#!/bin/bash
# ============================================================
# scan-image.sh — Scan a Docker image before using it
# ============================================================
# Usage:
#   ./scan-image.sh postgres:16-alpine
#   ./scan-image.sh --pull postgres:16-alpine
# ============================================================
# -e: abort on unexpected errors; -u: unset variables are errors;
# pipefail: a failing command inside a pipeline fails the pipeline.
set -euo pipefail

# Colours
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
NC='\033[0m'

# Parameters
PULL=false
IMAGE=""

# Argument parsing
while [[ $# -gt 0 ]]; do
    case $1 in
        --pull|-p)
            PULL=true
            shift
            ;;
        *)
            IMAGE="$1"
            shift
            ;;
    esac
done

if [ -z "$IMAGE" ]; then
    echo "Usage: $0 [--pull] <image>"
    echo "Example: $0 postgres:16-alpine"
    echo "         $0 --pull postgres:16-alpine"
    exit 1
fi

echo -e "${CYAN}🔍 Scanning Docker Image: $IMAGE${NC}"
echo "========================================"
date
echo ""

# Check that Trivy is installed
if ! command -v trivy &> /dev/null; then
    echo -e "${RED}❌ Trivy not installed!${NC}"
    echo "Install: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin"
    exit 1
fi

# Pull if requested
if [ "$PULL" = true ]; then
    echo -e "${YELLOW}📥 Pulling image...${NC}"
    docker pull "$IMAGE"
    echo ""
fi

# Get the digest. RepoDigests is only populated for images pulled from a
# registry; a locally built image has none, so fall back to N/A.
echo -e "${YELLOW}📋 Image Info:${NC}"
DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE" 2>/dev/null || echo "N/A")
echo "  Digest: $DIGEST"
echo ""

# Vulnerability scan
echo -e "${YELLOW}🔒 Scanning for vulnerabilities...${NC}"
echo ""

# Run Trivy. By default trivy exits 0 even when it finds vulnerabilities,
# so --exit-code 1 is required for the exit status to mean anything.
# The "|| SCAN_EXIT=$?" form records a failure without tripping set -e.
SCAN_EXIT=0
trivy image --severity HIGH,CRITICAL --exit-code 1 "$IMAGE" || SCAN_EXIT=$?

echo ""
echo "========================================"
if [ "$SCAN_EXIT" -eq 0 ]; then
    echo -e "${GREEN}✅ No HIGH/CRITICAL vulnerabilities found${NC}"
else
    echo -e "${RED}❌ Vulnerabilities found!${NC}"
    echo ""
    echo "Options:"
    echo "  1. Use a different image version"
    echo "  2. Build custom image with patches"
    echo "  3. Accept risk (not recommended)"
fi

# Extra check for known cryptominer artefacts dropped in /tmp.
# The image is NOT executed: "docker create" only materialises the
# container filesystem and "docker export" streams it out, so a
# malicious ENTRYPOINT never runs on the scanning host. The trailing
# /bin/true is never started; it only satisfies images that have no CMD.
echo ""
echo -e "${YELLOW}🦠 Checking for known malware patterns...${NC}"
MALWARE_CHECK="check_failed"
if CID=$(docker create "$IMAGE" /bin/true 2>/dev/null); then
    if FILE_LIST=$(docker export "$CID" 2>/dev/null | tar -tf - 2>/dev/null); then
        # Crude name matching: these are file names miners commonly use to
        # masquerade. A hit is a lead to inspect, so the matching paths are printed.
        MALWARE_CHECK=$(printf '%s\n' "$FILE_LIST" \
            | grep -E '^tmp/.*(httpd|\.perf|mysql|xmrig|kdevtmp)' || echo 'clean')
    fi
    docker rm -f "$CID" >/dev/null 2>&1 || true
fi

if [ "$MALWARE_CHECK" = "clean" ]; then
    echo -e "${GREEN}✅ No known malware patterns in /tmp${NC}"
elif [ "$MALWARE_CHECK" = "check_failed" ]; then
    echo -e "${YELLOW}⚠️  Could not export the image filesystem to check /tmp${NC}"
else
    echo -e "${RED}❌ MALWARE DETECTED in /tmp!${NC}"
    echo "$MALWARE_CHECK"
    echo ""
    echo -e "${RED}DO NOT USE THIS IMAGE!${NC}"
    exit 1
fi

# Final verdict: only call the image safe once both checks have passed
echo ""
echo "========================================"
if [ "$SCAN_EXIT" -ne 0 ]; then
    echo -e "${RED}❌ Image failed the vulnerability scan (see options above)${NC}"
    exit 1
fi

echo -e "${GREEN}Safe to use:${NC}"
echo "  image: $IMAGE"
if [ "$DIGEST" != "N/A" ]; then
    echo ""
    # A tag can be re-pointed at a different image later; a digest cannot.
    echo -e "${GREEN}Recommended (pinned by digest):${NC}"
    echo "  image: $DIGEST"
fi
echo ""
echo -e "${GREEN}🎉 Image scan complete!${NC}"
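The "Recommended (pinned by digest)" line above prints a name@sha256:... reference but leaves applying it to the reader. The following is an added example, not part of scan-image.sh and not code from Trivy or Docker: bash helpers that rewrite an image: line in a compose file to the digest form and verify that every image: reference in the file is digest-pinned, which is the check a deploy pipeline would gate on. The compose file content, the SAMPLE_DIGEST value and the redis digest are constructed for the demo and are not real digests; in practice the digest comes from docker inspect as in the script above.

```bash
#!/bin/bash
# Added example (not part of scan-image.sh): pin compose image references by
# digest and verify that every image: line is pinned. Needs only awk and grep.

# Constructed sample digest for the demo (not a real postgres digest).
SAMPLE_DIGEST="postgres@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Exit 0 if the reference is digest-pinned (name@sha256:<64 hex chars>),
# 1 otherwise. A tag such as postgres:16-alpine is mutable and does not pass.
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Print every image: reference in a compose file, with quotes stripped.
list_compose_images() {
    awk '$1 == "image:" { ref = $2; gsub(/["\047]/, "", ref); print ref }' "$1"
}

# Exit 0 if all image: references in the file are digest-pinned; otherwise
# print the offending references and exit 1. Suitable as a CI gate.
check_compose_pinned() {
    local unpinned
    unpinned=$(list_compose_images "$1" \
        | grep -Ev '^[^@[:space:]]+@sha256:[0-9a-f]{64}$' || true)
    if [ -n "$unpinned" ]; then
        printf 'unpinned image reference(s) in %s:\n%s\n' "$1" "$unpinned"
        return 1
    fi
    return 0
}

# Rewrite "image: <tag>" to "image: <digest>" in place, keeping indentation.
# Refuses to "pin" to anything that is not itself a digest reference.
# $1 = compose file, $2 = tag reference, $3 = digest reference
pin_compose_image() {
    local file="$1" tag="$2" digest="$3"
    if ! is_digest_pinned "$digest"; then
        echo "refusing to pin $tag to non-digest reference: $digest" >&2
        return 2
    fi
    awk -v tag="$tag" -v digest="$digest" '
        $1 == "image:" {
            ref = $2; gsub(/["\047]/, "", ref)
            if (ref == tag) { sub(/image:.*$/, "image: " digest) }
        }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Write a constructed compose file for the demo: one tagged, one pinned image.
write_sample_compose() {
    cat > "$1" <<'EOF'
services:
  db:
    image: "postgres:16-alpine"
  cache:
    image: redis@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
}

# Demo run on a temporary file (no docker needed).
demo_dir=$(mktemp -d)
write_sample_compose "$demo_dir/compose.yml"
check_compose_pinned "$demo_dir/compose.yml" || echo "(expected: postgres is still tagged)"
pin_compose_image "$demo_dir/compose.yml" "postgres:16-alpine" "$SAMPLE_DIGEST"
if check_compose_pinned "$demo_dir/compose.yml"; then
    echo "all images pinned:"
    cat "$demo_dir/compose.yml"
fi
rm -rf "$demo_dir"
```

Run check_compose_pinned against the real compose file as the last step of the pipeline; pin_compose_image takes the digest exactly as scan-image.sh prints it. Matching is on the whole reference, so registry-prefixed names (for example ghcr.io/org/app@sha256:...) pass and a bare tag never does.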