.gitlab-ci.yml

@@ -23,9 +23,12 @@ kics-iac-sast:
         - Dockerfile
 
 .use-docker-in-docker:
-  image: docker:24.0.5
+  image: docker:25.0.5
   services:
-    - docker:24.0.5-dind
+    - name: docker:25.0.5-dind
+      # Default DinD mtu is 1500 while max host mtu is 1460. We need to make sure we use an MTU value smaller than
+      # 1460. For more info see https://gitlab.com/gitlab-org/security-products/analyzers/trivy-k8s-wrapper/-/merge_requests/30#note_1918113246
+      command: ["--mtu=1400"]
   variables:
     DOCKER_DRIVER: overlay2
     DOCKER_TLS_CERTDIR: ""
@@ -37,7 +40,7 @@ kics-iac-sast:
   parallel:
     matrix:
       - ARCH: arm64
-        RUNNER_TAG: arm64
+        RUNNER_TAG: saas-linux-large-arm64
       - ARCH: amd64
         RUNNER_TAG: saas-linux-large-amd64
   tags:

CHANGELOG.md

 # Trivy K8S wrapper changelog
 
+## v0.3.0
+- Add alpine as a base image (!30)
+
 ## v0.2.15
 - Dockerfile is using a non root user (!21)
 

Dockerfile

+# syntax=docker/dockerfile:1
 
 FROM golang:1.20-buster as builder
 
@@ -16,22 +17,34 @@ COPY . ./
 # Build the binary.
 RUN go build -v -o trivyK8Swrapper cmd/trivy/main.go
 
-# This version supports scanning of private images
-FROM aquasec/trivy:0.49.1
+FROM alpine:3.19 AS trivy-download
 
-# gcompat contains libresolv.so.2 which is required by the go binary.
-RUN apk --no-cache add gcompat
+ARG TARGETOS
+ARG TARGETARCH
 
-# create gitlab user and give write access to app dir
-RUN addgroup --gid 1001 gitlab && \
-    adduser -S gitlab -G gitlab
+COPY ./trivy/versions/TRIVY_VERSION .
+COPY ./lib/scripts/setup.sh .
 
-COPY --from=builder --chown=gitlab:gitlab --chmod=700 /app/trivyK8Swrapper /app/trivyK8Swrapper
+RUN ./setup.sh
+
+# This version supports scanning of private images
+FROM alpine:3.19
+
+RUN <<-EOF
+  # gcompat contains libresolv.so.2 which is required by the go binary.
+  apk update && apk upgrade && apk --no-cache add gcompat wget ca-certificates
+  # create gitlab user and give write access to app dir
+  addgroup --gid 1001 gitlab
+  adduser -S gitlab -G gitlab
+EOF
 
 USER gitlab
-ENV HOME "/home/gitlab"
 WORKDIR /home/gitlab
+ENV PATH /home/gitlab:${PATH}
+
+COPY --from=builder --chown=gitlab:gitlab --chmod=700 /app/trivyK8Swrapper /app/trivyK8Swrapper
+COPY --from=trivy-download --chown=gitlab:gitlab --chmod=700 /home/gitlab/opt/trivy/trivy /home/gitlab/trivy
+
 
 CMD /app/trivyK8Swrapper scan --gitlab-agent-ns=${GITLAB_AGENT_NS} --gitlab-agent-id=${GITLAB_AGENT_ID} --namespace=${NAMESPACE} --workloads=${WORKLOADS}
 ENTRYPOINT [""]
-

README.md

@@ -98,4 +98,4 @@ You can debug using VSCode studio. You can use the following configuration:
 
 ## Trivy report size limit
 
-We currently support a Trivy report size limit of `100MB`.
\ No newline at end of file
+We currently support a Trivy report size limit of `100MB`.

lib/scripts/setup.sh

+#!/bin/sh
+
+set -eu
+
+if [ "$TARGETOS" != "linux" ]; then
+	echo "Unsupported operating system: $TARGETOS"
+	exit 1
+fi
+
+get_archive_name() {
+	TRIVY_VERSION="$1"
+
+	case "$TARGETARCH" in
+	"arm64")
+		printf "%s" "trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz"
+		;;
+	"amd64")
+		printf "%s" "trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
+		;;
+	*)
+		echo "Unsupported architecture: $TARGETARCH"
+		exit 1
+		;;
+	esac
+}
+
+TRIVY_VERSION="$(cat TRIVY_VERSION)"
+TRIVY_ARCHIVE_NAME="$(get_archive_name "${TRIVY_VERSION}")"
+TRIVY_ARCHIVE_LOC="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/${TRIVY_ARCHIVE_NAME}"
+TRIVY_CHECKSUMS_NAME="trivy_${TRIVY_VERSION}_checksums.txt"
+TRIVY_CHECKSUMS_LOC="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/${TRIVY_CHECKSUMS_NAME}"
+
+echo "Creating temp directory"
+mkdir -p /home/gitlab/opt/trivy
+
+echo "Downloading checksums from ${TRIVY_CHECKSUMS_LOC}"
+wget "$TRIVY_CHECKSUMS_LOC"
+
+echo "Downloading binary from ${TRIVY_ARCHIVE_LOC}"
+wget "$TRIVY_ARCHIVE_LOC"
+
+grep "$TRIVY_ARCHIVE_NAME" "$TRIVY_CHECKSUMS_NAME" | sha256sum -c -
+
+echo "Installing Trivy ${TRIVY_VERSION}"
+tar -zxvf "${TRIVY_ARCHIVE_NAME}" -C /home/gitlab/opt/trivy

trivy/versions/TRIVY_VERSION

+0.49.1
\ No newline at end of file