diff --git a/pkg/plugins/trivy/image.go b/pkg/plugins/trivy/image.go
index 1d7950543..c5dbdd283 100644
--- a/pkg/plugins/trivy/image.go
+++ b/pkg/plugins/trivy/image.go
@@ -585,87 +585,85 @@ func initContainerEnvVar(trivyConfigName string, config Config) []corev1.EnvVar } func getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, imageRef, trivyServerURL, resultFileName string) ([]string, []string) { - command := []string{ - "trivy", - } - trivyConfig := ctx.GetTrivyOperatorConfig() - compressLogs := trivyConfig.CompressLogs() - c, err := getConfig(ctx) + trivyOperatorConfig := ctx.GetTrivyOperatorConfig() + trivyConfig, err := getConfig(ctx) + if err != nil { return []string{}, []string{} } - slow := Slow(c) - sbomSources := c.GetSbomSources() - skipJavaDBUpdate := SkipJavaDBUpdate(c) - cacheDir := c.GetImageScanCacheDir() - vulnTypeArgs := vulnTypeFilter(ctx) - scanners := Scanners(c) - var vulnTypeFlag string - if len(vulnTypeArgs) == 2 { - vulnTypeFlag = fmt.Sprintf("%s %s ", vulnTypeArgs[0], vulnTypeArgs[1]) + // Arguments first. + args := []string{ + "image", + imageRef, } - imcs := imageConfigSecretScanner(trivyConfig) - var imageconfigSecretScannerFlag string - if len(imcs) == 2 { - imageconfigSecretScannerFlag = fmt.Sprintf("%s %s ", imcs[0], imcs[1]) + + // Options in alphabetic order. + cacheDir := trivyConfig.GetImageScanCacheDir() + args = append(args, "--cache-dir", cacheDir, "--format", "json") + + imcs := imageConfigSecretScanner(trivyOperatorConfig) + if len(imcs) > 0 { + args = append(args, imcs...) } + + args = append(args, "--quiet") + + sbomSources := trivyConfig.GetSbomSources() + if sbomSources != "" { + args = append(args, []string{"--sbom-sources", sbomSources}...) + } + + scanners := Scanners(trivyConfig) + args = append(args, scanners, getSecurityChecks(ctx)) + + if trivyServerURL != "" { + args = append(args, []string{"--server", trivyServerURL}...) 
+ } + var skipUpdate string - if c.GetClientServerSkipUpdate() && mode == ClientServer { - skipUpdate = SkipDBUpdate(c) + if trivyConfig.GetClientServerSkipUpdate() && mode == ClientServer { + skipUpdate = SkipDBUpdate(trivyConfig) } else if mode != ClientServer { - skipUpdate = SkipDBUpdate(c) + skipUpdate = SkipDBUpdate(trivyConfig) + } + if skipUpdate != "" { + args = append(args, skipUpdate) } - if !compressLogs { - args := []string{ - "--cache-dir", - cacheDir, - "--quiet", - "image", - scanners, - getSecurityChecks(ctx), - "--format", - "json", - } - if trivyServerURL != "" { - args = append(args, []string{"--server", trivyServerURL}...) - } - args = append(args, imageRef) - if slow != "" { - args = append(args, slow) - } - if len(vulnTypeArgs) > 0 { - args = append(args, vulnTypeArgs...) - } - if len(imcs) > 0 { - args = append(args, imcs...) - } - pkgList := getPkgList(ctx) - if pkgList != "" { - args = append(args, pkgList) - } - if sbomSources != "" { - args = append(args, []string{"--sbom-sources", sbomSources}...) - } - if skipUpdate != "" { - args = append(args, skipUpdate) - } - if skipJavaDBUpdate != "" { - args = append(args, skipJavaDBUpdate) - } + skipJavaDBUpdate := SkipJavaDBUpdate(trivyConfig) + if skipJavaDBUpdate != "" { + args = append(args, skipJavaDBUpdate) + } - return command, args + slow := Slow(trivyConfig) + if slow != "" { + args = append(args, slow) } - var serverUrlParms string - if mode == ClientServer { - serverUrlParms = fmt.Sprintf("--server '%s' ", trivyServerURL) + + vulnTypeArgs := vulnTypeFilter(ctx) + if len(vulnTypeArgs) > 0 { + args = append(args, vulnTypeArgs...) } - var sbomSourcesFlag string - if sbomSources != "" { - sbomSourcesFlag = fmt.Sprintf(" --sbom-sources %s ", sbomSources) + + pkgList := getPkgList(ctx) + if pkgList != "" { + args = append(args, pkgList) + } + + // Return early when compressing logs is disabled. 
+ compressLogs := trivyOperatorConfig.CompressLogs() + if !compressLogs { + return []string{"trivy"}, args } - return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s%s --cache-dir %s --quiet %s --format json %s> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, sbomSourcesFlag, cacheDir, getPkgList(ctx), serverUrlParms, resultFileName, resultFileName)} + + // Add command to args as it is now need to pipe output to compress. + args = append([]string{"trivy"}, args...) + // Add compress arguments. + // Sync is required to flush buffer to stdout before exiting. + args = append(args, fmt.Sprintf(`> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64 && sync`, resultFileName, resultFileName)) + + return []string{"/bin/sh"}, append([]string{"-c"}, strings.Join(args, " ")) } func GetSbomScanCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, sbomFile, trivyServerURL, resultFileName string) ([]string, []string) { @@ -720,7 +718,7 @@ func GetSbomScanCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, sbomF if mode == ClientServer { serverUrlParms = fmt.Sprintf("--server '%s' ", trivyServerURL) } - return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy sbom %s %s %s %s --cache-dir /tmp/trivy/.cache --quiet --format json %s> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, sbomFile, vulnTypeFlag, skipUpdate, serverUrlParms, resultFileName, resultFileName)} + return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy sbom %s %s %s %s --cache-dir /tmp/trivy/.cache --quiet --format json %s> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64 && sync`, slow, sbomFile, vulnTypeFlag, skipUpdate, serverUrlParms, resultFileName, resultFileName)} } func vulnTypeFilter(ctx trivyoperator.PluginContext) []string { 
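Review bot: The compressed-logs branch at the end of getCommandAndArgs joins `args` with `strings.Join(args, " ")` and hands the result to `/bin/sh -c`, so imageRef, trivyServerURL, sbomSources, cacheDir and resultFileName now reach the shell unquoted; the removed Sprintf at least single-quoted imageRef and the server URL. If any of these can carry whitespace or shell metacharacters (the image reference appears to come from the scanned workload's spec, and this hunk shows no validation of it), the scan job's shell would interpret them instead of passing them to trivy. I would quote each element, escaping embedded single quotes, before joining, and leave only the redirect and pipe fragment for the shell; because the non-compressed branch already passes the same slice as argv, per-element quoting keeps the two branches equivalent. The expected strings in plugin_test.go and the envtest fixtures would change accordingly, and GetSbomScanCommandAndArgs in the next hunk builds its command from sbomFile and resultFileName in the same unquoted way.

```go
// shellQuote wraps s in single quotes for /bin/sh and escapes any single
// quote inside it, so the shell passes s through as one literal word.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// … unchanged: args assembled from config, early return when logs are not compressed …

	// Every element is data for trivy; only the redirect/pipe tail below is
	// meant to be interpreted by the shell.
	words := make([]string, 0, len(args)+1)
	words = append(words, "trivy")
	for _, a := range args {
		words = append(words, shellQuote(a))
	}
	out := shellQuote("/tmp/scan/" + resultFileName)
	script := fmt.Sprintf("%s > %s && bzip2 -c %s | base64 && sync", strings.Join(words, " "), out, out)

	return []string{"/bin/sh"}, []string{"-c", script}
```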
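Review bot: The `&& sync` appended to the Sprintf in GetSbomScanCommandAndArgs carries no explanation at this site, and the rationale given in getCommandAndArgs ("flush buffer to stdout") does not match what sync does, which is to write cached filesystem data to storage rather than to flush a process's stdout. I would add a comment above the return that records the symptom actually observed, for example `// NOTE: "&& sync" works around <observed symptom, link to issue>; sync flushes filesystem caches, not stdout.`, and correct the wording of the comment in getCommandAndArgs to match. The body of GetSbomScanCommandAndArgs starts outside this hunk.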
diff --git a/pkg/plugins/trivy/image_test.go b/pkg/plugins/trivy/image_test.go index 856cf1ad5..5d73b2e07 100644 --- a/pkg/plugins/trivy/image_test.go +++ b/pkg/plugins/trivy/image_test.go @@ -79,7 +79,7 @@ func TestGetSbomScanCommandAndArgs(t *testing.T) { serverUrl: "", resultFileName: "output.json", compressedLogs: "true", - wantArgs: []string{"-c", "trivy sbom --slow /tmp/scan/bom.json --skip-db-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/output.json && bzip2 -c /tmp/scan/output.json | base64"}, + wantArgs: []string{"-c", "trivy sbom --slow /tmp/scan/bom.json --skip-db-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/output.json && bzip2 -c /tmp/scan/output.json | base64 && sync"}, wantCmd: []string{"/bin/sh"}, }, { @@ -99,7 +99,7 @@ func TestGetSbomScanCommandAndArgs(t *testing.T) { serverUrl: "http://trivy-server:8080", resultFileName: "output.json", compressedLogs: "true", - wantArgs: []string{"-c", "trivy sbom --slow /tmp/scan/bom.json --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy-server:8080' > /tmp/scan/output.json && bzip2 -c /tmp/scan/output.json | base64"}, + wantArgs: []string{"-c", "trivy sbom --slow /tmp/scan/bom.json --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy-server:8080' > /tmp/scan/output.json && bzip2 -c /tmp/scan/output.json | base64 && sync"}, wantCmd: []string{"/bin/sh"}, }, { diff --git a/pkg/plugins/trivy/plugin_test.go b/pkg/plugins/trivy/plugin_test.go index 7cad4633c..ad0b8a719 100644 --- a/pkg/plugins/trivy/plugin_test.go +++ b/pkg/plugins/trivy/plugin_test.go 
@@ -342,7 +342,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -630,7 +630,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { }, Args: []string{ "-c", - "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
@@ -918,7 +918,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { }, Args: []string{ "-c", - "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --quiet --security-checks vuln --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -1226,7 +1226,7 @@ CVE-2019-1543`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -1539,7 +1539,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
@@ -1831,7 +1831,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'mirror.io/library/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image mirror.io/library/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -2119,7 +2119,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -2351,7 +2351,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
@@ -2580,7 +2580,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -2814,7 +2814,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'https://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server https://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
@@ -3048,7 +3048,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --quiet --security-checks vuln --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -3302,7 +3302,7 @@ CVE-2019-1543`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -3562,7 +3562,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
@@ -3797,7 +3797,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -5413,7 +5413,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow '000000000000.dkr.ecr.eu-west-1.amazonaws.com/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image 000000000000.dkr.ecr.eu-west-1.amazonaws.com/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
@@ -5728,7 +5728,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -6045,7 +6045,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'mirror.io/library/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image mirror.io/library/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ diff --git a/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml b/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml index 54b800441..db897baf5 100644 --- a/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml 
@@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'busybox:1.28' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_hello.json && bzip2 -c /tmp/scan/result_hello.json | base64 + - trivy image busybox:1.28 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_hello.json && bzip2 -c /tmp/scan/result_hello.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml b/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml index 944149ff1..58d71f0c9 100644 --- a/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml @@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'quay.io/fluentd_elasticsearch/fluentd:v2.5.2' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_fluentd-elasticsearch.json && bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64 + - trivy image quay.io/fluentd_elasticsearch/fluentd:v2.5.2 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_fluentd-elasticsearch.json && bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/job-expected-scan.yaml b/tests/envtest/testdata/fixture/job-expected-scan.yaml index 8f7f0aa96..70ae55199 100644 --- a/tests/envtest/testdata/fixture/job-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/job-expected-scan.yaml 
@@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'perl:5.34' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_pi.json && bzip2 -c /tmp/scan/result_pi.json | base64 + - trivy image perl:5.34 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_pi.json && bzip2 -c /tmp/scan/result_pi.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/pod-expected-scan.yaml b/tests/envtest/testdata/fixture/pod-expected-scan.yaml index f19ff835a..4b9a1f181 100644 --- a/tests/envtest/testdata/fixture/pod-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/pod-expected-scan.yaml @@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'app-image:app-image-tag' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_app.json && bzip2 -c /tmp/scan/result_app.json | base64 + - trivy image app-image:app-image-tag --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_app.json && bzip2 -c /tmp/scan/result_app.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml b/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml index ef948cdf4..3d58cf276 100644 --- a/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml 
@@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'wordpress:4.9' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_wordpress.json && bzip2 -c /tmp/scan/result_wordpress.json | base64 + - trivy image wordpress:4.9 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_wordpress.json && bzip2 -c /tmp/scan/result_wordpress.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml b/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml index 3b0f023c2..561a82dfd 100644 --- a/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml @@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'nginx' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 + - trivy image nginx --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml b/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml index e1ff6d098..236e80321 100644 --- a/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml 
@@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'k8s.gcr.io/nginx-slim:0.8' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 + - trivy image k8s.gcr.io/nginx-slim:0.8 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync command: - /bin/sh env: