From f28afd43424277e821302ba96fa5ea1bf389ebe8 Mon Sep 17 00:00:00 2001
From: Alex-Welsh
Date: Mon, 8 Sep 2025 15:55:06 +0100
Subject: [PATCH 1/2] Add container image scanning script

Added tools/wazuh-scan-images.sh to scan all the container images running on a host. The script will be used in the future to scan images on a schedule using Wazuh.
---
 ...h-scan-images-script-f9eff2f21768f969.yaml | 6 +++
 tools/wazuh-scan-images.sh | 44 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 releasenotes/notes/wazuh-scan-images-script-f9eff2f21768f969.yaml
 create mode 100644 tools/wazuh-scan-images.sh

diff --git a/releasenotes/notes/wazuh-scan-images-script-f9eff2f21768f969.yaml b/releasenotes/notes/wazuh-scan-images-script-f9eff2f21768f969.yaml
new file mode 100644
index 0000000000..8b914309ee
--- /dev/null
+++ b/releasenotes/notes/wazuh-scan-images-script-f9eff2f21768f969.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Added ``wazuh-scan-images.sh``, a script to scan container images for
+ vulnerabilities. In a future release, this script can be integrated into
+ Wazuh for continuous scanning.
diff --git a/tools/wazuh-scan-images.sh b/tools/wazuh-scan-images.sh
new file mode 100644
index 0000000000..b42d66f3c0
--- /dev/null
+++ b/tools/wazuh-scan-images.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# SBOM directory path
+SBOM_DIR="/opt/kayobe/stackhpc/sboms"
+
+# Ensure the SBOM directory exists
+mkdir -p "$SBOM_DIR"
+
+# Ensure the custom output template exists
+cat < "$SBOM_DIR/trivy-custom.tmpl"
+"Package","Version Installed","Vulnerability ID","Severity","Title"
+{{- range \$ri, \$r := . }}
+{{- range \$vi, \$v := .Vulnerabilities }}
+"{{ $v.PkgName }}","{{$v.InstalledVersion }}","{{ $v.VulnerabilityID }}","{{$v.Severity }}","{{$v.Title }}"
+{{- end}}
+{{- end }}
+EOL
+
+# Loop through each container image and process its SBOM
+docker image ls --format "{{.Repository}}:{{.Tag}}" | sort | uniq | while read -r image; do
+ # Generate SBOM filename
+ sbom_file="$SBOM_DIR/$(echo "$image" | tr '/:' '_').sbom"
+
+ # Generate SBOM if missing
+ if [[ ! -f "$sbom_file" ]]; then
+ echo "Generating SBOM for $image"
+ if ! trivy image --quiet --format spdx-json --output "$sbom_file" "$image"; then
+ echo "Failed to generate SBOM for $image. Skipping."
+ continue
+ fi
+ fi
+
+ echo "Scanning SBOM: $sbom_file"
+ # Scan SBOM and prepend image info to each output line
+ trivy sbom \
+ --scanners vuln \
+ --severity CRITICAL,HIGH \
+ --ignore-unfixed \
+ --quiet \
+ --format template \
+ --template "@$SBOM_DIR/trivy-custom.tmpl" \
+ "$sbom_file" | \
+ awk -v img="$image" '{print "Trivy:\"" img "\"," $0}'
+done
From e05d1dfc26aa50d222915516d0cead92e38b007a Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Mon, 22 Sep 2025 09:08:09 +0100
Subject: [PATCH 2/2] wip

---
 tools/wazuh-scan-images.sh | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/tools/wazuh-scan-images.sh b/tools/wazuh-scan-images.sh
index b42d66f3c0..b1a1a28b79 100644
--- a/tools/wazuh-scan-images.sh
+++ b/tools/wazuh-scan-images.sh
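Review bot: The `trivy sbom … | awk …` pipeline at the end of the loop reports awk's exit status, and the script never enables `pipefail`, so a scan that fails or is killed part-way yields an empty but "successful" result, which on a scheduled feed is indistinguishable from a clean image; add `set -o pipefail` after the shebang and wrap the scan as `if ! trivy sbom … | awk …; then echo "Scan failed for $image" >&2; fi`. The progress messages `echo "Generating SBOM for $image"` and `echo "Scanning SBOM: $sbom_file"` also go to stdout, interleaved with the CSV rows a collector would ingest, so they belong on `>&2` (the second patch in this series leaves them on stdout too). As rendered here the `cat` line shows only `<` before the template path; if it is an unquoted `<<EOL` heredoc, the `$v.…` references on the data line are expanded by the shell while the `\$ri`/`\$vi` lines are escaped, which the second patch resolves by quoting the delimiter. Independently of that, `{{$v.Title}}` is written between double quotes with no escaping, so a title containing `"` or a newline breaks the CSV row; escape it in the template or drop the Title column from the machine-read output.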
@@ -7,24 +7,30 @@ SBOM_DIR="/opt/kayobe/stackhpc/sboms"
 mkdir -p "$SBOM_DIR"
 
 # Ensure the custom output template exists
-cat < "$SBOM_DIR/trivy-custom.tmpl"
-"Package","Version Installed","Vulnerability ID","Severity","Title"
-{{- range \$ri, \$r := . }}
-{{- range \$vi, \$v := .Vulnerabilities }}
+if [[ ! -f "$SBOM_DIR/trivy-custom.tmpl" ]]; then
+cat <<'EOL' > "$SBOM_DIR/trivy-custom.tmpl"
+{{- range $ri, $r := . -}}
+{{- range $vi, $v := .Vulnerabilities -}}
 "{{ $v.PkgName }}","{{$v.InstalledVersion }}","{{ $v.VulnerabilityID }}","{{$v.Severity }}","{{$v.Title }}"
-{{- end}}
-{{- end }}
+{{- end -}}
+{{- end -}}
 EOL
+fi
+
+echo "Package","Version Installed","Vulnerability ID","Severity","Title"
 
 # Loop through each container image and process its SBOM
-docker image ls --format "{{.Repository}}:{{.Tag}}" | sort | uniq | while read -r image; do
+docker image ls --format "{{.Repository}}:{{.Tag}}:{{.Image ID}}" | sort | uniq | while read -r image; do
+ # Split image ID
+ image_id=$(echo "$image" | awk -F: '{print $NF}')
+
 # Generate SBOM filename
 sbom_file="$SBOM_DIR/$(echo "$image" | tr '/:' '_').sbom"
 
 # Generate SBOM if missing
 if [[ ! -f "$sbom_file" ]]; then
 echo "Generating SBOM for $image"
- if ! trivy image --quiet --format spdx-json --output "$sbom_file" "$image"; then
+ if ! trivy image --quiet --format spdx-json --output "$sbom_file" "$image_id"; then
 echo "Failed to generate SBOM for $image. Skipping."
 continue
 fi
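Review bot: `{{.Image ID}}` in the new `docker image ls --format` string is not a valid placeholder — Go templates read the space-separated `ID` as a function name and reject the template, so the command fails and the loop body never runs; the image ID field is `{{.ID}}`, i.e. `--format "{{.Repository}}:{{.Tag}}:{{.ID}}"`, after which `image_id=$(echo "$image" | awk -F: '{print $NF}')` still picks the ID out as the last field. The new `if [[ ! -f "$SBOM_DIR/trivy-custom.tmpl" ]]` guard also means a host that already ran the previous version keeps its old template (header row inside, no `-}}` trims), so there the header now echoed before the loop is repeated per image; writing the template is cheap, so drop the guard and rewrite it on every run. Since `$image` now carries the ID, the `Trivy:"img"` prefix and the status messages change shape, which matters if anything downstream is expected to match on `repo:tag` alone. The enclosing `while` loop and the `trivy sbom` call continue past the end of the hunk.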