output .trivy_out/dependency_results_python.txt \
		--format table

trivy-scan-node:
	mkdir -p .trivy_out/
	trivy fs . \
		--scanners vuln \
		--severity HIGH,CRITICAL \
		--config trivy.yaml \
		--include-dev-deps \
		--exit-code 1 \
		--skip-files "**/poetry.lock,**/go.mod,**/pom.xml" \
		--output .trivy_out/dependency_results_node.txt \
		--format table

trivy-scan-go:
	mkdir -p .trivy_out/
	trivy fs . \
		--scanners vuln \
		--severity HIGH,CRITICAL \
		--config trivy.yaml \
		--include-dev-deps \
		--exit-code 1 \
		--skip-files "**/poetry.lock,**/package-lock.json,**/pom.xml" \
		--output .trivy_out/dependency_results_go.txt \
		--format table

trivy-scan-java:
	mkdir -p .trivy_out/
	trivy fs . \
		--scanners vuln \
		--severity HIGH,CRITICAL \
		--config trivy.yaml \
		--include-dev-deps \
		--exit-code 1 \
		--skip-files "**/poetry.lock,**/package-lock.json,**/go.mod" \
		--output .trivy_out/dependency_results_java.txt \
		--format table

trivy-scan-docker: guard-DOCKER_IMAGE
	mkdir -p .trivy_out/
	trivy image $${DOCKER_IMAGE} \
		--scanners vuln \
		--severity HIGH,CRITICAL \
		--config trivy.yaml \
		--include-dev-deps \
		--exit-code 1 \
		--pkg-types os,library \
		--output .trivy_out/dependency_results_docker.txt \
		--format table