chore(scripts): add verify-trivy script for version and checksum validation

adilhusain-s · adilhusain-s · commit b6e4b2b39fe2 · 2026-04-29T10:30:01.000Z
Signed-off-by: Adilhusain Shaikh &lt;Adilhusain.Shaikh@ibm.com&gt;
diff --git a/Makefile b/Makefile
@@ -139,17 +139,11 @@ verify-gate:
 
 verify-trivy-version:
 	@echo "--- Verifying Trivy release $(TRIVY_VERSION) ---"
-	@curl -fsSL "https://api.github.com/repos/aquasecurity/trivy/releases/tags/$(TRIVY_VERSION)" >/dev/null || \
-		(echo "ERROR: Trivy release $(TRIVY_VERSION) not found. Set a valid TRIVY_VERSION (or update .trivyversion, e.g. v0.70.0)." && exit 1)
+	@./scripts/verify-trivy.sh tag "$(TRIVY_VERSION)"
 
 verify-trivy-checksums:
 	@echo "--- Verifying pinned Trivy checksums for $(TRIVY_VERSION) ---"
-	@trivy_version="$(TRIVY_VERSION)"; trivy_version="$${trivy_version#v}"; \
-	for arch in 64bit ARM64 PPC64LE s390x; do \
-		asset="trivy_$${trivy_version}_Linux-$${arch}.tar.gz"; \
-		awk -v asset="$${asset}" '{sub(/\r$$/, "", $$2)} $$2 == asset && $$1 ~ /^[0-9a-f]{64}$$/ {found=1} END {exit found ? 0 : 1}' python-versions/trivy-checksums.txt || \
-			(echo "ERROR: Missing pinned checksum for $${asset} in python-versions/trivy-checksums.txt" && exit 1); \
-	done
+	@./scripts/verify-trivy.sh checksums "$(TRIVY_VERSION)"
 # 3. Build Base PowerShell Image
 powershell: $(PS_PREREQS)
 	@echo "--- Building PowerShell Base Image ---"
diff --git a/scripts/verify-trivy.sh b/scripts/verify-trivy.sh
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  echo "Usage: $0 {tag|checksums} <TRIVY_VERSION>" >&2
+  exit 2
+}
+
+if [ $# -lt 2 ]; then
+  usage
+fi
+
+cmd="$1"; shift
+TRIVY_VERSION="$1"
+
+case "$cmd" in
+  tag)
+    # Use GitHub token when available to avoid unauthenticated rate limits in CI
+    url="https://api.github.com/repos/aquasecurity/trivy/releases/tags/${TRIVY_VERSION}"
+    if [ -n "${GITHUB_TOKEN:-}" ]; then
+      curl -fsSL \
+        -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+        -H "User-Agent: curl" \
+        -H "Accept: application/vnd.github+json" \
+        "$url" >/dev/null || {
+        echo "ERROR: Trivy release ${TRIVY_VERSION} not found. Set a valid TRIVY_VERSION (or update .trivyversion, e.g. v0.70.0)." >&2
+        exit 1
+      }
+    else
+      curl -fsSL \
+        -H "User-Agent: curl" \
+        -H "Accept: application/vnd.github+json" \
+        "$url" >/dev/null || {
+        echo "ERROR: Trivy release ${TRIVY_VERSION} not found. Set a valid TRIVY_VERSION (or update .trivyversion, e.g. v0.70.0)." >&2
+        exit 1
+      }
+    fi
+    ;;
+
+  checksums)
+    # Verify pinned checksums file contains entries for expected assets
+    trivy_version="${TRIVY_VERSION#v}"
+    for arch in 64bit ARM64 PPC64LE s390x; do
+      asset="trivy_${trivy_version}_Linux-${arch}.tar.gz"
+      if ! awk -v asset="$asset" '{sub(/\r$$/, "", $2)} $2 == asset && $1 ~ /^[0-9a-f]{64}$/ {found=1} END {exit found ? 0 : 1}' python-versions/trivy-checksums.txt; then
+        echo "ERROR: Missing pinned checksum for ${asset} in python-versions/trivy-checksums.txt" >&2
+        exit 1
+      fi
+    done
+    ;;
+
+  *)
+    usage
+    ;;
+esac
+
+exit 0
