GH-16354 remove Snyk and add Trivy

h2oai · Aug 7, 2024 · 2577fe2 · 2577fe2
1 parent 04188e5
commit 2577fe2
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 10 deletions.
diff --git a/docker/prisma/Dockerfile b/docker/prisma/Dockerfile
@@ -1,5 +1,5 @@
 FROM alpine:latest
-RUN apk update && apk upgrade &&  apk add openjdk8 nodejs npm git
+RUN apk update && apk upgrade &&  apk add openjdk8 nodejs npm git curl
 
 ENV DIRECTORIES=".config .npm .cache .local"
 
@@ -8,6 +8,6 @@ RUN for dir in $DIRECTORIES; do \
       chown -R 2117:2117 /$dir; \
     done 
 
-RUN npm install snyk -g
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
 
 CMD ["/bin/bash"]
diff --git a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan
@@ -13,13 +13,11 @@ def setPrismaScanningStages(assemblyType, stageIndex) {
             sh "docker build . -t ${assemblyImage} -f ./docker/prisma/Dockerfile.${assemblyType}jars"
         }
     }
-    stage ("${stageIndex}.B. Scan ${assemblyType} jar using Snyk") {
-        withCredentials([string(credentialsId: 'H2O_3_SNYK_TOKEN_JENKINS_TEXT', variable: 'SNYK_TOKEN')]) {
-            script {
-                sh "./snyk container test ${assemblyImage} --file=./docker/prisma/Dockerfile.${assemblyType}jars --severity-threshold=medium --app-vulns --nested-jars-depth=4 | tee ${assemblyImage}-snyk.out || true"
-            }
-            archiveArtifacts artifacts: "${assemblyImage}-snyk.out"
+    stage ("${stageIndex}.B. Scan ${assemblyType} jar using Trivy") {
+        script {
+            sh "./trivy image --pkg-types library ${assemblyImage} --output ${assemblyImage}-trivy.out"
         }
+        archiveArtifacts artifacts: "${assemblyImage}-trivy.out"
     }
     stage("${stageIndex}.C. Scan ${assemblyType} jar using Prisma") {
         script {
@@ -62,8 +60,9 @@ pipeline {
                     dir("docker/prisma"){
                         dockerImage = docker.build("node-java","-f Dockerfile .")
                     }
-                    sh "curl --compressed https://static.snyk.io/cli/latest/snyk-linux -o snyk"
-                    sh "chmod +x ./snyk"
+                    sh "wget https://github.com/aquasecurity/trivy/releases/download/v0.54.1/trivy_0.54.1_Linux-64bit.tar.gz"
+                    sh "tar -zxvf trivy_0.54.1_Linux-64bit.tar.gz"
+                    sh "chmod +x ./trivy"
                 }
 
             }