From cabac7d982ab16d2f04bcf6bac4512cd0df43c5d Mon Sep 17 00:00:00 2001
From: Ivan
Date: Fri, 24 Apr 2026 14:04:30 -0500
Subject: [PATCH] feat(ci): update Trivy setup script with upstream verification and cosign integration

---
 scripts/ci/setup-trivy.sh | 71 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 69 insertions(+), 2 deletions(-)

diff --git a/scripts/ci/setup-trivy.sh b/scripts/ci/setup-trivy.sh
index 114fc13..191a802 100644
--- a/scripts/ci/setup-trivy.sh
+++ b/scripts/ci/setup-trivy.sh
@@ -1,7 +1,74 @@
 #!/bin/sh
-# Install Trivy .deb for CI (same package as scan / docker workflows).
+# Install Trivy .deb for CI (scan / docker workflows). Upstream path: Sigstore on
+# trivy_${VER}_checksums.txt, SHA256 of the .deb against that file, then Sigstore on the .deb.
+# Custom mirror: TRIVY_DEB_URL and TRIVY_DEB_SHA256 (sha256sum -c format, hex only).
 set -eu
-curl -fsSL -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb
+COSIGN_VERSION="${COSIGN_VERSION:-3.0.6}"
+TRIVY_VERSION="${TRIVY_VERSION:-0.69.3}"
+TRIVY_RELEASE_BASE="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
+# Keyless signing identity for aquasecurity/trivy reusable release workflow (any semver tag).
+TRIVY_CERT_IDENTITY_RE='^https://github.com/aquasecurity/trivy/\.github/workflows/reusable-release\.yaml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$'
+TRIVY_CERT_ISSUER_RE='^https://token\.actions\.githubusercontent\.com$'
+
+ensure_cosign() {
+ if command -v cosign >/dev/null 2>&1; then
+ return 0
+ fi
+ sh scripts/ci/setup-cosign.sh "${COSIGN_VERSION}"
+}
+
+verify_upstream_deb() {
+ deb_arch="$1"
+ DEB_BASE="trivy_${TRIVY_VERSION}_${deb_arch}.deb"
+
+ ensure_cosign
+ export COSIGN_YES="${COSIGN_YES:-true}"
+
+ curl -fsSL -o /tmp/trivy_checksums.txt "${TRIVY_RELEASE_BASE}/trivy_${TRIVY_VERSION}_checksums.txt"
+ curl -fsSL -o /tmp/trivy_checksums.sigstore.json "${TRIVY_RELEASE_BASE}/trivy_${TRIVY_VERSION}_checksums.txt.sigstore.json"
+ cosign verify-blob /tmp/trivy_checksums.txt --bundle /tmp/trivy_checksums.sigstore.json \
+ --certificate-identity-regexp="${TRIVY_CERT_IDENTITY_RE}" \
+ --certificate-oidc-issuer-regexp="${TRIVY_CERT_ISSUER_RE}"
+
+ EXPECTED_SHA="$(awk -v f="${DEB_BASE}" '$2 == f { print $1; exit }' /tmp/trivy_checksums.txt)"
+ if [ -z "${EXPECTED_SHA}" ]; then
+ echo "setup-trivy.sh: no SHA256 line for ${DEB_BASE} in checksums.txt" >&2
+ exit 1
+ fi
+
+ curl -fsSL -o /tmp/trivy.deb "${TRIVY_RELEASE_BASE}/${DEB_BASE}"
+ echo "${EXPECTED_SHA} /tmp/trivy.deb" | sha256sum -c
+
+ curl -fsSL -o /tmp/trivy.deb.sigstore.json "${TRIVY_RELEASE_BASE}/${DEB_BASE}.sigstore.json"
+ cosign verify-blob /tmp/trivy.deb --bundle /tmp/trivy.deb.sigstore.json \
+ --certificate-identity-regexp="${TRIVY_CERT_IDENTITY_RE}" \
+ --certificate-oidc-issuer-regexp="${TRIVY_CERT_ISSUER_RE}"
+
+ rm -f /tmp/trivy_checksums.txt /tmp/trivy_checksums.sigstore.json /tmp/trivy.deb.sigstore.json
+}
+
+if [ -n "${TRIVY_DEB_URL:-}" ]; then
+ if [ -z "${TRIVY_DEB_SHA256:-}" ]; then
+ echo "setup-trivy.sh: TRIVY_DEB_URL requires TRIVY_DEB_SHA256" >&2
+ exit 1
+ fi
+ curl -fsSL -o /tmp/trivy.deb "${TRIVY_DEB_URL}"
+ echo "${TRIVY_DEB_SHA256} /tmp/trivy.deb" | sha256sum -c
+else
+ arch="$(uname -m)"
+ deb_arch=
+ case "$arch" in
+ x86_64|amd64) deb_arch=Linux-64bit ;;
+ aarch64|arm64) deb_arch=Linux-ARM64 ;;
+ armv7l|armv6l|armhf) deb_arch=Linux-ARM ;;
+ *)
+ echo "setup-trivy.sh: unsupported uname -m: ${arch} (set TRIVY_DEB_URL)" >&2
+ exit 1
+ ;;
+ esac
+ verify_upstream_deb "${deb_arch}"
+fi
+
 sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb || sh scripts/ci/exec-priv.sh apt-get install -f -y
 trivy --version
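Review bot: Every artifact in verify_upstream_deb and the mirror branch lands at a fixed, world-known path under the shared /tmp (`/tmp/trivy.deb`, `/tmp/trivy_checksums.txt`, the `.sigstore.json` bundles), so on a runner shared with other local users the file that `sha256sum -c` and `cosign verify-blob` checked is not guaranteed to be the one the privileged `dpkg -i` later installs, and a pre-existing file at that name is silently overwritten rather than rejected. Creating a private directory up front with `tmpdir="$(mktemp -d)" || exit 1` and `trap 'rm -rf -- "${tmpdir}"' EXIT`, then using `"${tmpdir}/trivy.deb"` and the sibling names in place of the /tmp paths, removes the shared-name window and also replaces the trailing `rm -f`, which today only runs on the success path and leaves the bundles and checksums behind whenever a check fails under `set -e`. Note that `sh scripts/ci/exec-priv.sh dpkg -i` (context line, unchanged) would need the same path, so the directory must stay readable by the helper that runs `dpkg`. Separately, since `TRIVY_VERSION` is taken from the environment while `TRIVY_CERT_IDENTITY_RE` accepts any semver tag, the installed version is pinned only by the `DEB_BASE` filename lookup in the signed checksums file; that is sound as written, but a one-line comment stating that the filename match is what ties the signature to the requested version would help the next reader see why the loose regexp is safe.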