@@ -0,0 +1,6 @@
---
features:
- |
Added ``wazuh-scan-images.sh``, a script to scan container images for
vulnerabilities. In a future release, this script can be integrated into
Wazuh for continuous scanning.
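Review bot: the note names the script but not what it needs or produces; add that it requires `docker` and `trivy` on the host, stores SBOMs under `/opt/kayobe/stackhpc/sboms`, and prints a CSV of CRITICAL and HIGH findings, since the release note is the only user-facing documentation for this tool.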
50 changes: 50 additions & 0 deletions tools/wazuh-scan-images.sh
@@ -0,0 +1,50 @@
#!/bin/bash

# SBOM directory path
SBOM_DIR="/opt/kayobe/stackhpc/sboms"


medium

The SBOM directory path is hardcoded. This reduces the script's flexibility. It's better to allow this to be configured via an environment variable, with the current path as a default.

Suggested change
SBOM_DIR="/opt/kayobe/stackhpc/sboms"
SBOM_DIR="${SBOM_DIR:-/opt/kayobe/stackhpc/sboms}"


# Ensure the SBOM directory exists
mkdir -p "$SBOM_DIR"

# Ensure the custom output template exists
if [[ ! -f "$SBOM_DIR/trivy-custom.tmpl" ]]; then
cat <<'EOL' > "$SBOM_DIR/trivy-custom.tmpl"
{{- range $ri, $r := . -}}
{{- range $vi, $v := .Vulnerabilities -}}
"{{ $v.PkgName }}","{{$v.InstalledVersion }}","{{ $v.VulnerabilityID }}","{{$v.Severity }}","{{$v.Title }}"
{{- end -}}
{{- end -}}
EOL
fi

echo "Package","Version Installed","Vulnerability ID","Severity","Title"

# Loop through each container image and process its SBOM
docker image ls --format "{{.Repository}}:{{.Tag}}:{{.Image ID}}" | sort | uniq | while read -r image; do
# Split image ID
image_id=$(echo "$image" | awk -F: '{print $NF}')

# Generate SBOM filename
sbom_file="$SBOM_DIR/$(echo "$image" | tr '/:' '_').sbom"

# Generate SBOM if missing
if [[ ! -f "$sbom_file" ]]; then
echo "Generating SBOM for $image"
if ! trivy image --quiet --format spdx-json --output "$sbom_file" "$image_id"; then
echo "Failed to generate SBOM for $image. Skipping."
continue
fi
fi

echo "Scanning SBOM: $sbom_file"
# Scan SBOM and prepend image info to each output line
trivy sbom \
--scanners vuln \
--severity CRITICAL,HIGH \
--ignore-unfixed \
--quiet \
--format template \
--template "@$SBOM_DIR/trivy-custom.tmpl" \
"$sbom_file" | \
awk -v img="$image" '{print "Trivy:\"" img "\"," $0}'
done
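Review bot: the image listing `docker image ls --format "{{.Repository}}:{{.Tag}}:{{.Image ID}}"` uses a placeholder that is not a valid Go template field; the image ID field is `{{.ID}}`, so as written the command errors and the loop body never runs. Two further points in the same hunk: the header `echo "Package","Version Installed","Vulnerability ID","Severity","Title"` has five columns while every data row, after `awk -v img="$image" '{print "Trivy:\"" img "\"," $0}'` prepends the image, has six, so add a leading column name (for example `"Image"`) to the header to keep the CSV consistent; and `--ignore-unfixed` silently drops CRITICAL and HIGH findings that have no fix available yet, which is a blind spot for an operator relying on this output, so consider making it optional (for example via an environment variable, as already suggested for `SBOM_DIR`) and documenting the default. Also worth adding `set -o pipefail` so a failing `trivy sbom` is not masked by the `awk` pipe.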