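#!/bin/bash
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
#
# Run a NeuVector on-demand image scan in the neuvector/scanner container,
# summarise the resulting report and gate on it.
#
# usage:
# scan.sh <1:repo> <2:tag> <3:workingdir> <4:nvuser> <5:nvpass> <6:nvcontroller>
# example:
# scan.sh localhost:5000/demo-app 9d911191 ./ scanner P@ssw0rd neuvector.example.com
#
# Exit status:
#   0  scan ran and no High-severity findings were reported (PASSED)
#   1  High-severity findings present, or the report is missing/unparseable
#   2  usage error (wrong argument count, working dir not found)
#   other: the scanner container's own non-zero exit status
#
# The controller password is hand-delivered to docker through the
# environment (`-e NAME` with no value) rather than as an argv
# `-e NAME=value` pair, so it is not exposed a second time in the docker
# client's command line (`ps`, `set -x`). It is still visible in this
# script's own argv because the documented interface takes it as $5.

set -u -o pipefail

die() {
  printf '%s\n' "$*" >&2
  exit 2
}

usage() {
  die "usage: ${0##*/} <repo> <tag> <workingdir> <nvuser> <nvpass> <nvcontroller>"
}

#######################################
# Count findings of one severity in a scan report.
# Arguments: $1 - path to scan_result.json, $2 - severity label (e.g. High)
# Outputs:   the count on stdout
# Returns:   jq's exit status (non-zero if the report cannot be parsed)
#######################################
count_severity() {
  local report=$1 severity=$2
  # `[]?` yields nothing instead of failing when .vulnerabilities is null.
  jq -r --arg sev "$severity" \
    '[.report.vulnerabilities[]? | select(.severity == $sev)] | length' \
    < "$report"
}

#######################################
# Print the vulnerability summary for a report and apply the gate policy.
# Arguments: $1 - path to scan_result.json
# Outputs:   summary lines and PASSED/FAILED on stdout
# Returns:   0 when no High findings, 1 when High findings exist or the
#            report cannot be parsed
#######################################
evaluate_report() {
  local report=$1
  local total high medium low

  # Declaration and assignment are split so a jq failure is not masked.
  total=$(jq -r '.report.vulnerabilities | length' < "$report") || return 1
  high=$(count_severity "$report" High) || return 1
  medium=$(count_severity "$report" Medium) || return 1
  low=$(count_severity "$report" Low) || return 1

  printf 'Total number of vulnerabilities: %s\n' "$total"
  printf 'Severity HIGH: %s\n' "$high"
  printf 'Severity MEDIUM: %s\n' "$medium"
  printf 'Severity LOW: %s\n' "$low"
  echo "Affected packages:"
  jq '[(.report.vulnerabilities // []) | group_by(.package_name) | .[] | {package_name: .[0].package_name, vuln_name: [.[].name]}]' \
    < "$report"

  # Gate policy (unchanged from the original script): only High findings
  # fail the run; Medium and Low are reported but do not block.
  if (( high > 0 )); then
    echo FAILED
    return 1
  fi
  echo PASSED
  return 0
}

main() {
  (( $# == 6 )) || usage
  local repo=$1 tag=$2 nvuser=$4 nvpass=$5 nvctrl=$6
  local workdir report rc=0

  # Resolve the working dir to an absolute path: it is bind-mounted into the
  # container and is also where the report is read back from.
  workdir=$(cd -- "$3" && pwd -P) || die "working dir not found: $3"
  # The scanner writes into /var/neuvector, which is mounted from workdir, so
  # the report lives under workdir rather than the caller's cwd.
  report="$workdir/scan_result.json"

  # Drop any report left by a previous run so a scanner that exits 0 without
  # writing a new one cannot be mistaken for a clean result.
  rm -f -- "$report"

  SCANNER_CTRL_API_PASSWORD="$nvpass" \
  docker run --name neuvector.scanner --rm \
    -e "SCANNER_REPOSITORY=$repo" \
    -e "SCANNER_TAG=$tag" \
    -e SCANNER_ON_DEMAND=true \
    -e SCANNER_SCAN_LAYERS=true \
    -e "SCANNER_CTRL_API_USERNAME=$nvuser" \
    -e SCANNER_CTRL_API_PASSWORD \
    -e "CLUSTER_JOIN_ADDR=$nvctrl" \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v "$workdir:/var/neuvector" \
    neuvector/scanner
  rc=$?

  if (( rc != 0 )); then
    echo "SCAN FAILED"
  elif [[ ! -r "$report" ]]; then
    printf 'SCAN FAILED: report %s was not produced\n' "$report"
    rc=1
  elif evaluate_report "$report"; then
    rc=0
  else
    rc=1
  fi

  echo "return code: $rc"
  exit "$rc"
}

main "$@"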