From 0eddda2eafe3ae4f2990809a392a4f1e2be39445 Mon Sep 17 00:00:00 2001 From: Daan Schipper <2778477+daanschipper@users.noreply.github.com> Date: Mon, 17 Jun 2024 15:37:06 +0200 Subject: [PATCH] fix: sync stdout buffer to file The trivy command is completed and as it is the main process the entire container is stopped before the stdout buffer is cleared, resulting in malformed output. Fixes #1792. --- pkg/plugins/trivy/image.go | 131 +++++++++--------- pkg/plugins/trivy/plugin_test.go | 34 ++--- .../fixture/cronjob-expected-scan.yaml | 2 +- .../fixture/daemonset-expected-scan.yaml | 2 +- .../testdata/fixture/job-expected-scan.yaml | 2 +- .../testdata/fixture/pod-expected-scan.yaml | 2 +- .../fixture/replicaset-expected-scan.yaml | 2 +- .../replicationcontroller-expected-scan.yaml | 2 +- .../fixture/statefulset-expected-scan.yaml | 2 +- 9 files changed, 91 insertions(+), 88 deletions(-) diff --git a/pkg/plugins/trivy/image.go b/pkg/plugins/trivy/image.go index ff0f1b028..79fad3664 100644 --- a/pkg/plugins/trivy/image.go +++ b/pkg/plugins/trivy/image.go @@ -561,84 +561,87 @@ func getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, imageRef stri command := []string{ "trivy", } - trivyConfig := ctx.GetTrivyOperatorConfig() - compressLogs := trivyConfig.CompressLogs() - c, err := getConfig(ctx) + trivyOperatorConfig := ctx.GetTrivyOperatorConfig() + trivyConfig, err := getConfig(ctx) + if err != nil { return []string{}, []string{} } - slow := Slow(c) - sbomSources := c.GetSbomSources() - skipJavaDBUpdate := SkipJavaDBUpdate(c) - cacheDir := c.GetImageScanCacheDir() - vulnTypeArgs := vulnTypeFilter(ctx) - scanners := Scanners(c) - var vulnTypeFlag string - if len(vulnTypeArgs) == 2 { - vulnTypeFlag = fmt.Sprintf("%s %s ", vulnTypeArgs[0], vulnTypeArgs[1]) + // Arguments first. + args := []string{ + "image", + imageRef, + } + + // Options in alphabetic order. + cacheDir := trivyConfig.GetImageScanCacheDir() + args = append(args, "--cache-dir", cacheDir) + + args = append(args, "--format", "json") + + imcs := imageConfigSecretScanner(trivyOperatorConfig) + if len(imcs) > 0 { + args = append(args, imcs...) + } + + args = append(args, "--quiet") + + sbomSources := trivyConfig.GetSbomSources() + if len(sbomSources) > 0 { + args = append(args, []string{"--sbom-sources", sbomSources}...) } - imcs := imageConfigSecretScanner(trivyConfig) - var imageconfigSecretScannerFlag string - if len(imcs) == 2 { - imageconfigSecretScannerFlag = fmt.Sprintf("%s %s ", imcs[0], imcs[1]) + + scanners := Scanners(trivyConfig) + args = append(args, scanners, getSecurityChecks(ctx)) + + if len(trivyServerURL) > 0 { + args = append(args, []string{"--server", trivyServerURL}...) } + var skipUpdate string - if c.GetClientServerSkipUpdate() && mode == ClientServer { - skipUpdate = SkipDBUpdate(c) + if trivyConfig.GetClientServerSkipUpdate() && mode == ClientServer { + skipUpdate = SkipDBUpdate(trivyConfig) } else if mode != ClientServer { - skipUpdate = SkipDBUpdate(c) + skipUpdate = SkipDBUpdate(trivyConfig) + } + if len(skipUpdate) > 0 { + args = append(args, skipUpdate) } - if !compressLogs { - args := []string{ - "--cache-dir", - cacheDir, - "--quiet", - "image", - scanners, - getSecurityChecks(ctx), - "--format", - "json", - } - if len(trivyServerURL) > 0 { - args = append(args, []string{"--server", trivyServerURL}...) - } - args = append(args, imageRef) - if len(slow) > 0 { - args = append(args, slow) - } - if len(vulnTypeArgs) > 0 { - args = append(args, vulnTypeArgs...) - } - if len(imcs) > 0 { - args = append(args, imcs...) - } - pkgList := getPkgList(ctx) - if len(pkgList) > 0 { - args = append(args, pkgList) - } - if len(sbomSources) > 0 { - args = append(args, []string{"--sbom-sources", sbomSources}...) - } - if len(skipUpdate) > 0 { - args = append(args, skipUpdate) - } - if len(skipJavaDBUpdate) > 0 { - args = append(args, skipJavaDBUpdate) - } + skipJavaDBUpdate := SkipJavaDBUpdate(trivyConfig) + if len(skipJavaDBUpdate) > 0 { + args = append(args, skipJavaDBUpdate) + } - return command, args + slow := Slow(trivyConfig) + if len(slow) > 0 { + args = append(args, slow) } - var serverUrlParms string - if mode == ClientServer { - serverUrlParms = fmt.Sprintf("--server '%s' ", trivyServerURL) + + vulnTypeArgs := vulnTypeFilter(ctx) + if len(vulnTypeArgs) > 0 { + args = append(args, vulnTypeArgs...) } - var sbomSourcesFlag string - if len(sbomSources) > 0 { - sbomSourcesFlag = fmt.Sprintf(" --sbom-sources %s ", sbomSources) + + pkgList := getPkgList(ctx) + if len(pkgList) > 0 { + args = append(args, pkgList) + } + + // Return early when compressing logs is disabled. + compressLogs := trivyOperatorConfig.CompressLogs() + if !compressLogs { + return command, args } - return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s%s --cache-dir %s --quiet %s --format json %s> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, sbomSourcesFlag, cacheDir, getPkgList(ctx), serverUrlParms, resultFileName, resultFileName)} + + // Add command to args as it is now need to pipe output to compress. + args = append(command, args...) + // Add compress arguments. + // Sync is required to flush buffer to stdout before exiting. + args = append(args, fmt.Sprintf(`> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64 && sync`, resultFileName, resultFileName)) + + return []string{"/bin/sh"}, append([]string{"-c"}, strings.Join(args, " ")) } func GetSbomScanCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, sbomFile string, trivyServerURL string, resultFileName string) ([]string, []string) { diff --git a/pkg/plugins/trivy/plugin_test.go b/pkg/plugins/trivy/plugin_test.go index 8258fbeaf..a2ecd4488 100644 --- a/pkg/plugins/trivy/plugin_test.go +++ b/pkg/plugins/trivy/plugin_test.go @@ -345,7 +345,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -633,7 +633,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { }, Args: []string{ "-c", - "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -921,7 +921,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { }, Args: []string{ "-c", - "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --quiet --security-checks vuln --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -1229,7 +1229,7 @@ CVE-2019-1543`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -1542,7 +1542,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -1834,7 +1834,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'mirror.io/library/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image mirror.io/library/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -2122,7 +2122,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -2354,7 +2354,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -2583,7 +2583,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -2817,7 +2817,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'https://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server https://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -3051,7 +3051,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --quiet --security-checks vuln --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -3305,7 +3305,7 @@ CVE-2019-1543`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -3565,7 +3565,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -3800,7 +3800,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -5416,7 +5416,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow '000000000000.dkr.ecr.eu-west-1.amazonaws.com/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image 000000000000.dkr.ecr.eu-west-1.amazonaws.com/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -5731,7 +5731,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -6048,7 +6048,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'mirror.io/library/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image mirror.io/library/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ diff --git a/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml b/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml index 21991c7ba..c5abe8ff2 100644 --- a/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml @@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'busybox:1.28' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_hello.json && bzip2 -c /tmp/scan/result_hello.json | base64 + - trivy image busybox:1.28 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_hello.json && bzip2 -c /tmp/scan/result_hello.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml b/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml index 694b9ab57..26686445a 100644 --- a/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml @@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'quay.io/fluentd_elasticsearch/fluentd:v2.5.2' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_fluentd-elasticsearch.json && bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64 + - trivy image quay.io/fluentd_elasticsearch/fluentd:v2.5.2 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_fluentd-elasticsearch.json && bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/job-expected-scan.yaml b/tests/envtest/testdata/fixture/job-expected-scan.yaml index beef61500..1d2f7fd94 100644 --- a/tests/envtest/testdata/fixture/job-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/job-expected-scan.yaml @@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'perl:5.34' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_pi.json && bzip2 -c /tmp/scan/result_pi.json | base64 + - trivy image perl:5.34 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_pi.json && bzip2 -c /tmp/scan/result_pi.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/pod-expected-scan.yaml b/tests/envtest/testdata/fixture/pod-expected-scan.yaml index b75434c50..510f2722d 100644 --- a/tests/envtest/testdata/fixture/pod-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/pod-expected-scan.yaml @@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'app-image:app-image-tag' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_app.json && bzip2 -c /tmp/scan/result_app.json | base64 + - trivy image app-image:app-image-tag --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_app.json && bzip2 -c /tmp/scan/result_app.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml b/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml index 9466cadc4..5bbcb8f57 100644 --- a/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml @@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'wordpress:4.9' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_wordpress.json && bzip2 -c /tmp/scan/result_wordpress.json | base64 + - trivy image wordpress:4.9 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_wordpress.json && bzip2 -c /tmp/scan/result_wordpress.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml b/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml index 7830e60e0..bca3ad535 100644 --- a/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml @@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'nginx' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 + - trivy image nginx --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml b/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml index fb56b69eb..8dcf22e88 100644 --- a/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml @@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'k8s.gcr.io/nginx-slim:0.8' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 + - trivy image k8s.gcr.io/nginx-slim:0.8 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync command: - /bin/sh env: