Add trivy image scan

Signed-off-by: Ivan Valdes <[email protected]>

Author: ivanvc

Makefile

@@ -186,6 +186,16 @@ ifeq (, $(shell which golangci-lint))
 	$(shell curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOPATH)/bin $(GOLANGCI_LINT_VERSION))
 endif
 
+TRIVY_VERSION = $(shell cd tools/mod && go list -m -f {{.Version}} github.com/aquasecurity/trivy)
+.PHONY: install-trivy
+install-trivy: bin/trivy
+bin/trivy:
+	curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./bin $(TRIVY_VERSION)
+
+.PHONY: run-trivy-image-scan
+run-trivy-image-scan: install-trivy
+	./scripts/scan_latest_released_image.sh
+
 .PHONY: install-lazyfs
 install-lazyfs: bin/lazyfs
 bin/lazyfs:

scripts/scan_latest_released_image.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Default image registry to use.
+REGISTRY=${REGISTRY:-gcr.io/etcd-development/etcd}
+
+# Default severity levels to report.
+SEVERITY=${SEVERITY:-HIGH,CRITICAL}
+
+source ./scripts/test_lib.sh
+
+if ! command -v trivy >/dev/null; then
+  log_error "Error: Cannot find trivy. Please follow the installation instructions at: https://trivy.dev/latest/getting-started/"
+  exit 1
+fi
+
+# Returns the latest tag for the given branch.
+function latest_branch_tag {
+  local branch=$1
+  local minor="${branch#release-}"
+
+  git -c 'versionsort.suffix=-' \
+    ls-remote --exit-code --refs --sort='version:refname' --tags origin "v${minor}"'*' \
+    | tail --lines=1 \
+    | cut --delimiter='/' --fields=3
+}
+
+function main {
+  local current_branch
+  current_branch=$(git rev-parse --abbrev-ref HEAD)
+  if [[ ! "${current_branch}" =~ ^release-[0-9]+.[0-9]+$ ]]; then
+    log_error "Error: This script is intended to be run only on stable release branches (current branch: ${current_branch})."
+    return 1
+  fi
+
+  local latest_tag
+  latest_tag=$(latest_branch_tag "$current_branch")
+
+  trivy image --severity "${SEVERITY}" "${REGISTRY}:${latest_tag}"
+}
+
+main