Merge pull request #3 from RyosukeDTomita/feature/image-scan

install trivy via apt
RyosukeDTomita · Dec 17, 2023 · 5ad4dff · 5ad4dff
2 parents b87fc22 + 382a41e
commit 5ad4dff
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 85 deletions.
diff --git a/copilot/pipelines/react-app-pipeline/buildspec.yml b/copilot/pipelines/react-app-pipeline/buildspec.yml
@@ -8,8 +8,13 @@ phases:
       # Download the copilot linux binary.
       - wget -q https://ecs-cli-v2-release.s3.amazonaws.com/copilot-linux-v1.32.0 -O copilot-linux
       - chmod +x ./copilot-linux
-      # Download trivy.
-      - docker pull ghcr.io/aquasecurity/trivy:canary
+      # Download trivy. https://aquasecurity.github.io/trivy/v0.48/getting-started/installation/
+      - apt-get install wget apt-transport-https gnupg lsb-release
+      - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+      - echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+      - apt-get update
+      - apt-get install trivy
+
   build:
     commands:
       - echo "Run your tests"
@@ -66,7 +71,7 @@ phases:
         done;
       - ls -lah ./infrastructure
       # Run trivy scan on the docker images.
-      - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock ghcr.io/aquasecurity/trivy:canary image --vuln-type os --no-progress --format table -o container-scanning-report.txt --severity CRITICAL,HIGH $(jq -r '.services[].image' ./infrastructure/manifest.json)
+      - trivy image --vuln-type os --no-progress --format table -o container-scanning-report.txt --severity CRITICAL,HIGH $(jq -r '.services[].image' ./infrastructure/manifest.json)
       - cat container-scanning-report.txt
 artifacts:
   files:

diff --git a/docker_test.sh b/docker_test.sh
@@ -7,8 +7,8 @@
 # Author: Ryosuke Tomita
 # Date: 2023/12/06
 ##########################################################################
-#docker rmi react-app:latest -f
+docker rmi react-app:latest -f
 docker build -t react-app:latest . --no-cache
-docker run --rm -p 8080:80 react-app:latest # -p containerport:localport
+docker run -p 80:8080 react-app:latest # -p localport:containerport
 
 # open your browser and go to `localhost:80`.
diff --git a/sca-report.sarif b/sca-report.sarif