Scan images using trivy

Author: dirkmueller

tests/test_all.py

@@ -11,6 +11,7 @@
 from pytest_container import get_extra_run_args
 from pytest_container import MultiStageBuild
 from pytest_container.container import ContainerData
+from pytest_container.runtime import LOCALHOST
 
 from bci_tester.data import ALL_CONTAINERS
 from bci_tester.data import BUSYBOX_CONTAINER
@@ -20,6 +21,7 @@
 from bci_tester.data import OS_VERSION
 from bci_tester.data import PCP_CONTAINER
 from bci_tester.data import POSTGRESQL_CONTAINERS
+from bci_tester.runtime_choice import DOCKER_SELECTED
 
 CONTAINER_IMAGES = ALL_CONTAINERS
 
@@ -170,6 +172,33 @@ def test_zypper_verify_passes(container_per_test: ContainerData) -> None:
     )
 
 
+@pytest.mark.skipif(
+    DOCKER_SELECTED, reason="Trivy-Scan images only with podman"
+)
+@pytest.mark.skipif(
+    LOCALHOST.system_info.arch not in ("x86_64",),
+    reason=f"{LOCALHOST.system_info.arch} is not supported to run trivy",
+)
+def test_trivy_image_scan(host, auto_container: ContainerData) -> None:
+    """Check that trivy image is able to scan the container."""
+
+    trivy_container = "docker.io/aquasec/trivy:latest"
+    baseurl = auto_container.container.baseurl
+    if not baseurl:
+        pytest.skip(
+            reason=f"container {auto_container.container} has no baseurl"
+        )
+
+    host.run_expect(
+        [0],
+        (
+            f"podman run -v trivy:/root {trivy_container} image {baseurl} "
+            "--exit-code 1 --exit-on-eol 2 -f template "
+            "--template '@contrib/sarif.tpl'"
+        ),
+    )
+
+
 @pytest.mark.parametrize(
     "container",
     [