Verify Trivy install

3lvia · Apr 25, 2024 · eff76cf · eff76cf
1 parent a9d8490
commit eff76cf
Showing 1 changed file with 43 additions and 3 deletions.
diff --git a/trivy-iac-scan/action.yml b/trivy-iac-scan/action.yml
@@ -52,16 +52,56 @@ runs:
         # Add default set of CVE's to ignore
         echo "AVD-DS-0026" >> '${{ inputs.trivyignore }}'
 
+    - name: Install cosign
+      uses: sigstore/[email protected]
+
     - name: Install Trivy
       shell: bash
       run: |
         # Install Trivy
+        local trivy_tarball="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
+        local trivy_checksums="trivy_${TRIVY_VERSION}_checksums.txt"
+
+        local trivy_tmp
         trivy_tmp="$(mktemp -d)"
         cd "$trivy_tmp"
-        trivy_tarball="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
-        wget -q "https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/$trivy_tarball" # TODO: verify checksum & signature
+
+        printf "Downloading Trivy v%s...\n" "$TRIVY_VERSION"
+        wget -q "https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/$trivy_tarball"
+        wget -q "https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/$trivy_tarball.sig"
+        wget -q "https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/$trivy_tarball.pem"
+        printf "Done.\n\n"
+
+        printf "Verifying signature...\n"
+        cosign verify-blob "$trivy_tarball" \
+            --certificate "$trivy_tarball.pem" \
+            --signature "$trivy_tarball.sig" \
+            --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+        printf "Done.\n\n"
+
+        printf "Downloading checksums...\n"
+        wget -q "https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/$trivy_checksums"
+        wget -q "https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/$trivy_checksums.sig"
+        wget -q "https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/$trivy_checksums.pem"
+        printf "Done.\n\n"
+
+        printf "Verifying checksums signature...\n"
+        cosign verify-blob "$trivy_checksums" \
+            --certificate "$trivy_checksums.pem" \
+            --signature "$trivy_checksums.sig" \
+            --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+        printf "Done.\n\n"
+
+        printf "Verifying checksums...\n"
+        echo "$(cat $trivy_checksums | grep $trivy_tarball)" | sha256sum -c
+        printf "Done.\n\n"
+
+        printf "Installing Trivy v%s...\n" "$TRIVY_VERSION"
         tar -xzf "$trivy_tarball"
-        chmod +x trivy && mv trivy /usr/local/bin
+        sudo install -m 755 trivy /usr/local/bin
+        printf "Done.\n\n"
       env:
         TRIVY_VERSION: '0.50.4'