@rafaeltuelho
Created July 14, 2025 14:56
Tekton Task to use the Trivy image scan tool, exporting results in Red Hat ACS format
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: trivy-image-scan
  annotations:
    # Red Hat ACS / OpenShift Pipelines result annotations: the per-severity
    # summary is read from the logs of the "report" step's container (step-report).
    task.results.format: application/json
    task.results.type: roxctl-image-scan
    task.results.key: SCAN_OUTPUT
    task.output.location: logs
    task.results.container: step-report
    tekton.dev/pipelines.minVersion: "0.12.1"
    tekton.dev/categories: Security
    tekton.dev/tags: CLI, trivy
    tekton.dev/displayName: "trivy scanner"
    tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"
spec:
  description: >-
    Trivy is a simple and comprehensive scanner for vulnerabilities in
    container images, file systems, and Git repositories, as well as for
    configuration issues. This task can be used to scan for vulnerabilities
    on the source code in stand-alone mode.
  workspaces:
    - name: manifest-dir
    - name: reports
  params:
    - name: ARGS
      description: >-
        The arguments to be passed to the Trivy command, e.g.
        ["image", "--format", "json"]. JSON output is required because the
        export-vulnerabilities step parses it with jq.
      type: array
    - name: TRIVY_IMAGE
      # Pinned by digest so the scanner itself cannot be swapped underneath the pipeline.
      default: docker.io/aquasec/trivy@sha256:944a044451791617cc0ed2ee4d1942a4f66b790d527fcd0575a6b399ccbc05a1 # 0.43.1
      description: Trivy scanner image to be used
    - name: IMAGE_PATH
      description: Image or path to be scanned by Trivy.
      type: string
    - name: AIR_GAPPED_ENABLED
      default: "false"
      description: A flag enabling air-gapped mode
      type: string
  results:
    - description: Output of `trivy image`, summarised per severity in roxctl-image-scan format
      name: SCAN_OUTPUT
  steps:
    - name: trivy-scan
      image: $(params.TRIVY_IMAGE)
      workingDir: $(workspaces.manifest-dir.path)
      script: |
        #!/usr/bin/env sh
        # "$*" holds the ARGS array, which Tekton passes as the step's positional arguments.
        cmd="trivy $* "
        if [ "$(params.AIR_GAPPED_ENABLED)" = "true" ]; then
          echo "Air-Gapped mode enabled"
          # Fetch the vulnerability DB once, unpack it into Trivy's cache dir,
          # then tell Trivy not to contact the network for updates.
          TRIVY_TEMP_DIR=$(mktemp -d)
          trivy --cache-dir "$TRIVY_TEMP_DIR" image --download-db-only
          tar -cf ./db.tar.gz -C "$TRIVY_TEMP_DIR/db" metadata.json trivy.db
          rm -rf "$TRIVY_TEMP_DIR"
          mkdir -p "$HOME"/.cache/trivy/db
          tar xvf ./db.tar.gz -C "$HOME"/.cache/trivy/db
          cmd="${cmd}--skip-update "
        fi
        # The raw Trivy report goes to the shared reports workspace. Note that the
        # command line is built from task params and run through eval, so IMAGE_PATH
        # and ARGS must only come from trusted pipeline inputs.
        cmd="${cmd}$(params.IMAGE_PATH) > $(workspaces.reports.path)/image-scan"
        echo "Running trivy task with command below"
        echo "$cmd"
        eval "$cmd"
      args:
        - "$(params.ARGS)"
    - name: export-vulnerabilities
      # Any image that ships jq will do; this one is a third-party tag, not digest-pinned.
      image: 'quay.io/lrangine/crda-maven:11.0'
      script: |
        #!/bin/sh
        # Count Trivy findings per severity and emit the roxctl-image-scan summary.
        # Trivy's JSON schema is .Results[].Vulnerabilities[].Severity; the "[]?"
        # forms tolerate a null Results list and targets without any findings.
        jq -rce '{vulnerabilities: {
          critical: ([.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length),
          high:     ([.Results[]?.Vulnerabilities[]? | select(.Severity == "HIGH")]     | length),
          medium:   ([.Results[]?.Vulnerabilities[]? | select(.Severity == "MEDIUM")]   | length),
          low:      ([.Results[]?.Vulnerabilities[]? | select(.Severity == "LOW")]      | length)
        }}' "$(workspaces.reports.path)/image-scan" | tee "$(results.SCAN_OUTPUT.path)"
    - name: report
      image: 'quay.io/lrangine/crda-maven:11.0'
      script: |
        #!/bin/sh
        # The annotations above point the ACS integration at this step's logs, so print
        # only the summary here; the full Trivy report stays in the reports workspace.
        cat "$(results.SCAN_OUTPUT.path)"
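The conversion the export-vulnerabilities step does with jq, as an added stand-alone Python example (not code from the gist): it reads Trivy's `--format json` output, counts findings per severity into the roxctl-image-scan summary the ACS annotations expect, and applies the kind of severity gate a pipeline would place after this task. The Trivy report, its CVE ids and the registry name are constructed sample data.

```python
import json

# Constructed sample of Trivy's `--format json` output, abridged to the fields the
# export-vulnerabilities step reads. Trivy omits "Vulnerabilities" for clean targets.
SAMPLE_TRIVY_JSON = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.com/app:1.0",
    "Results": [
        {"Target": "app:1.0 (alpine 3.18.0)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib-dev", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox", "Severity": "UNKNOWN"},
         ]},
        {"Target": "Node.js", "Class": "lang-pkgs"},  # clean target, no "Vulnerabilities" key
    ],
})

# Trivy severity -> key in the roxctl-image-scan summary; UNKNOWN has no slot there.
ACS_KEYS = {"CRITICAL": "critical", "HIGH": "high", "MEDIUM": "medium", "LOW": "low"}


def to_acs_summary(trivy_json: str) -> dict:
    """Same counting as the task's jq filter: one count per finding, per severity."""
    counts = {key: 0 for key in ACS_KEYS.values()}
    report = json.loads(trivy_json)
    for result in report.get("Results") or []:            # "Results" may be null
        for vuln in result.get("Vulnerabilities") or []:  # key absent when clean
            key = ACS_KEYS.get(vuln.get("Severity", "UNKNOWN"))
            if key is not None:
                counts[key] += 1
    return {"vulnerabilities": counts}


def severity_gate(summary: dict, max_critical: int = 0, max_high: int = 0) -> list:
    """Policy check a pipeline would run on SCAN_OUTPUT; returns the violations."""
    counts = summary["vulnerabilities"]
    limits = {"critical": max_critical, "high": max_high}
    return [f"{sev}: {counts[sev]} > {limit}"
            for sev, limit in limits.items() if counts[sev] > limit]


if __name__ == "__main__":
    summary = to_acs_summary(SAMPLE_TRIVY_JSON)
    # This line is what `tee $(results.SCAN_OUTPUT.path)` records in the task.
    print(json.dumps(summary, separators=(",", ":")))
    for violation in severity_gate(summary):
        print("gate failed:", violation)
```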