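#!/bin/bash
# ============================================
# Full Container Security Audit — DAARION
# Version: 1.0.0
# Created: 2026-01-09
# Purpose: Scan all project images for vulnerabilities
#
# Usage: run from the repository root. Every docker-compose*.yml below the
# current directory is rendered with `docker compose config --images`, and
# each unique image is scanned with Trivy for CRITICAL/HIGH findings.
# A markdown report is written under LOG_DIR; scanner stderr is kept in a
# sibling .errors.log so a "Scan Failed" row can be diagnosed afterwards.
#
# Environment (optional):
#   TRIVY_VERSION - release tag handed to the upstream installer when trivy
#                   is missing; empty (the previous behaviour) installs the
#                   latest release.
# ============================================
set -euo pipefail

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

readonly LOG_DIR="/opt/microdao-daarion/logs/audits"

# Set by main(); read by scan_image().
REPORT_FILE=""
ERR_LOG=""

#######################################
# Print one line to stdout, interpreting the colour escapes above.
# Arguments: $* - text, may contain ${RED} etc.
#######################################
say() {
  printf '%b\n' "$*"
}

#######################################
# Make sure trivy is on PATH, installing it when absent.
# NOTE(review): the installer is fetched from the upstream repository's
# main branch and piped straight into sh with the privileges of whoever
# runs this audit. Set TRIVY_VERSION so at least the binary is pinned to a
# release tag, and prefer a pre-installed, checksum-verified trivy on
# production hosts. With pipefail a failed download now aborts the run
# instead of silently leaving trivy missing.
#######################################
ensure_trivy() {
  if command -v trivy >/dev/null 2>&1; then
    return 0
  fi
  say "${YELLOW}Installing Trivy...${NC}"
  local -a install_args=(-b /usr/local/bin)
  if [[ -n "${TRIVY_VERSION:-}" ]]; then
    install_args+=("$TRIVY_VERSION")
  fi
  curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
    | sh -s -- "${install_args[@]}"
}

#######################################
# Count occurrences of one severity in a trivy JSON report.
# The match tolerates optional whitespace after the colon: an exact
# '"Severity":"X"' grep misses indented JSON and would then report every
# image as CLEAN, which is a false negative, not a clean result.
# Arguments: $1 - JSON text
#            $2 - severity name (CRITICAL, HIGH, ...)
# Outputs:   the count as a plain integer on stdout (0 when nothing matches)
#######################################
count_severity() {
  local json=$1 sev=$2 n
  # grep exits 1 on no match, which pipefail propagates; that is the 0 case.
  n=$(grep -oE "\"Severity\":[[:space:]]*\"${sev}\"" <<<"$json" | wc -l) || n=0
  # Arithmetic strips the leading padding some wc implementations print.
  printf '%d\n' "$(( n + 0 ))"
}

#######################################
# Collect unique image references from every docker-compose*.yml under cwd.
# Outputs: one image per line on stdout. Compose files that fail to render
#          (e.g. missing .env values) are skipped silently, as before.
#######################################
list_images() {
  find . -name 'docker-compose*.yml' \
    -exec docker compose -f {} config --images 2>/dev/null \; \
    | sort -u
}

#######################################
# Scan one image and append its row to the report.
# Globals:   REPORT_FILE, ERR_LOG (read)
# Arguments: $1 - image reference
# Returns:   0 always; a scanner failure is recorded in the report, not fatal
#######################################
scan_image() {
  local image=$1 scan critical high status
  printf '%b' "Scanning ${BLUE}${image}${NC}... "
  # Under set -e a failing $(...) assignment aborts the script before any
  # later "$? -ne 0" test can run, so the failure branch must be the `if`.
  if ! scan=$(trivy image --severity CRITICAL,HIGH --format json "$image" 2>>"$ERR_LOG"); then
    say "${RED}FAILED${NC}"
    printf '| %s | ERR | ERR | ❌ Scan Failed |\n' "$image" >>"$REPORT_FILE"
    return 0
  fi
  critical=$(count_severity "$scan" CRITICAL)
  high=$(count_severity "$scan" HIGH)
  if (( critical > 0 )); then
    status="🔴 CRITICAL"
  elif (( high > 0 )); then
    status="🟡 HIGH"
  else
    status="✅ CLEAN"
  fi
  say "${status} (C:${critical}, H:${high})"
  printf '| %s | %s | %s | %s |\n' "$image" "$critical" "$high" "$status" >>"$REPORT_FILE"
}

#######################################
# Entry point: prepare the report, scan every image, print a summary.
# Globals:   LOG_DIR (read), REPORT_FILE, ERR_LOG (written)
# Arguments: none
#######################################
main() {
  mkdir -p "$LOG_DIR"
  local stamp
  stamp=$(date +%Y%m%d-%H%M%S)
  REPORT_FILE="${LOG_DIR}/audit-${stamp}.md"
  ERR_LOG="${LOG_DIR}/audit-${stamp}.errors.log"

  say "${BLUE}============================================${NC}"
  say "${BLUE} DAARION Full Container Security Audit${NC}"
  say "${BLUE}============================================${NC}"
  printf '\n'

  ensure_trivy

  # Array instead of word-splitting a string: an empty result is 0 images,
  # not the "1" that `echo "" | wc -l` used to report.
  local -a images=()
  mapfile -t images < <(list_images)
  say "Found ${YELLOW}${#images[@]}${NC} unique images to scan."

  {
    printf '\n'
    printf '# Security Audit Report - %s\n' "$(date)"
    printf '\n'
    printf '| Image | Critical | High | Status |\n'
    printf '|-------|----------|------|--------|\n'
  } >"$REPORT_FILE"
  : >"$ERR_LOG"

  if (( ${#images[@]} == 0 )); then
    say "${YELLOW}No images found under $(pwd); nothing to scan.${NC}"
  else
    local image
    for image in "${images[@]}"; do
      scan_image "$image"
    done
  fi

  printf '\n'
  say "${GREEN}Audit completed!${NC}"
  say "Report saved to: ${REPORT_FILE}"
  say "Scanner errors (if any): ${ERR_LOG}"
  printf '\n'
  say "${YELLOW}Top Recommendations:${NC}"
  printf '%s\n' "1. Update base images for services with CRITICAL vulnerabilities."
  printf '%s\n' "2. Rebuild local images with --no-cache."
  printf '%s\n' "3. Use specific versions instead of :latest."
}

main "$@"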