Vulnerability scanning of docker image registered in AWS ECR with FutureVuls
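#!/bin/bash
# Pull the newest tagged image of every (non-ignored) ECR repository, keep it
# running idle, scan it with the FutureVuls agent (./vuls-saas.sh), then stop
# the containers and prune older local images.
#
# Needs: AWS credentials able to read the registry, the aws CLI, jq, docker,
# and ./vuls-saas.sh next to this script.

# Registry host. The XXXXXXXXX placeholder must be replaced with the AWS
# account ID before the script can log in or pull anything.
readonly BASE_URL="XXXXXXXXX.dkr.ecr.ap-northeast-1.amazonaws.com"
# Comma-separated list of extended-regex patterns; repositories matching any
# of them are not scanned.
readonly IGNORE="dev-,stg-"
# Prefix of the container names created for scanning ("<SUFFIX>-<repo>").
readonly SUFFIX="image"
export AWS_DEFAULT_REGION="ap-northeast-1"
# The functions below parse the CLI output with jq, so JSON is mandatory.
export AWS_DEFAULT_OUTPUT="json"
##########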
# Log a message to syslog (and, via -s, to stderr) under the user facility.
# $1 - syslog level (notice, err, ...)
# $2 - message text
progress() {
  local level="$1"
  local message="$2"
  logger -i -s -p "user.${level}" "${message}"
}
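# Print the names of all ECR repositories in the default region, sorted, one
# per line, minus those matching any pattern in IGNORE.
# Globals: IGNORE (read) - comma-separated extended-regex patterns.
# Outputs: repository names on stdout.
#
# An empty IGNORE (or one consisting only of commas) now means "filter
# nothing"; previously it produced `egrep -v ""`, which discarded every
# repository and silently scanned nothing.
get_repolist() {
  local -a parts=()
  local part pattern=""
  IFS=',' read -r -a parts <<< "${IGNORE}"
  for part in "${parts[@]}"; do
    # "dev-,,stg-" must not yield an empty alternative, which matches anything
    [[ -n "${part}" ]] || continue
    pattern="${pattern:+${pattern}|}${part}"
  done
  local -a filter=(cat)
  if [[ -n "${pattern}" ]]; then
    filter=(grep -E -v -- "${pattern}")
  fi
  aws ecr describe-repositories \
    | jq -r '.repositories[].repositoryName' \
    | sort \
    | "${filter[@]}"
}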
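# For every repository from get_repolist, emit "pushedAt,repository,tag[,tag...]"
# for its most recently pushed tagged image. Records are space-separated on one
# line. A repository with no tagged images contributes nothing; a failing
# describe-images call is logged and the repository is skipped, instead of
# being dropped silently as before.
# Outputs: CSV records on stdout.
get_latest_tag() {
  local -a taglist=()
  local repository_name newest
  for repository_name in $(get_repolist); do
    # One CSV line per tagged image, push timestamp first so the textual sort
    # leaves the newest image on the last line. pipefail is set inside the
    # substitution so an aws/jq failure is not masked by `tail` succeeding.
    # NOTE: the record names a mutable tag, not a digest; it identifies what
    # the tag pointed at when this ran.
    if ! newest=$(
        set -o pipefail
        aws ecr describe-images \
          --repository-name "${repository_name}" \
          --filter '{"tagStatus": "TAGGED"}' \
          | jq -r '.imageDetails[] | [.imagePushedAt, .repositoryName, .imageTags[]] | @csv' \
          | sort | sed 's/"//g' | tail -1
      ); then
      progress err "fail describe-images [${repository_name}]"
      continue
    fi
    [[ -n "${newest}" ]] && taglist+=("${newest}")
  done
  echo "${taglist[@]}"
}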
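# Authenticate the local docker daemon against the registry in BASE_URL.
# The token is fed to `docker login --password-stdin` instead of executing the
# `docker login -p <token> ...` command line that `aws ecr get-login` used to
# print: that put the registry token on a process argv (visible in `ps` and
# shell traces), and get-login no longer exists in AWS CLI v2.
# Globals: AWS_DEFAULT_REGION, BASE_URL (read).
# Exits with status 1 on failure (the old bare `exit` returned 0).
login_ecr() {
  progress notice "login ecr"
  local token
  if ! token=$(aws ecr get-login-password --region "${AWS_DEFAULT_REGION}"); then
    progress err "fail login ECR"
    exit 1
  fi
  if ! printf '%s' "${token}" | docker login --username AWS --password-stdin "${BASE_URL}"; then
    progress err "fail login ECR"
    exit 1
  fi
}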
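# Pull the newest tagged image of every repository and start it as an idle
# container named "<SUFFIX>-<repository>" for the scanner to exec into.
# The image's own entrypoint is never run: the container executes
# `tail -f /dev/null` with all capabilities dropped and no-new-privileges set,
# since the image under scan is precisely the thing not yet trusted.
# Globals: BASE_URL, SUFFIX (read).
# Exits with status 1 on the first failed pull or run (the old bare `exit`
# returned 0); containers started before that point are left running.
start_container() {
  login_ecr
  progress notice "docker pull & docker run"
  local record repository_name image_tag image
  for record in $(get_latest_tag); do
    # record is "pushedAt,repository,tag[,tag...]"; only the first tag is used
    IFS=',' read -r _ repository_name image_tag _ <<< "${record}"
    image="${BASE_URL}/${repository_name}:${image_tag}"
    progress notice "docker pull [${repository_name}: ${image_tag}]"
    if ! docker pull "${image}"; then
      progress err "fail docker pull"
      exit 1
    fi
    # --network=none is not added here only because the scanner's needs inside
    # the container are not known from this script; add it if ./vuls-saas.sh
    # works without network access in the scanned container.
    if ! docker run --detach --rm \
        --name "${SUFFIX}-${repository_name}" \
        --entrypoint="" \
        --cap-drop=ALL --security-opt=no-new-privileges \
        "${image}" tail -f /dev/null; then
      progress err "fail docker run"
      exit 1
    fi
  done
}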
# Run the FutureVuls agent script from the current directory. A failing scan
# is only logged, not fatal, so the container cleanup that follows still runs.
vuls_scan() {
  progress notice "start vuls scan"
  ./vuls-saas.sh || progress err "fail vuls scan"
}
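# Kill (and, because they were started with --rm, remove) every container
# whose name starts with "<SUFFIX>-". Having nothing to stop is not an error;
# previously `docker kill` was invoked with no arguments in that case.
# Globals: SUFFIX (read).
stop_container() {
  progress notice "stop container"
  local name
  local -a targets=()
  # docker's name filter is a substring match, so re-check the prefix here
  # rather than killing any container that merely contains "<SUFFIX>-"
  while IFS= read -r name; do
    [[ "${name}" == "${SUFFIX}-"* ]] && targets+=("${name}")
  done < <(docker ps --format '{{.Names}}' -f "name=${SUFFIX}-")
  if (( ${#targets[@]} == 0 )); then
    progress notice "no container to stop"
    return 0
  fi
  docker kill "${targets[@]}" || progress err "fail stop container"
}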
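# For every repository with more than one local image entry, remove all but
# the most recently created one so repeated pulls do not fill the disk.
# Repository names come from `docker images --format` and the per-repository
# listing uses `docker images <repo>`, an exact match; the old `grep $line`
# was a substring match and could remove another repository's newest image
# (e.g. "api" also matching "my-api"). An older entry that is the same image
# ID as the newest one (one image, several tags) is kept, since `rmi -f <id>`
# would otherwise delete the image just pulled.
delete_image() {
  progress notice "delete old container images"
  local repository newest id
  local -a ids old_ids
  while IFS= read -r repository; do
    # dangling images are listed under "<none>", which is not a usable
    # repository reference; they are left for `docker image prune`
    [[ "${repository}" == "<none>" ]] && continue
    # docker lists newest first
    mapfile -t ids < <(docker images --format '{{.ID}}' "${repository}")
    (( ${#ids[@]} > 1 )) || continue
    newest="${ids[0]}"
    old_ids=()
    for id in "${ids[@]:1}"; do
      [[ "${id}" == "${newest}" ]] || old_ids+=("${id}")
    done
    (( ${#old_ids[@]} > 0 )) || continue
    docker rmi -f "${old_ids[@]}" || progress err "fail delete image [${repository}]"
  done < <(docker images --format '{{.Repository}}' | sort | uniq -d)
}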
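##### MAIN
# Run from the script's directory so ./vuls-saas.sh resolves.
cd "$(dirname "$0")" || { progress err "fail cd to script dir"; exit 1; }
# start_container exits as soon as a pull or run fails; the trap makes sure the
# containers it had already started are not left running in that case.
trap stop_container EXIT
start_container
vuls_scan
trap - EXIT
stop_container
delete_image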