chore: enhance Trivy scan script with Docker image pull and cleanup options

2026-02-20 03:12:02 +00:00
parent efbbf46a7a
commit 1a477f90f4
2 changed files with 14 additions and 2 deletions
--- a/.github/skills/security-scan-trivy-scripts/run.sh
+++ b/.github/skills/security-scan-trivy-scripts/run.sh
@@ -26,6 +26,7 @@ validate_docker_environment || error_exit "Docker is required but not available"
 # Set defaults
 set_default_env "TRIVY_SEVERITY" "CRITICAL,HIGH,MEDIUM"
 set_default_env "TRIVY_TIMEOUT" "10m"
+set_default_env "TRIVY_DOCKER_RM" "true"

 # Parse arguments
 # Default scanners exclude misconfig to avoid non-actionable policy bundle issues
@@ -88,8 +89,19 @@ for d in "${SKIP_DIRS[@]}"; do
    SKIP_DIR_FLAGS+=("--skip-dirs" "/app/${d}")
 done

+log_step "PREPARE" "Pulling latest Trivy Docker image"
+if ! docker pull aquasec/trivy:latest >/dev/null; then
+    log_error "Failed to pull Docker image aquasec/trivy:latest"
+    exit 1
+fi
+
 # Run Trivy via Docker
-if docker run --rm \
+DOCKER_RUN_ARGS=(run)
+if [[ "${TRIVY_DOCKER_RM}" == "true" ]]; then
+    DOCKER_RUN_ARGS+=(--rm)
+fi
+
+if docker "${DOCKER_RUN_ARGS[@]}" \
    -v "$(pwd):/app:ro" \
    -e "TRIVY_SEVERITY=${TRIVY_SEVERITY}" \
    -e "TRIVY_TIMEOUT=${TRIVY_TIMEOUT}" \
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -454,7 +454,7 @@
        {
            "label": "Security: Trivy Scan",
            "type": "shell",
-            "command": ".github/skills/scripts/skill-runner.sh security-scan-trivy",
+            "command": "TRIVY_DOCKER_RM=false .github/skills/scripts/skill-runner.sh security-scan-trivy",
            "group": "test",
            "problemMatcher": []
        },