|
12 | 12 | from pytest_container import get_extra_run_args |
13 | 13 | from pytest_container import MultiStageBuild |
14 | 14 | from pytest_container.container import ContainerData |
| 15 | +from pytest_container.runtime import LOCALHOST |
15 | 16 |
|
16 | 17 | from bci_tester.data import ALL_CONTAINERS |
17 | 18 | from bci_tester.data import BCI_REPO_NAME |
|
24 | 25 | from bci_tester.data import PCP_CONTAINER |
25 | 26 | from bci_tester.data import POSTGRESQL_CONTAINERS |
26 | 27 | from bci_tester.data import TARGET |
| 28 | +from bci_tester.runtime_choice import DOCKER_SELECTED |
27 | 29 |
|
28 | 30 | CONTAINER_IMAGES = ALL_CONTAINERS |
29 | 31 |
|
@@ -260,6 +262,34 @@ def test_zypper_verify_passes(container_per_test: ContainerData) -> None: |
260 | 262 | ) |
261 | 263 |
|
262 | 264 |
|
| 265 | +@pytest.mark.skipif( |
| 266 | + DOCKER_SELECTED, reason="Trivy-Scan images only with podman" |
| 267 | +) |
| 268 | +@pytest.mark.skipif( |
| 269 | + (LOCALHOST.system_info.arch not in ("x86_64",) |
| 270 | + or OS_VERSION in ("15.3", "basalt", "tumbleweed")), |
| 271 | + reason=f"{LOCALHOST.system_info.arch} is not supported to run trivy", |
| 272 | +) |
| 273 | +def test_trivy_image_scan(host, auto_container: ContainerData) -> None: |
| 274 | + """Check that trivy image is able to scan the container.""" |
| 275 | + |
| 276 | + trivy_container = "docker.io/aquasec/trivy:latest" |
| 277 | + baseurl = auto_container.container.baseurl |
| 278 | + if not baseurl: |
| 279 | + pytest.skip( |
| 280 | + reason=f"container {auto_container.container} has no baseurl" |
| 281 | + ) |
| 282 | + |
| 283 | + host.run_expect( |
| 284 | + [0], |
| 285 | + ( |
| 286 | + f"podman run -v trivy:/root {trivy_container} image {baseurl} " |
| 287 | + "--scanners vuln --exit-code 1 --exit-on-eol 2 -f template " |
| 288 | + "--format sarif" |
| 289 | + ), |
| 290 | + ) |
| 291 | + |
| 292 | + |
263 | 293 | @pytest.mark.parametrize( |
264 | 294 | "container", |
265 | 295 | [ |
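Review bot: The trivy invocation inside `host.run_expect` (new lines 286–288) passes both `-f template` and `--format sarif`; in trivy `-f` is the short form of `--format`, so the later flag wins and `template` (which would additionally need a `--template` argument) is silently ignored — drop it and keep `"--scanners vuln --exit-code 1 --exit-on-eol 2 --format sarif"`. The image reference `docker.io/aquasec/trivy:latest` is unpinned, so the scanner actually executed (and therefore the test's verdict) changes with every upstream push; pinning to a version tag plus digest, e.g. `docker.io/aquasec/trivy:<VERSION>@sha256:<DIGEST>` (placeholder), keeps the tool under the repository's control and makes failures reproducible. The second `skipif` reason names only the architecture although the condition also skips on `OS_VERSION`, so a skip on 15.3/basalt/tumbleweed reports a misleading message; `reason=f"trivy not run for arch {LOCALHOST.system_info.arch} / OS {OS_VERSION}"` would be accurate for both branches. Because `--exit-code 1` fails the test on any vulnerability present in the current database, it may be worth stating in the docstring that the test is meant as a vulnerability gate rather than a scanner smoke test, if that is the intent.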
|