feat(docker): update Trivy version to v0.68.1 and add enhanced gate script with logging

Author: adilhusain-s

python-versions/Dockerfile

@@ -4,7 +4,7 @@ ARG BASE_IMAGE=powershell:ubuntu-${UBUNTU_VERSION}
 ARG TARGETARCH
 ARG PYTHON_VERSION=3.13.3
 ARG ACTIONS_PYTHON_VERSIONS=3.13.3-14344076652
-ARG TRIVY_VERSION=v0.58.1
+ARG TRIVY_VERSION=v0.68.1
 
 # ================= BUILDER STAGE =====================
 FROM ${BASE_IMAGE} AS builder
@@ -85,76 +85,8 @@ RUN trivy --download-db-only || true; \
     trivy fs --format json --output /tmp/artifact/trivy-${PYTHON_VERSION}-${TARGETARCH}-vuln.json --scanners vuln ${PYTHON_INSTALL_DIR} || true && \
     trivy fs --format json --output /tmp/artifact/trivy-${PYTHON_VERSION}-${TARGETARCH}-secret.json --scanners secret,misconfig ${PYTHON_INSTALL_DIR} || true
 
-# Enhanced Gate Script with Logging
-COPY <<EOF /usr/local/bin/trivy-gate.sh
-#!/bin/sh
-set +e
-
-# Logging Helper
-log() {
-    echo "[\$(date +'%Y-%m-%d %H:%M:%S')] \$1"
-}
-
-# Inputs
-VULN_JSON=\${1:-/tmp/artifact/trivy-${PYTHON_VERSION}-${TARGETARCH}-vuln.json}
-SECRET_JSON=\${2:-/tmp/artifact/trivy-${PYTHON_VERSION}-${TARGETARCH}-secret.json}
-GATE_RESULT=/tmp/artifact/trivy-gate-result.json
-FLAT_REPORT=/tmp/artifact/trivy-flat-report.json
-
-# Thresholds
-FAIL_ON_CRITICAL=\${FAIL_ON_CRITICAL:-1}
-FAIL_ON_HIGH=\${FAIL_ON_HIGH:-0}
-FAIL_ON_MEDIUM=\${FAIL_ON_MEDIUM:-0}
-FAIL_ON_SECRET=\${FAIL_ON_SECRET:-1}
-
-log "--- Parsing Trivy Results ---"
-
-# 1. FLATTEN THE DATA
-if [ -f "\$VULN_JSON" ]; then
-    log "Flattening vulnerability report..."
-    jq '[.Results[] | .Target as \$t | .Vulnerabilities[]? | . + {"Target": \$t}]' "\$VULN_JSON" > "\$FLAT_REPORT"
-else
-    log "No vulnerability report found. Assuming 0 vulnerabilities."
-    echo "[]" > "\$FLAT_REPORT"
-fi
-
-# 2. ANALYZE SEVERITY
-critical=\$(jq '[.[] | select(.Severity=="CRITICAL")] | length' "\$FLAT_REPORT")
-high=\$(jq '[.[] | select(.Severity=="HIGH")] | length' "\$FLAT_REPORT")
-medium=\$(jq '[.[] | select(.Severity=="MEDIUM")] | length' "\$FLAT_REPORT")
-
-if [ -f "\$SECRET_JSON" ]; then
-    secrets=\$(jq '[.Results[].Secrets[]?] | length' "\$SECRET_JSON" 2>/dev/null || echo 0)
-else
-    secrets=0
-fi
-
-log "Analysis Complete: CRITICAL=\$critical HIGH=\$high MEDIUM=\$medium SECRETS=\$secrets"
-
-# 3. DETAILED LOGGING
-if [ "\$critical" -gt 0 ]; then
-    log "!!! CRITICAL VULNERABILITIES FOUND !!!"
-    jq -r '.[] | select(.Severity=="CRITICAL") | "  - [\$t] \(.PkgName) (\(.VulnerabilityID)) in \(.Target)"' "\$FLAT_REPORT"
-fi
-
-# 4. DECISION LOGIC
-BLOCK=false
-REASON="none"
-
-if [ "\$FAIL_ON_CRITICAL" -eq 1 ] && [ "\$critical" -gt 0 ]; then BLOCK=true; REASON="critical"; fi
-if [ "\$FAIL_ON_HIGH" -eq 1 ] && [ "\$high" -gt 0 ]; then BLOCK=true; REASON="high"; fi
-if [ "\$FAIL_ON_SECRET" -eq 1 ] && [ "\$secrets" -gt 0 ]; then BLOCK=true; REASON="secrets"; fi
-
-printf '{"critical":%d,"high":%d,"medium":%d,"secrets":%d,"block":%s,"reason":"%s"}\n' "\$critical" "\$high" "\$medium" "\$secrets" "\$BLOCK" "\$REASON" > "\$GATE_RESULT"
-
-if [ "\$BLOCK" = "true" ]; then
-    log "GATE FAILED: Blocking due to \$REASON severity."
-    exit 1
-else
-    log "GATE PASSED."
-    exit 0
-fi
-EOF
+# Copy Enhanced Gate Script with Logging
+COPY trivy-gate.sh /usr/local/bin/trivy-gate.sh
 RUN chmod +x /usr/local/bin/trivy-gate.sh
 
