From 8e71ce9cb097eb84c52bb75243cd22ad2aa1a3ae Mon Sep 17 00:00:00 2001
From: Daan Schipper <2778477+daanschipper@users.noreply.github.com>
Date: Mon, 17 Jun 2024 15:37:06 +0200
Subject: [PATCH] fix: sync stdout buffer to file

The trivy command is completed and as it is the main process the entire container is stopped before the stdout buffer is cleared, resulting in malformed output. Fixes #1792.
---
 pkg/plugins/trivy/image.go | 131 +++++++++---------
 pkg/plugins/trivy/plugin_test.go | 34 ++---
 tests/envtest/controller_test.go | 1 -
 .../fixture/cronjob-expected-scan.yaml | 2 +-
 .../fixture/daemonset-expected-scan.yaml | 2 +-
 .../testdata/fixture/job-expected-scan.yaml | 2 +-
 .../testdata/fixture/pod-expected-scan.yaml | 2 +-
 .../fixture/replicaset-expected-scan.yaml | 2 +-
 .../replicationcontroller-expected-scan.yaml | 2 +-
 .../fixture/statefulset-expected-scan.yaml | 2 +-
 10 files changed, 91 insertions(+), 89 deletions(-)
diff --git a/pkg/plugins/trivy/image.go b/pkg/plugins/trivy/image.go
index ff0f1b0288..79fad36648 100644
--- a/pkg/plugins/trivy/image.go
+++ b/pkg/plugins/trivy/image.go
@@ -561,84 +561,87 @@ func getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, imageRef stri command := []string{ "trivy", } - trivyConfig := ctx.GetTrivyOperatorConfig() - compressLogs := trivyConfig.CompressLogs() - c, err := getConfig(ctx) + trivyOperatorConfig := ctx.GetTrivyOperatorConfig() + trivyConfig, err := getConfig(ctx) + if err != nil { return []string{}, []string{} } - slow := Slow(c) - sbomSources := c.GetSbomSources() - skipJavaDBUpdate := SkipJavaDBUpdate(c) - cacheDir := c.GetImageScanCacheDir() - vulnTypeArgs := vulnTypeFilter(ctx) - scanners := Scanners(c) - var vulnTypeFlag string - if len(vulnTypeArgs) == 2 { - vulnTypeFlag = fmt.Sprintf("%s %s ", vulnTypeArgs[0], vulnTypeArgs[1]) + // Arguments first. + args := []string{ + "image", + imageRef, + } + + // Options in alphabetic order. + cacheDir := trivyConfig.GetImageScanCacheDir() + args = append(args, "--cache-dir", cacheDir) + + args = append(args, "--format", "json") + + imcs := imageConfigSecretScanner(trivyOperatorConfig) + if len(imcs) > 0 { + args = append(args, imcs...) + } + + args = append(args, "--quiet") + + sbomSources := trivyConfig.GetSbomSources() + if len(sbomSources) > 0 { + args = append(args, []string{"--sbom-sources", sbomSources}...) } - imcs := imageConfigSecretScanner(trivyConfig) - var imageconfigSecretScannerFlag string - if len(imcs) == 2 { - imageconfigSecretScannerFlag = fmt.Sprintf("%s %s ", imcs[0], imcs[1]) + + scanners := Scanners(trivyConfig) + args = append(args, scanners, getSecurityChecks(ctx)) + + if len(trivyServerURL) > 0 { + args = append(args, []string{"--server", trivyServerURL}...) 
} + var skipUpdate string - if c.GetClientServerSkipUpdate() && mode == ClientServer { - skipUpdate = SkipDBUpdate(c) + if trivyConfig.GetClientServerSkipUpdate() && mode == ClientServer { + skipUpdate = SkipDBUpdate(trivyConfig) } else if mode != ClientServer { - skipUpdate = SkipDBUpdate(c) + skipUpdate = SkipDBUpdate(trivyConfig) + } + if len(skipUpdate) > 0 { + args = append(args, skipUpdate) } - if !compressLogs { - args := []string{ - "--cache-dir", - cacheDir, - "--quiet", - "image", - scanners, - getSecurityChecks(ctx), - "--format", - "json", - } - if len(trivyServerURL) > 0 { - args = append(args, []string{"--server", trivyServerURL}...) - } - args = append(args, imageRef) - if len(slow) > 0 { - args = append(args, slow) - } - if len(vulnTypeArgs) > 0 { - args = append(args, vulnTypeArgs...) - } - if len(imcs) > 0 { - args = append(args, imcs...) - } - pkgList := getPkgList(ctx) - if len(pkgList) > 0 { - args = append(args, pkgList) - } - if len(sbomSources) > 0 { - args = append(args, []string{"--sbom-sources", sbomSources}...) - } - if len(skipUpdate) > 0 { - args = append(args, skipUpdate) - } - if len(skipJavaDBUpdate) > 0 { - args = append(args, skipJavaDBUpdate) - } + skipJavaDBUpdate := SkipJavaDBUpdate(trivyConfig) + if len(skipJavaDBUpdate) > 0 { + args = append(args, skipJavaDBUpdate) + } - return command, args + slow := Slow(trivyConfig) + if len(slow) > 0 { + args = append(args, slow) } - var serverUrlParms string - if mode == ClientServer { - serverUrlParms = fmt.Sprintf("--server '%s' ", trivyServerURL) + + vulnTypeArgs := vulnTypeFilter(ctx) + if len(vulnTypeArgs) > 0 { + args = append(args, vulnTypeArgs...) } - var sbomSourcesFlag string - if len(sbomSources) > 0 { - sbomSourcesFlag = fmt.Sprintf(" --sbom-sources %s ", sbomSources) + + pkgList := getPkgList(ctx) + if len(pkgList) > 0 { + args = append(args, pkgList) + } + + // Return early when compressing logs is disabled. 
+ compressLogs := trivyOperatorConfig.CompressLogs() + if !compressLogs { + return command, args } - return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s%s --cache-dir %s --quiet %s --format json %s> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, sbomSourcesFlag, cacheDir, getPkgList(ctx), serverUrlParms, resultFileName, resultFileName)} + + // Add command to args as it is now need to pipe output to compress. + args = append(command, args...) + // Add compress arguments. + // Sync is required to flush buffer to stdout before exiting. + args = append(args, fmt.Sprintf(`> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64 && sync`, resultFileName, resultFileName)) + + return []string{"/bin/sh"}, append([]string{"-c"}, strings.Join(args, " ")) } func GetSbomScanCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, sbomFile string, trivyServerURL string, resultFileName string) ([]string, []string) { diff --git a/pkg/plugins/trivy/plugin_test.go b/pkg/plugins/trivy/plugin_test.go index 8258fbeaf6..a2ecd44887 100644 --- a/pkg/plugins/trivy/plugin_test.go +++ b/pkg/plugins/trivy/plugin_test.go @@ -345,7 +345,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
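Review bot: The compressed-log path now builds the `/bin/sh -c` string with `strings.Join(args, " ")`, so `imageRef`, `trivyServerURL`, `sbomSources` and `cacheDir` reach the shell unquoted, where the removed `fmt.Sprintf` at least wrapped the image reference and the server URL in single quotes. If any of those values can carry whitespace or shell metacharacters (their origin is outside this hunk; presumably workload specs and operator configuration), the scan job's shell would interpret them instead of passing them to trivy as one argument. Quoting each element before the join, as in the excerpt below, keeps the shell path equivalent to the argv path; it assumes every element is a single argv token, which the uncompressed return already requires, and `resultFileName` is still interpolated bare and deserves the same treatment or validation. The updated expectations in plugin_test.go and the envtest fixtures pin the unquoted form, so they would change to the quoted strings, ideally with one extra case whose image reference contains a space. getCommandAndArgs starts outside this hunk.

```go
// … unchanged: argument assembly and the early return when compression is off …

// The joined string is parsed by /bin/sh, so quote every element.
parts := make([]string, 0, len(args)+1)
for _, a := range append(command, args...) {
	if a == "" {
		continue // an empty element vanished in the unquoted join; keep that behaviour
	}
	parts = append(parts, "'"+strings.ReplaceAll(a, "'", `'\''`)+"'")
}
// Sync is required to flush buffer to stdout before exiting.
redirect := fmt.Sprintf(`> /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64 && sync`, resultFileName, resultFileName)

return []string{"/bin/sh"}, []string{"-c", strings.Join(parts, " ") + " " + redirect}
```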
@@ -633,7 +633,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 },
 Args: []string{
 "-c",
- "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -921,7 +921,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 },
 Args: []string{
 "-c",
- "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --quiet --security-checks vuln --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -1229,7 +1229,7 @@ CVE-2019-1543`,
 },
 Args: []string{
 "-c",
- "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -1542,7 +1542,7 @@ default ignore = false`,
 },
 Args: []string{
 "-c",
- "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -1834,7 +1834,7 @@ default ignore = false`,
 },
 Args: []string{
 "-c",
- "trivy image --slow 'mirror.io/library/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image mirror.io/library/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -2122,7 +2122,7 @@ default ignore = false`,
 },
 Args: []string{
 "-c",
- "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -2354,7 +2354,7 @@ default ignore = false`,
 },
 Args: []string{
 "-c",
- "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -2583,7 +2583,7 @@ default ignore = false`,
 },
 Args: []string{
 "-c",
- "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -2817,7 +2817,7 @@ default ignore = false`,
 },
 Args: []string{
 "-c",
- "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'https://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server https://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -3051,7 +3051,7 @@ default ignore = false`,
 },
 Args: []string{
 "-c",
- "trivy image --slow 'poc.myregistry.harbor.com.pl/nginx:1.16' --security-checks vuln --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image poc.myregistry.harbor.com.pl/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --quiet --security-checks vuln --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -3305,7 +3305,7 @@ CVE-2019-1543`,
 },
 Args: []string{
 "-c",
- "trivy image --slow 'nginx:1.16' --security-checks secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -3565,7 +3565,7 @@ default ignore = false`,
 },
 Args: []string{
 "-c",
- "trivy image --slow 'nginx:1.16' --security-checks secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -3800,7 +3800,7 @@ default ignore = false`,
 },
 Args: []string{
 "-c",
- "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --cache-dir /tmp/trivy/.cache --quiet --format json --server 'http://trivy.trivy:4954' > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --server http://trivy.trivy:4954 --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -5416,7 +5416,7 @@ default ignore = false`,
 },
 Args: []string{
 "-c",
- "trivy image --slow '000000000000.dkr.ecr.eu-west-1.amazonaws.com/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64",
+ "trivy image 000000000000.dkr.ecr.eu-west-1.amazonaws.com/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync",
 },
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -5731,7 +5731,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -6048,7 +6048,7 @@ default ignore = false`, }, Args: []string{ "-c", - "trivy image --slow 'mirror.io/library/nginx:1.16' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64", + "trivy image mirror.io/library/nginx:1.16 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ diff --git a/tests/envtest/controller_test.go b/tests/envtest/controller_test.go index 9b87a2fd22..e41d6e6ff6 100644 --- a/tests/envtest/controller_test.go +++ b/tests/envtest/controller_test.go @@ -5,7 +5,6 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" - "path" "time" diff --git a/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml b/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml index 21991c7ba1..c5abe8ff24 100644 --- a/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/cronjob-expected-scan.yaml 
@@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'busybox:1.28' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_hello.json && bzip2 -c /tmp/scan/result_hello.json | base64 + - trivy image busybox:1.28 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_hello.json && bzip2 -c /tmp/scan/result_hello.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml b/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml index 694b9ab57c..26686445a3 100644 --- a/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/daemonset-expected-scan.yaml @@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'quay.io/fluentd_elasticsearch/fluentd:v2.5.2' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_fluentd-elasticsearch.json && bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64 + - trivy image quay.io/fluentd_elasticsearch/fluentd:v2.5.2 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_fluentd-elasticsearch.json && bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/job-expected-scan.yaml b/tests/envtest/testdata/fixture/job-expected-scan.yaml index beef615009..1d2f7fd940 100644 --- a/tests/envtest/testdata/fixture/job-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/job-expected-scan.yaml 
@@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'perl:5.34' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_pi.json && bzip2 -c /tmp/scan/result_pi.json | base64 + - trivy image perl:5.34 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_pi.json && bzip2 -c /tmp/scan/result_pi.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/pod-expected-scan.yaml b/tests/envtest/testdata/fixture/pod-expected-scan.yaml index b75434c50e..510f2722df 100644 --- a/tests/envtest/testdata/fixture/pod-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/pod-expected-scan.yaml @@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'app-image:app-image-tag' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_app.json && bzip2 -c /tmp/scan/result_app.json | base64 + - trivy image app-image:app-image-tag --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_app.json && bzip2 -c /tmp/scan/result_app.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml b/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml index 9466cadc42..5bbcb8f571 100644 --- a/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/replicaset-expected-scan.yaml 
@@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'wordpress:4.9' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_wordpress.json && bzip2 -c /tmp/scan/result_wordpress.json | base64 + - trivy image wordpress:4.9 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_wordpress.json && bzip2 -c /tmp/scan/result_wordpress.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml b/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml index 7830e60e0c..bca3ad5351 100644 --- a/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml @@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'nginx' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 + - trivy image nginx --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync command: - /bin/sh env: diff --git a/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml b/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml index fb56b69eb0..8dcf22e884 100644 --- a/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml +++ b/tests/envtest/testdata/fixture/statefulset-expected-scan.yaml 
@@ -47,7 +47,7 @@ spec: containers: - args: - -c - - trivy image --slow 'k8s.gcr.io/nginx-slim:0.8' --security-checks vuln,secret --image-config-scanners secret --skip-update --cache-dir /tmp/trivy/.cache --quiet --format json > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 + - trivy image k8s.gcr.io/nginx-slim:0.8 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --quiet --security-checks vuln,secret --skip-update --slow > /tmp/scan/result_nginx.json && bzip2 -c /tmp/scan/result_nginx.json | base64 && sync command: - /bin/sh env: