fixed an issue with report generation
@@ -14,7 +14,7 @@ The AI will:
1. Read `containers.local.txt` to get the list of images to audit
2. For each image — pull it, run all checks below, and evaluate results
3. For each finding — report CRITICAL, HIGH, MEDIUM, LOW, or INFO
4. Generate a timestamped report file in the `reports/` directory
4. Generate output in `reports/audit-<YYYY-MM-DD>/` — one overview file plus a subfolder per image containing the detail report and SBOM
5. Remove the image from the local host after scanning **unless** it is currently active (`docker ps`)
6. At the end, give an overall environment summary
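Review bot: the new step 4 names the output folder by date only (`reports/audit-<YYYY-MM-DD>/`), so a second run on the same day lands in the same folder and the text does not say whether the overview file and per-image subfolders are overwritten or appended to. Either add a time component to the folder name or state the overwrite behaviour explicitly; the commit message ("fixed an issue with report generation") should also say what the issue was, since this hunk changes the report layout rather than fixing a defect in it.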
@@ -63,17 +63,26 @@ Repeat this entire procedure for **every** `image:tag` entry in `containers.loca
Run: `docker ps --format '{{.Image}}'`
- If the image is in the active list → mark as **ACTIVE**, skip Step 6 (do not remove)
- If the image is in the active list → mark as **ACTIVE**, skip Step 8 (do not remove)
- If not active → mark as **NOT ACTIVE**, will be removed after scan
### Step 2 — Pull the Image
### Step 2 — Create Output Directory
Before scanning, derive the image's output folder and create it:
- `<image-name>` = image name only, no tag, slashes replaced with `-` (e.g. `nginx`, `myrepo-myapp`)
- Create folder: `reports/audit-<YYYY-MM-DD>/<image-name>/`
All files for this image (detail report, SBOM) go into this folder.
### Step 3 — Pull the Image
Run: `docker pull <image:tag>`
- If pull fails → mark as WARN (image may be private, unavailable, or tag deleted) and skip to next image
- Note the image digest and creation date
### Step 3 — CVE Scan (Trivy)
### Step 4 — CVE Scan (Trivy)
Run: `trivy image --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --format json <image:tag>`
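Review bot: the new Step 2 creates `reports/audit-<YYYY-MM-DD>/<image-name>/` before Step 3 pulls the image, but Step 3 says a failed pull is marked WARN and the procedure skips to the next image, so every unavailable image leaves an empty folder behind. Either move the directory creation after a successful pull or add a cleanup rule for empty folders. The `<image-name>` rule ("no tag, slashes replaced with `-`") also drops the tag entirely, so two tags of the same image audited in one run (e.g. `nginx:1.25` and `nginx:1.26`) share a folder; consider including the tag in the folder name, or state that only one tag per image is expected.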
@@ -91,15 +100,15 @@ Report findings grouped by severity:
- Summarise MEDIUM/LOW as counts only unless the user asks for detail
- Flag any CVE with a known public exploit (Trivy marks these with `--ignore-unfixed` info)
### Step 4 — CVE Scan (Grype)
### Step 5 — CVE Scan (Grype)
Run: `grype <image:tag> --output json`
- Cross-reference with Trivy results — note any findings unique to Grype that Trivy missed
- Report new findings in the same severity table format as Step 3
- Report new findings in the same severity table format as Step 4
- If Grype and Trivy agree, note "Confirmed by both scanners"
### Step 5 — Dockerfile Static Analysis (Hadolint)
### Step 6 — Dockerfile Static Analysis (Hadolint)
Locate the Dockerfile for this image if available in the current working directory or a subdirectory.
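Review bot: the renumbering here (Grype 4→5, "same severity table format as Step 3"→"Step 4", Hadolint 5→6) is exactly the kind of drift that hard-coded step numbers invite; cross-references such as "skip Step 8" and "same format as Step 4" would be safer as names ("the Trivy step", "the cleanup step") so the next inserted step does not require touching every other section. While in this region, the unchanged context line "Trivy marks these with `--ignore-unfixed` info" is misleading: `--ignore-unfixed` only hides findings that have no fixed version available, it is not an indicator of a known public exploit, so that bullet should be reworded to describe how exploit availability is actually determined.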
@@ -129,8 +138,8 @@ Run each of the following and report all findings:
- Flag any unknown or restrictive licenses (GPL in a closed deployment, etc.)
**SBOM generation:**
`trivy image --format cyclonedx --output reports/sbom-<image-name>-<date>.json <image:tag>`
- Generate and save an SBOM for the image — no pass/fail, this is for records
`trivy image --format cyclonedx --output reports/audit-<YYYY-MM-DD>/<image-name>/sbom-<image-name>-<tag>.json <image:tag>`
- Generate and save an SBOM into the image's subfolder — no pass/fail, this is for records
### Step 8 — Image Cleanup
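Review bot: the new SBOM path `reports/audit-<YYYY-MM-DD>/<image-name>/sbom-<image-name>-<tag>.json` disambiguates by `<tag>` at the file level, but the surrounding text puts the detail report in that same per-image folder without naming it, so if two tags of one image are audited the SBOMs coexist while the detail reports would collide or overwrite. State the detail report filename (including the tag) alongside this command. Also note that this path relies on the folder having been created in Step 2; the command should be documented as failing rather than silently writing elsewhere if that folder is missing, and repeating `<image-name>` inside a folder already named after the image is redundant and could be dropped.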