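---
# Install Trivy on the Docker nodes (Ubuntu/Debian via apt) and scan one
# container image: a JSON report is written for later processing and a
# HIGH/CRITICAL summary is printed to the play log.  Every task runs as
# root (become) on each host in `docker_nodes`.
- name: Docker Image Security Scan mit Trivy
  hosts: docker_nodes
  become: true

  vars:
    # Image to scan.  `latest` is a moving tag, so two runs may scan
    # different content; pin a digest (image@sha256:...) when the result
    # has to be reproducible.
    trivy_image: nginx:latest
    # Report location.  A root-owned directory replaces the previous
    # /tmp/scan_result.json: trivy runs as root here, and a fixed filename
    # in the world-writable /tmp is a symlink-planting target.
    trivy_report_dir: /var/lib/trivy-scans
    trivy_report_path: "{{ trivy_report_dir }}/scan_result.json"

  tasks:
    - name: Sicherstellen, dass Trivy installiert ist (Ubuntu)
      # Shell is kept for the signed-by keyring bootstrap, but hardened:
      # abort on the first error instead of continuing with a half-written
      # keyring, overwrite the keyring and sources file instead of
      # appending (idempotent), and report "changed" only when an install
      # actually happened.
      ansible.builtin.shell: |
        set -euo pipefail
        if command -v trivy > /dev/null 2>&1; then
          echo "PRESENT"
          exit 0
        fi
        apt-get install -y wget apt-transport-https gnupg lsb-release
        # NOTE(review): the signing key is trusted solely because it arrived
        # over HTTPS from github.io.  Compare the fingerprint of
        # /usr/share/keyrings/trivy.gpg with the one published in the Trivy
        # docs, and confirm this download URL against the docs, before
        # relying on this in production.
        wget -qO - https://aquasecurity.github.io/trivy-repo/dabest.gpg \
          | gpg --batch --yes --dearmor -o /usr/share/keyrings/trivy.gpg
        echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" \
          > /etc/apt/sources.list.d/trivy.list
        apt-get update
        apt-get install -y trivy
        echo "INSTALLED"
      args:
        executable: /bin/bash
      register: trivy_install
      changed_when: "'INSTALLED' in trivy_install.stdout"

    - name: Verzeichnis für Scan-Berichte anlegen
      # Root-only report directory (see trivy_report_dir above).
      ansible.builtin.file:
        path: "{{ trivy_report_dir }}"
        state: directory
        owner: root
        group: root
        mode: "0750"

    - name: "Scan eines Test-Images ({{ trivy_image }})"
      # Full JSON report.  Without --exit-code trivy exits 0 even when
      # vulnerabilities are found, so this task does not gate the play; add
      # `--exit-code 1` (plus a matching failed_when) to make it a gate.
      ansible.builtin.command:
        cmd: >-
          trivy image --format json
          --output {{ trivy_report_path }}
          {{ trivy_image }}
      register: scan_output

    - name: Zeige Scan-Zusammenfassung im Log
      # Second, read-only invocation restricted to HIGH/CRITICAL findings
      # for a human-readable summary; it modifies nothing on the host.
      ansible.builtin.command:
        cmd: trivy image --severity HIGH,CRITICAL {{ trivy_image }}
      register: trivy_summary
      changed_when: false

    - name: Ergebnis ausgeben
      ansible.builtin.debug:
        var: trivy_summary.stdout_lines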