Implementing Comprehensive Scanning Workflows

Implementing Comprehensive Scanning Workflows

Create a comprehensive scanning workflow that leverages both tools' strengths:

#!/bin/bash
# comprehensive-scan.sh

IMAGE_NAME=$1
REPORT_DIR="./security-reports"
mkdir -p $REPORT_DIR

echo "Starting comprehensive security scan for $IMAGE_NAME"

# Step 1: Quick Trivy scan for immediate feedback
echo "Running Trivy scan..."
trivy image --severity CRITICAL,HIGH --exit-code 1 $IMAGE_NAME
TRIVY_EXIT=$?

# Step 2: Detailed Trivy analysis
trivy image --format json $IMAGE_NAME > $REPORT_DIR/trivy-detailed.json

# Step 3: Snyk scan with remediation advice
echo "Running Snyk scan..."
snyk container test $IMAGE_NAME --json > $REPORT_DIR/snyk-detailed.json
SNYK_EXIT=$?

# Step 4: Generate SBOM
echo "Generating Software Bill of Materials..."
trivy image --format cyclonedx $IMAGE_NAME > $REPORT_DIR/sbom.xml

# Step 5: Create unified report
python3 << EOF
import json

with open('$REPORT_DIR/trivy-detailed.json') as f:
    trivy_data = json.load(f)
    
with open('$REPORT_DIR/snyk-detailed.json') as f:
    snyk_data = json.load(f)

# Combine and analyze results
vuln_summary = {
    'image': '$IMAGE_NAME',
    'trivy_critical': len([v for r in trivy_data.get('Results', []) 
                          for v in r.get('Vulnerabilities', []) 
                          if v['Severity'] == 'CRITICAL']),
    'snyk_critical': len([v for v in snyk_data.get('vulnerabilities', []) 
                         if v['severity'] == 'critical']),
    'scan_date': trivy_data.get('CreatedAt', 'Unknown')
}

print(json.dumps(vuln_summary, indent=2))
EOF

# Exit with failure if either scanner found critical issues
if [ $TRIVY_EXIT -ne 0 ] || [ $SNYK_EXIT -ne 0 ]; then
    echo "Critical vulnerabilities found!"
    exit 1
fi