- Added security/audit-all-containers.sh: Automated Trivy scan for all 60+ project images - Added security/hardening/signed-images.md: Guide for Docker Content Trust (DCT) - Updated NODE1 with audit script and started background scan - Results will be saved to /opt/microdao-daarion/logs/audits/ Co-authored-by: Cursor Agent <agent@cursor.sh>
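#!/usr/bin/env bash
# ============================================
# Full Container Security Audit — DAARION
# Version: 1.0.0
# Created: 2026-01-09
# Purpose: Scan all project images for vulnerabilities
# ============================================
#
# Usage: run from the project root (or point PROJECT_ROOT at it):
#   security/audit-all-containers.sh
#
# Environment:
#   PROJECT_ROOT        directory searched for docker-compose*.yml (default: cwd)
#   TRIVY_AUTO_INSTALL  set to 1 to let this script fetch Trivy with the upstream
#                       install script when it is missing (default: refuse, exit 1)
#   TRIVY_VERSION       release tag handed to that install script when set
#   AUDIT_STRICT        set to 1 to exit non-zero when any image failed to scan or
#                       has CRITICAL findings (default: exit 0 after the run)
#
# Output: one markdown row per image in
#   /opt/microdao-daarion/logs/audits/audit-<timestamp>.md
# and Trivy's own stderr for the run in the matching .log file next to it.
#
# Caveats:
#   - Trivy is given the image *reference* named in the compose file and scans
#     whatever the local daemon/registry resolves it to now; a mutable tag
#     (:latest) is not necessarily the digest of the container that is running.
#   - Trivy needs network access on first run to fetch its vulnerability DB.

set -euo pipefail

# Colors
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

readonly LOG_DIR="/opt/microdao-daarion/logs/audits"

# Set in main(); written by scan_image().
REPORT_FILE=""
SCAN_LOG=""
TOTAL_CRITICAL=0
FAILED_SCANS=0

#######################################
# Ensure trivy is on PATH.
# Piping an install script from a mutable branch into sh, as root, on the
# audit host is itself a software-supply-chain risk (the scanner you trust
# is whatever the network handed you). So by default a missing trivy is an
# error; the old curl|sh path only runs on explicit opt-in, and
# TRIVY_VERSION pins the release the install script fetches when set.
# Globals:   YELLOW, NC (read); TRIVY_AUTO_INSTALL, TRIVY_VERSION (env, read)
# Returns:   0 when trivy is available; exits 1 otherwise
#######################################
ensure_trivy() {
  if command -v trivy >/dev/null 2>&1; then
    return 0
  fi
  if [[ "${TRIVY_AUTO_INSTALL:-0}" != "1" ]]; then
    printf '%s\n' \
      "trivy is not installed. Install it from a pinned release (package manager or a verified release binary) and re-run," \
      "or set TRIVY_AUTO_INSTALL=1 to fetch it with the upstream install script (optionally pinned with TRIVY_VERSION)." >&2
    exit 1
  fi
  printf '%b\n' "${YELLOW}Installing Trivy...${NC}"
  # ${TRIVY_VERSION:+...} passes the tag only when the variable is non-empty.
  curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
    | sh -s -- -b /usr/local/bin ${TRIVY_VERSION:+"$TRIVY_VERSION"}
}

#######################################
# Print the unique image references from every docker-compose*.yml under
# the current directory, one per line (sorted).
# A compose file that `docker compose config` cannot render (for example
# because of a missing env var) is reported on stderr instead of being
# silently dropped, since a dropped file means unscanned images.
# Outputs:   image references on stdout
#######################################
collect_images() {
  local compose_file
  find . -name 'docker-compose*.yml' -print0 \
    | while IFS= read -r -d '' compose_file; do
        docker compose -f "$compose_file" config --images 2>/dev/null \
          || printf 'warning: %s could not be rendered; its images were not scanned\n' "$compose_file" >&2
      done \
    | sort -u
}

#######################################
# Count "Severity": "<sev>" entries in Trivy JSON read from stdin.
# Trivy pretty-prints its JSON, so a space follows the colon; the match must
# tolerate whitespace or it finds nothing and every image looks CLEAN.
# grep exits 1 when there is no match, which here means a count of 0, not
# an error — hence the `|| true` under pipefail.
# NOTE: this counts result entries, not unique CVEs (one CVE present in
# several packages counts several times), and any non-vulnerability
# findings Trivy emits with a Severity field would be counted too.
# Arguments: $1 - severity name, e.g. CRITICAL
# Outputs:   a single integer on stdout
#######################################
count_severity() {
  local sev=$1 n
  n=$(grep -oE "\"Severity\":[[:space:]]*\"${sev}\"" | wc -l) || true
  printf '%d\n' "$((n))"
}

#######################################
# Scan one image, append its row to the report and print a status line.
# The scan is run as `rv=0; result=$(...) || rv=$?` on purpose: a plain
# assignment followed by `$?` would, under set -e, abort the whole audit on
# the first image Trivy cannot scan and never reach the FAILED branch.
# Globals:   REPORT_FILE, SCAN_LOG, BLUE, RED, NC (read);
#            TOTAL_CRITICAL, FAILED_SCANS (written)
# Arguments: $1 - image reference
#######################################
scan_image() {
  local image=$1 result crit high status rv=0
  printf 'Scanning %b%s%b... ' "$BLUE" "$image" "$NC"

  # Trivy's stderr goes to the run log so a FAILED row can be explained.
  result=$(trivy image --severity CRITICAL,HIGH --format json "$image" 2>>"$SCAN_LOG") || rv=$?
  if (( rv != 0 )); then
    printf '%b\n' "${RED}FAILED${NC}"
    printf '| %s | ERR | ERR | ❌ Scan Failed |\n' "$image" >> "$REPORT_FILE"
    FAILED_SCANS=$((FAILED_SCANS + 1))
    return 0
  fi

  crit=$(printf '%s' "$result" | count_severity CRITICAL)
  high=$(printf '%s' "$result" | count_severity HIGH)
  TOTAL_CRITICAL=$((TOTAL_CRITICAL + crit))

  if (( crit > 0 )); then
    status="🔴 CRITICAL"
  elif (( high > 0 )); then
    status="🟡 HIGH"
  else
    status="✅ CLEAN"
  fi

  printf '%s (C:%s, H:%s)\n' "$status" "$crit" "$high"
  printf '| %s | %s | %s | %s |\n' "$image" "$crit" "$high" "$status" >> "$REPORT_FILE"
}

#######################################
# Entry point: discover images, scan each, write the markdown report.
# Globals:   LOG_DIR (read); REPORT_FILE, SCAN_LOG, TOTAL_CRITICAL,
#            FAILED_SCANS (written); PROJECT_ROOT, AUDIT_STRICT (env, read)
# Returns:   0, or 1 when no images were found / trivy is unavailable, or
#            when AUDIT_STRICT=1 and a scan failed or found CRITICAL issues
#######################################
main() {
  local image
  local -a images=()

  # find(.) is relative, so the search root must be the project root.
  cd "${PROJECT_ROOT:-.}"
  mkdir -p "$LOG_DIR"
  REPORT_FILE="${LOG_DIR}/audit-$(date +%Y%m%d-%H%M%S).md"
  SCAN_LOG="${REPORT_FILE%.md}.log"
  TOTAL_CRITICAL=0
  FAILED_SCANS=0

  printf '%b\n' "${BLUE}============================================${NC}"
  printf '%b\n' "${BLUE} DAARION Full Container Security Audit${NC}"
  printf '%b\n' "${BLUE}============================================${NC}"
  printf '\n'

  ensure_trivy

  mapfile -t images < <(collect_images)
  if (( ${#images[@]} == 0 )); then
    printf 'No images found under %s (no renderable docker-compose*.yml); nothing to scan.\n' "$PWD" >&2
    exit 1
  fi
  printf 'Found %b%d%b unique images to scan.\n' "$YELLOW" "${#images[@]}" "$NC"

  {
    printf '\n'
    printf '# Security Audit Report - %s\n' "$(date)"
    printf '\n'
    printf '| Image | Critical | High | Status |\n'
    printf '|-------|----------|------|--------|\n'
  } > "$REPORT_FILE"
  : > "$SCAN_LOG"

  for image in "${images[@]}"; do
    scan_image "$image"
  done

  printf '\n'
  printf '%b\n' "${GREEN}Audit completed!${NC}"
  printf 'Report saved to: %s\n' "$REPORT_FILE"
  printf 'Scanner log:     %s\n' "$SCAN_LOG"
  printf 'Images with failed scans: %d; CRITICAL findings in total: %d\n' "$FAILED_SCANS" "$TOTAL_CRITICAL"
  printf '\n'
  printf '%b\n' "${YELLOW}Top Recommendations:${NC}"
  echo "1. Update base images for services with CRITICAL vulnerabilities."
  echo "2. Rebuild local images with --no-cache."
  echo "3. Use specific versions instead of :latest."

  if [[ "${AUDIT_STRICT:-0}" == "1" ]] && (( FAILED_SCANS > 0 || TOTAL_CRITICAL > 0 )); then
    exit 1
  fi
}

main "$@"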