argo-cd/hack/snyk-container-tests.sh

27 lines
688 B
Bash
Raw Normal View History

chore: add Snyk scans to docs (#9856) * chore: generate Snyk reports Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> dashboard Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> cron job Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> more consistent formatting Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> clarification Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif files Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> fix naming, fix doc get text Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> blarn Signed-off-by: CI <michael@crenshaw.dev> ignore errors due to vulns Signed-off-by: CI <michael@crenshaw.dev> specify target branch in script Signed-off-by: CI <michael@crenshaw.dev> don't checkout before running script Signed-off-by: CI <michael@crenshaw.dev> make sure dest dir exists Signed-off-by: CI <michael@crenshaw.dev> fix workflow Signed-off-by: CI <michael@crenshaw.dev> * update scans Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * use latest ignore rules Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports, add link to latest, push to master instead of stable Signed-off-by: CI <michael@crenshaw.dev> * fix for double-digit patch versions Signed-off-by: CI <michael@crenshaw.dev> * clean up testing changes Signed-off-by: CI <michael@crenshaw.dev>
2022-07-27 21:15:00 +00:00
#!/usr/bin/env bash
set -e
set -o pipefail
images=$(grep 'image: ' manifests/install.yaml manifests/namespace-install.yaml manifests/ha/install.yaml | sed 's/.*image: //' | sort | uniq)
failed=false
while IFS= read -r image; do
extra_args=()
chore: add Snyk scans to docs (#9856) * chore: generate Snyk reports Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> dashboard Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> cron job Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> more consistent formatting Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> clarification Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif files Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> fix naming, fix doc get text Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> blarn Signed-off-by: CI <michael@crenshaw.dev> ignore errors due to vulns Signed-off-by: CI <michael@crenshaw.dev> specify target branch in script Signed-off-by: CI <michael@crenshaw.dev> don't checkout before running script Signed-off-by: CI <michael@crenshaw.dev> make sure dest dir exists Signed-off-by: CI <michael@crenshaw.dev> fix workflow Signed-off-by: CI <michael@crenshaw.dev> * update scans Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * use latest ignore rules Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports, add link to latest, push to master instead of stable Signed-off-by: CI <michael@crenshaw.dev> * fix for double-digit patch versions Signed-off-by: CI <michael@crenshaw.dev> * clean up testing changes Signed-off-by: CI <michael@crenshaw.dev>
2022-07-27 21:15:00 +00:00
if echo "$image" | grep "argocd"; then
# Pass the file arg only for the Argo CD image. The file arg also gives us access to sarif output.
extra_args+=("--file=Dockerfile" "--sarif-file-output=/tmp/argocd-image.sarif")
chore: add Snyk scans to docs (#9856) * chore: generate Snyk reports Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> dashboard Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> cron job Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> more consistent formatting Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> clarification Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif files Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> fix naming, fix doc get text Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> blarn Signed-off-by: CI <michael@crenshaw.dev> ignore errors due to vulns Signed-off-by: CI <michael@crenshaw.dev> specify target branch in script Signed-off-by: CI <michael@crenshaw.dev> don't checkout before running script Signed-off-by: CI <michael@crenshaw.dev> make sure dest dir exists Signed-off-by: CI <michael@crenshaw.dev> fix workflow Signed-off-by: CI <michael@crenshaw.dev> * update scans Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * use latest ignore rules Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports, add link to latest, push to master instead of stable Signed-off-by: CI <michael@crenshaw.dev> * fix for double-digit patch versions Signed-off-by: CI <michael@crenshaw.dev> * clean up testing changes Signed-off-by: CI <michael@crenshaw.dev>
2022-07-27 21:15:00 +00:00
fi
set -x
if ! snyk container test "$image" --org=argoproj --severity-threshold=high "${extra_args[@]}"; then
chore: add Snyk scans to docs (#9856) * chore: generate Snyk reports Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> dashboard Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> cron job Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> more consistent formatting Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> clarification Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif files Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> fix naming, fix doc get text Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> blarn Signed-off-by: CI <michael@crenshaw.dev> ignore errors due to vulns Signed-off-by: CI <michael@crenshaw.dev> specify target branch in script Signed-off-by: CI <michael@crenshaw.dev> don't checkout before running script Signed-off-by: CI <michael@crenshaw.dev> make sure dest dir exists Signed-off-by: CI <michael@crenshaw.dev> fix workflow Signed-off-by: CI <michael@crenshaw.dev> * update scans Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * use latest ignore rules Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports, add link to latest, push to master instead of stable Signed-off-by: CI <michael@crenshaw.dev> * fix for double-digit patch versions Signed-off-by: CI <michael@crenshaw.dev> * clean up testing changes Signed-off-by: CI <michael@crenshaw.dev>
2022-07-27 21:15:00 +00:00
failed=true
fi
set +x
done <<< "$images"
if [ "$failed" == "true" ]; then
exit 1
fi