dandri/MeshChatX
1
0
Fork 0
mirror of https://git.quad4.io/RNS-Things/MeshChatX.git synced 2026-04-26 00:12:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
cabac7d982ab16d2f04bcf6bac4512cd0df43c5d
MeshChatX/scripts/ci/setup-trivy.sh

75 lines
3.0 KiB
Bash
Raw Blame History

#!/bin/sh
# Install Trivy .deb for CI (scan / docker workflows). Upstream path: Sigstore on
# trivy_${VER}_checksums.txt, SHA256 of the .deb against that file, then Sigstore on the .deb.
# Custom mirror: TRIVY_DEB_URL and TRIVY_DEB_SHA256 (sha256sum -c format, hex only).
set -eu
COSIGN_VERSION="${COSIGN_VERSION:-3.0.6}"
TRIVY_VERSION="${TRIVY_VERSION:-0.69.3}"
TRIVY_RELEASE_BASE="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
# Keyless signing identity for aquasecurity/trivy reusable release workflow (any semver tag).
TRIVY_CERT_IDENTITY_RE='^https://github.com/aquasecurity/trivy/\.github/workflows/reusable-release\.yaml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$'
TRIVY_CERT_ISSUER_RE='^https://token\.actions\.githubusercontent\.com$'
ensure_cosign() {
if command -v cosign >/dev/null 2>&1; then
return 0
fi
sh scripts/ci/setup-cosign.sh "${COSIGN_VERSION}"
}
verify_upstream_deb() {
deb_arch="$1"
DEB_BASE="trivy_${TRIVY_VERSION}_${deb_arch}.deb"
ensure_cosign
export COSIGN_YES="${COSIGN_YES:-true}"
curl -fsSL -o /tmp/trivy_checksums.txt "${TRIVY_RELEASE_BASE}/trivy_${TRIVY_VERSION}_checksums.txt"
curl -fsSL -o /tmp/trivy_checksums.sigstore.json "${TRIVY_RELEASE_BASE}/trivy_${TRIVY_VERSION}_checksums.txt.sigstore.json"
cosign verify-blob /tmp/trivy_checksums.txt --bundle /tmp/trivy_checksums.sigstore.json \
--certificate-identity-regexp="${TRIVY_CERT_IDENTITY_RE}" \
--certificate-oidc-issuer-regexp="${TRIVY_CERT_ISSUER_RE}"
EXPECTED_SHA="$(awk -v f="${DEB_BASE}" '$2 == f { print $1; exit }' /tmp/trivy_checksums.txt)"
if [ -z "${EXPECTED_SHA}" ]; then
echo "setup-trivy.sh: no SHA256 line for ${DEB_BASE} in checksums.txt" >&2
exit 1
fi
curl -fsSL -o /tmp/trivy.deb "${TRIVY_RELEASE_BASE}/${DEB_BASE}"
echo "${EXPECTED_SHA} /tmp/trivy.deb" | sha256sum -c
curl -fsSL -o /tmp/trivy.deb.sigstore.json "${TRIVY_RELEASE_BASE}/${DEB_BASE}.sigstore.json"
cosign verify-blob /tmp/trivy.deb --bundle /tmp/trivy.deb.sigstore.json \
--certificate-identity-regexp="${TRIVY_CERT_IDENTITY_RE}" \
--certificate-oidc-issuer-regexp="${TRIVY_CERT_ISSUER_RE}"
rm -f /tmp/trivy_checksums.txt /tmp/trivy_checksums.sigstore.json /tmp/trivy.deb.sigstore.json
}
if [ -n "${TRIVY_DEB_URL:-}" ]; then
if [ -z "${TRIVY_DEB_SHA256:-}" ]; then
echo "setup-trivy.sh: TRIVY_DEB_URL requires TRIVY_DEB_SHA256" >&2
exit 1
fi
curl -fsSL -o /tmp/trivy.deb "${TRIVY_DEB_URL}"
echo "${TRIVY_DEB_SHA256} /tmp/trivy.deb" | sha256sum -c
else
arch="$(uname -m)"
deb_arch=
case "$arch" in
x86_64|amd64) deb_arch=Linux-64bit ;;
aarch64|arm64) deb_arch=Linux-ARM64 ;;
armv7l|armv6l|armhf) deb_arch=Linux-ARM ;;
*)
echo "setup-trivy.sh: unsupported uname -m: ${arch} (set TRIVY_DEB_URL)" >&2
exit 1
;;
esac
verify_upstream_deb "${deb_arch}"
fi
sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb || sh scripts/ci/exec-priv.sh apt-get install -f -y
trivy --version
Reference in New Issue View Git Blame Copy Permalink