 # Run the Gate and Capture Log

python-versions/trivy-gate.sh

@@ -0,0 +1,69 @@
+#!/bin/sh
+set +e
+
+# Logging Helper
+log() {
+    echo "[$(date +'%Y-%m-%d %H:%M:%S')] $1"
+}
+
+# Inputs
+VULN_JSON=${1:-/tmp/artifact/trivy-${PYTHON_VERSION}-${TARGETARCH}-vuln.json}
+SECRET_JSON=${2:-/tmp/artifact/trivy-${PYTHON_VERSION}-${TARGETARCH}-secret.json}
+GATE_RESULT=/tmp/artifact/trivy-gate-result.json
+FLAT_REPORT=/tmp/artifact/trivy-flat-report.json
+
+# Thresholds
+FAIL_ON_CRITICAL=${FAIL_ON_CRITICAL:-1}
+FAIL_ON_HIGH=${FAIL_ON_HIGH:-0}
+FAIL_ON_MEDIUM=${FAIL_ON_MEDIUM:-0}
+FAIL_ON_SECRET=${FAIL_ON_SECRET:-1}
+
+log "--- Parsing Trivy Results ---"
+
+# 1. FLATTEN THE DATA
+if [ -f "$VULN_JSON" ]; then
+    log "Flattening vulnerability report..."
+    jq '[.Results[] | .Target as $t | .Vulnerabilities[]? | . + {"Target": $t}]' "$VULN_JSON" > "$FLAT_REPORT"
+else
+    log "No vulnerability report found. Assuming 0 vulnerabilities."
+    echo "[]" > "$FLAT_REPORT"
+fi
+
+# 2. ANALYZE SEVERITY
+critical=$(jq '[.[] | select(.Severity=="CRITICAL")] | length' "$FLAT_REPORT")
+high=$(jq '[.[] | select(.Severity=="HIGH")] | length' "$FLAT_REPORT")
+medium=$(jq '[.[] | select(.Severity=="MEDIUM")] | length' "$FLAT_REPORT")
+
+if [ -f "$SECRET_JSON" ]; then
+    secrets=$(jq '[.Results[].Secrets[]?] | length' "$SECRET_JSON" 2>/dev/null || echo 0)
+else
+    secrets=0
+fi
+
+log "Analysis Complete: CRITICAL=$critical HIGH=$high MEDIUM=$medium SECRETS=$secrets"
+
+# 3. DETAILED LOGGING
+if [ "$critical" -gt 0 ]; then
+    log "!!! CRITICAL VULNERABILITIES FOUND !!!"
+    jq -r '.[] | select(.Severity=="CRITICAL") | "  - [$t] \(.PkgName) (\(.VulnerabilityID)) in \(.Target)"' "$FLAT_REPORT"
+fi
+
+# 4. DECISION LOGIC
+BLOCK=false
+REASON="none"
+
+# Check in priority order: CRITICAL > HIGH > MEDIUM > SECRETS
+if [ "$FAIL_ON_CRITICAL" -eq 1 ] && [ "$critical" -gt 0 ]; then BLOCK=true; REASON="critical"; fi
+if [ "$FAIL_ON_HIGH" -eq 1 ] && [ "$high" -gt 0 ] && [ "$REASON" = "none" ]; then BLOCK=true; REASON="high"; fi
+if [ "$FAIL_ON_MEDIUM" -eq 1 ] && [ "$medium" -gt 0 ] && [ "$REASON" = "none" ]; then BLOCK=true; REASON="medium"; fi
+if [ "$FAIL_ON_SECRET" -eq 1 ] && [ "$secrets" -gt 0 ] && [ "$REASON" = "none" ]; then BLOCK=true; REASON="secrets"; fi
+
+printf '{"critical":%d,"high":%d,"medium":%d,"secrets":%d,"block":%s,"reason":"%s"}\n' "$critical" "$high" "$medium" "$secrets" "$BLOCK" "$REASON" > "$GATE_RESULT"
+
+if [ "$BLOCK" = "true" ]; then
+    log "GATE FAILED: Blocking due to $REASON severity."
+    exit 1
+else
+    log "GATE PASSED."
+    exit 0
+fi