@gustavomcarmo
Created February 14, 2023 09:16
Docker images vulnerabilities scan with Snyk based on images stored in Sonatype Nexus as private Docker Registry
#!/bin/bash
# Scan Docker images from a private Nexus Docker registry with Snyk, pulling and
# re-scanning an image only when the registry's manifest digest differs from the
# digest of the copy already present on this host.
#
# Usage: ./snyk-scan.sh <snyk-token> <private-docker-registry> <nexus-repo-url>
#   <private-docker-registry>  host[:port] used in image references (docker pull)
#   <nexus-repo-url>           base URL of the Nexus Docker repository (registry v2 API)
# Images to check are read from images.txt, one "name:tag" per line.
# Note: a token passed as an argument is visible in the process list and shell
# history; prefer exporting SNYK_TOKEN in the environment and leaving $1 empty.
log_file="snyk-scan-$(date '+%s%3N').log"
export SNYK_TOKEN="${1:-$SNYK_TOKEN}"
private_docker_registry="$2"
nexus_repo_url="$3"
log() {
    printf '%s - %s\n' "$(date '+%F %T')" "$1"
}
touch "$log_file"
# `|| [ -n "$image" ]` keeps the last line even if images.txt lacks a trailing newline.
while read -r image || [ -n "$image" ]; do
    [ -z "$image" ] && continue
    log "Checking $private_docker_registry/$image"
    # Empty when the image has never been pulled here, which forces a pull below.
    local_digest=$(docker image inspect "$private_docker_registry/$image" 2>/dev/null | jq -r '.[0].RepoDigests[0]' | grep -oP 'sha256:\K\w+')
    log "Local digest: $local_digest"
    image_name="${image%%:*}"
    image_tag="${image##*:}"
    [ "$image_tag" = "$image" ] && image_tag="latest"   # no tag given
    # HEAD the manifest and read the Docker-Content-Digest header. The match must be
    # case-insensitive: Nexus sends "Docker-Content-Digest", which a plain grep misses.
    # `-k` skips TLS certificate verification (self-signed Nexus certificate); prefer
    # `--cacert <nexus-ca.pem>` so the digest cannot be tampered with in transit.
    remote_digest=$(curl -sS -I -k \
        -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
        "$nexus_repo_url/v2/$image_name/manifests/$image_tag" \
        | grep -i docker-content-digest | grep -oP 'sha256:\K\w+')
    log "Remote digest: $remote_digest"
    if [ -z "$remote_digest" ]; then
        # 401/404 or a network failure: do not treat a failed lookup as "image changed".
        log "Could not read remote digest for $image; skipping"
        continue
    fi
    if [ "$local_digest" != "$remote_digest" ]; then
        log "Start pulling $private_docker_registry/$image"
        docker pull "$private_docker_registry/$image"
        docker tag "$private_docker_registry/$image" "$image"
        log "Start scanning $image"
        snyk container monitor "$image"
    fi
done <images.txt >>"$log_file" 2>&1
docker image prune -f   # removes dangling layers left behind by re-pulls
exit 0
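The decision that drives the script is "pull and re-scan only when the registry's Docker-Content-Digest differs from the local RepoDigest". The following is an added example, not code from the gist, that factors that decision into two functions so the header parsing and the comparison can be checked offline. The HTTP HEAD response embedded below is constructed for the example (CRLF line endings as a real registry sends them; the digest value is a placeholder, not a real image), and the function names `digest_from_headers`, `split_image_ref` and `needs_pull` are this example's own. It avoids GNU-only `grep -P` so it also runs on busybox-based CI images.

```bash
#!/bin/sh
# Added example: digest-comparison logic from the Nexus/Snyk scan script, made
# testable offline. Not part of the original gist.

# Constructed sample of a `curl -I` response for GET/HEAD /v2/<name>/manifests/<tag>.
# Header names arrive in mixed case and lines end in CRLF; a case-sensitive
# `grep docker-content-digest` would return nothing for this response.
SAMPLE_HEAD_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: application/vnd.docker.distribution.manifest.v2+json\r\nDocker-Content-Digest: sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\r\nContent-Length: 1234\r\n\r\n')

# Read response headers on stdin, print the bare hex digest (no "sha256:" prefix).
# Prints nothing when the header is absent, e.g. on a 401 or 404 response.
digest_from_headers() {
    tr -d '\r' | awk 'tolower($1) == "docker-content-digest:" { sub(/^sha256:/, "", $2); print $2; exit }'
}

# Split "name:tag" into "name tag"; an untagged reference gets the tag "latest"
# (the original `cut -d: -f2` returned the whole name in that case).
split_image_ref() {
    name="${1%%:*}"
    tag="${1##*:}"
    [ "$tag" = "$1" ] && tag="latest"
    printf '%s %s\n' "$name" "$tag"
}

# needs_pull <local_digest> <remote_digest>
# exit 0: digests differ (or no local copy) -> pull and scan
# exit 1: digests equal                      -> skip
# exit 2: remote digest empty                -> lookup failed, never pull on that basis
needs_pull() {
    [ -z "$2" ] && return 2
    [ "$1" != "$2" ]
}

# Walk the same decision the script makes, against the constructed response.
remote=$(printf '%s\n' "$SAMPLE_HEAD_RESPONSE" | digest_from_headers)
local_copy=""   # simulate an image that has never been pulled on this host
if needs_pull "$local_copy" "$remote"; then
    echo "digest changed ($remote): pull and snyk container monitor"
elif [ $? -eq 2 ]; then
    echo "remote digest unavailable: skipping, not re-pulling"
else
    echo "digest unchanged: skip"
fi
```

Dropping `-k` from the real `curl` call matters for this check: with certificate verification disabled, anyone who can intercept the HEAD request can return an arbitrary digest and either suppress a scan (by echoing the local digest) or force one against whatever `docker pull` then fetches.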