From 41910c85d1e3add023849f31b3d594de9cede625 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dirk=20M=C3=BCller?=
Date: Tue, 15 Aug 2023 15:06:38 +0200
Subject: [PATCH] Scan images using trivy
---
 tests/test_all.py | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/tests/test_all.py b/tests/test_all.py
index e450970f..9a5285c8 100644
--- a/tests/test_all.py
+++ b/tests/test_all.py
@@ -11,6 +11,7 @@ from pytest_container import get_extra_run_args
 from pytest_container import MultiStageBuild
 from pytest_container.container import ContainerData
+from pytest_container.runtime import LOCALHOST
 from bci_tester.data import ALL_CONTAINERS
 from bci_tester.data import BUSYBOX_CONTAINER
@@ -20,6 +21,7 @@ from bci_tester.data import OS_VERSION
 from bci_tester.data import PCP_CONTAINER
 from bci_tester.data import POSTGRESQL_CONTAINERS
+from bci_tester.runtime_choice import DOCKER_SELECTED
 CONTAINER_IMAGES = ALL_CONTAINERS
@@ -170,6 +172,33 @@ def test_zypper_verify_passes(container_per_test: ContainerData) -> None:
     )
+@pytest.mark.skipif(
+    DOCKER_SELECTED, reason="Trivy-Scan images only with podman"
+)
+@pytest.mark.skipif(
+    LOCALHOST.system_info.arch not in ("x86_64",),
+    reason=f"{LOCALHOST.system_info.arch} is not supported to run trivy",
+)
+def test_trivy_image_scan(host, auto_container: ContainerData) -> None:
+    """Check that trivy image is able to scan the container."""
+
+    trivy_container = "docker.io/aquasec/trivy:latest"
+    baseurl = auto_container.container.baseurl
+    if not baseurl:
+        pytest.skip(
+            reason=f"container {auto_container.container} has no baseurl"
+        )
+
+    host.run_expect(
+        [0],
+        (
+            f"podman run -v trivy:/root {trivy_container} image {baseurl} "
+            "--exit-code 1 --exit-on-eol 2 -f template "
+            "--template '@contrib/sarif.tpl'"
+        ),
+    )
+
+
 @pytest.mark.parametrize(
+    "container",
+    [
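Review bot: The scanner image on `trivy_container = "docker.io/aquasec/trivy:latest"` in the third hunk is a mutable tag pulled from a public registry at test time, so the tool that gates this test has no pinned, verifiable identity and a run cannot be reproduced once the tag moves; pin it by digest, e.g. `trivy_container = "docker.io/aquasec/trivy@sha256:<DIGEST-PLACEHOLDER>"`, and advance it deliberately. The docstring understates what is asserted: with `--exit-code 1 --exit-on-eol 2` the test fails on any reported vulnerability of any severity and on an end-of-life OS, not merely when trivy cannot scan, so it should read `"""Fail if trivy reports any vulnerability or an EOL OS in the published image."""`, or the command should be narrowed with `--severity`/`--ignore-unfixed` if a gate that strict is not intended. `baseurl` is interpolated straight into a shell string handed to `host.run_expect`; it presumably comes from the project's own container data, but `shlex.quote(baseurl)` (stdlib `shlex`) is a cheap guard against a registry URL or tag carrying shell metacharacters. The SARIF requested via `-f template --template '@contrib/sarif.tpl'` goes to stdout and is never captured, so the template option buys nothing unless the report is written with `-o` and kept as an artifact.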