playbooks/trivy_docker_scan.yml hinzugefügt

playbooks/trivy_docker_scan.yml

@@ -0,0 +1,30 @@
+---
+- name: Docker Image Security Scan mit Trivy
+  hosts: docker_nodes
+  become: yes
+  tasks:
+    - name: Sicherstellen, dass Trivy installiert ist (Ubuntu)
+      ansible.builtin.shell: |
+        if ! command -v trivy &> /dev/null; then
+          apt-get install -y wget apt-transport-https gnupg lsb-release
+          wget -qO - https://aquasecurity.github.io/trivy-repo/dabest.gpg | gpg --dearmor -o /usr/share/keyrings/trivy.gpg
+          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee -a /etc/apt/sources.list.d/trivy.list
+          apt-get update
+          apt-get install -y trivy
+        fi
+      args:
+        executable: /bin/bash
+
+    - name: Scan eines Test-Images (nginx:latest)
+      ansible.builtin.command:
+        cmd: trivy image --format json --output /tmp/scan_result.json nginx:latest
+      register: scan_output
+
+    - name: Zeige Scan-Zusammenfassung im Log
+      ansible.builtin.command:
+        cmd: trivy image --severity HIGH,CRITICAL nginx:latest
+      register: trivy_summary
+
+    - name: Ergebnis ausgeben
+      ansible.builtin.debug:
+        msg: "{{ trivy_summary.stdout_lines }}"