-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathtrivy-diff
executable file
·55 lines (42 loc) · 1.19 KB
/
trivy-diff
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
#!/bin/zsh
if ! command -v trivy &> /dev/null
then
echo "trivy must be installed for this command to work"
exit 1
fi
if ! command -v jq &> /dev/null
then
echo "jq must be installed for this command to work"
exit 2
fi
if ! docker image inspect $1 &> /dev/null
then
echo "Could not find image $1"
exit 3
fi
if ! docker image inspect $2 &> /dev/null
then
echo "Could not find image $2"
exit 4
fi
OLD_OUT=$(trivy -q i -f json $1 &> /dev/null)
if [[ "$?" -ne "0" ]]
then
echo "trivy only supports scanning on tag names - if the diff process failed, please try scanning against a tag"
exit 5
fi
OLD_OUT=$(trivy -q i -f json $1 | jq '.Results[]? | .Vulnerabilities[]? | .VulnerabilityID' | sort | uniq)
NEW_OUT=$(trivy -q i -f json $2 &> /dev/null)
if [[ $? -ne "0" ]]
then
echo "trivy only supports scanning on tag names - if the diff process failed, please try scanning against a tag"
exit 6
fi
NEW_OUT=$(trivy -q i -f json $2 | jq '.Results[]? | .Vulnerabilities[]? | .VulnerabilityID' | sort | uniq)
OLD_OUT=("${(@f)OLD_OUT}")
NEW_OUT=("${(@f)NEW_OUT}")
for new_cve_item in $NEW_OUT
do OLD_OUT=(${OLD_OUT#$new_cve_item})
done
echo "Diff:"
echo "$OLD_OUT"