From 9a0af653128a6631c28305f207a17c67a9d35fe9 Mon Sep 17 00:00:00 2001 From: Matthew Casperson Date: Tue, 2 Dec 2025 05:20:20 +1000 Subject: [PATCH 1/2] Update sbom-scan.json to increment version and add zipping of depscan-bom.json files --- step-templates/sbom-scan.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/step-templates/sbom-scan.json b/step-templates/sbom-scan.json index 4412f106..b9f50344 100644 --- a/step-templates/sbom-scan.json +++ b/step-templates/sbom-scan.json @@ -3,7 +3,7 @@ "Name": "Scan for Vulnerabilities", "Description": "This step extracts the Docker image, finds any bom.json files, and scans them for vulnerabilities using Trivy.", "ActionType": "Octopus.Script", - "Version": 2, + "Version": 3, "CommunityActionTemplateId": null, "Packages": [ { @@ -24,7 +24,7 @@ "OctopusUseBundledTooling": "False", "Octopus.Action.Script.ScriptSource": "Inline", "Octopus.Action.Script.Syntax": "PowerShell", - "Octopus.Action.Script.ScriptBody": "Write-Host \"Pulling Trivy Docker Image\"\nWrite-Host \"##octopus[stdout-verbose]\"\ndocker pull ghcr.io/aquasecurity/trivy\nWrite-Host \"##octopus[stdout-default]\"\n\n$SUCCESS = 0\n\nWrite-Host \"##octopus[stdout-verbose]\"\nGet-ChildItem -Path \".\" | Out-String\nWrite-Host \"##octopus[stdout-default]\"\n\n# Find all bom.json files\n$bomFiles = Get-ChildItem -Path \".\" -Filter \"bom.json\" -Recurse -File\n\nif ($bomFiles.Count -eq 0) {\n Write-Host \"No bom.json files found in the current directory.\"\n exit 0\n}\n\nforeach ($file in $bomFiles) {\n Write-Host \"Scanning $($file.FullName)\"\n\n # Delete any existing report file\n if (Test-Path \"$PWD/depscan-bom.json\") {\n Remove-Item \"$PWD/depscan-bom.json\" -Force\n }\n\n # Generate the report, capturing the output\n try {\n $OUTPUT = docker run --rm -v \"$($file.FullName):/input/$($file.Name)\" ghcr.io/aquasecurity/trivy sbom -q \"/input/$($file.Name)\"\n $exitCode = $LASTEXITCODE\n }\n catch {\n $OUTPUT = $_.Exception.Message\n $exitCode = 1\n }\n\n # Run again to generate the JSON output\n docker run --rm -v \"${PWD}:/output\" -v \"$($file.FullName):/input/$($file.Name)\" ghcr.io/aquasecurity/trivy sbom -q -f json -o /output/depscan-bom.json \"/input/$($file.Name)\"\n\n # Octopus Deploy artifact\n New-OctopusArtifact \"$PWD/depscan-bom.json\"\n\n # Parse JSON output to count vulnerabilities\n $jsonContent = Get-Content -Path \"depscan-bom.json\" | ConvertFrom-Json\n $CRITICAL = ($jsonContent.Results | ForEach-Object { $_.Vulnerabilities } | Where-Object { $_.Severity -eq \"CRITICAL\" }).Count\n $HIGH = ($jsonContent.Results | ForEach-Object { $_.Vulnerabilities } | Where-Object { $_.Severity -eq \"HIGH\" }).Count\n\n if (\"#{Octopus.Environment.Name}\" -eq \"Security\") {\n Write-Highlight \"\uD83D\uDFE5 $CRITICAL critical vulnerabilities\"\n Write-Highlight \"\uD83D\uDFE7 $HIGH high vulnerabilities\"\n }\n\n # Set success to 1 if exit code is not zero\n if ($exitCode -ne 0) {\n $SUCCESS = 1\n }\n\n # Print the output\n $OUTPUT | ForEach-Object {\n if ($_.Length -gt 0) {\n Write-Host $_\n }\n }\n}\n\n# Cleanup\nfor ($i = 1; $i -le 10; $i++) {\n try {\n if (Test-Path \"bundle\") {\n Set-ItemProperty -Path \"bundle\" -Name IsReadOnly -Value $false -Recurse -ErrorAction SilentlyContinue\n Remove-Item -Path \"bundle\" -Recurse -Force -ErrorAction Stop\n break\n }\n }\n catch {\n Write-Host \"Attempting to clean up files\"\n Start-Sleep -Seconds 1\n }\n}\n\n# Set Octopus variable\nSet-OctopusVariable -Name \"VerificationResult\" -Value $SUCCESS\n\nexit 0" + "Octopus.Action.Script.ScriptBody": "Write-Host \"Pulling Trivy Docker Image\"\nWrite-Host \"##octopus[stdout-verbose]\"\ndocker pull ghcr.io/aquasecurity/trivy\nWrite-Host \"##octopus[stdout-default]\"\n\n$SUCCESS = 0\n\nWrite-Host \"##octopus[stdout-verbose]\"\nGet-ChildItem -Path \".\" | Out-String\nWrite-Host \"##octopus[stdout-default]\"\n\n# Find all bom.json files\n$bomFiles = Get-ChildItem -Path \".\" -Filter \"bom.json\" -Recurse -File\n\nif ($bomFiles.Count -eq 0) {\n Write-Host \"No bom.json files found in the current directory.\"\n exit 0\n}\n\nforeach ($file in $bomFiles) {\n Write-Host \"Scanning $($file.FullName)\"\n\n # Delete any existing report file\n if (Test-Path \"$PWD/depscan-bom.json\") {\n Remove-Item \"$PWD/depscan-bom.json\" -Force\n }\n\n # Generate the report, capturing the output\n try {\n $OUTPUT = docker run --rm -v \"$($file.FullName):/input/$($file.Name)\" ghcr.io/aquasecurity/trivy sbom -q \"/input/$($file.Name)\"\n $exitCode = $LASTEXITCODE\n }\n catch {\n $OUTPUT = $_.Exception.Message\n $exitCode = 1\n }\n\n # Run again to generate the JSON output\n docker run --rm -v \"${PWD}:/output\" -v \"$($file.FullName):/input/$($file.Name)\" ghcr.io/aquasecurity/trivy sbom -q -f json -o /output/depscan-bom.json \"/input/$($file.Name)\"\n\n # Parse JSON output to count vulnerabilities\n $jsonContent = Get-Content -Path \"depscan-bom.json\" | ConvertFrom-Json\n $CRITICAL = ($jsonContent.Results | ForEach-Object { $_.Vulnerabilities } | Where-Object { $_.Severity -eq \"CRITICAL\" }).Count\n $HIGH = ($jsonContent.Results | ForEach-Object { $_.Vulnerabilities } | Where-Object { $_.Severity -eq \"HIGH\" }).Count\n\n if (\"#{Octopus.Environment.Name}\" -eq \"Security\") {\n Write-Highlight \"\uD83D\uDFE5 $CRITICAL critical vulnerabilities\"\n Write-Highlight \"\uD83D\uDFE7 $HIGH high vulnerabilities\"\n }\n\n # Set success to 1 if exit code is not zero\n if ($exitCode -ne 0) {\n $SUCCESS = 1\n }\n\n # Print the output\n $OUTPUT | ForEach-Object {\n if ($_.Length -gt 0) {\n Write-Host $_\n }\n }\n}\n\n# Find all depscan-bom.json files recursively\n$depscanFiles = Get-ChildItem -Path \".\" -Filter \"depscan-bom.json\" -Recurse -File\n\nif ($depscanFiles.Count -gt 0) {\n $zipPath = \"$PWD/depscan-bom.zip\"\n \n # Remove existing zip if present\n if (Test-Path $zipPath) {\n Remove-Item $zipPath -Force\n }\n \n # Compress all found files into the zip\n Compress-Archive -Path $depscanFiles.FullName -DestinationPath $zipPath\n\n # Octopus Deploy artifact\n New-OctopusArtifact $zipPath\n \n} else {\n Write-Host \"No depscan-bom.json files found to zip.\"\n}\n\n# Cleanup\nfor ($i = 1; $i -le 10; $i++) {\n try {\n if (Test-Path \"bundle\") {\n Set-ItemProperty -Path \"bundle\" -Name IsReadOnly -Value $false -Recurse -ErrorAction SilentlyContinue\n Remove-Item -Path \"bundle\" -Recurse -Force -ErrorAction Stop\n break\n }\n }\n catch {\n Write-Host \"Attempting to clean up files\"\n Start-Sleep -Seconds 1\n }\n}\n\n# Set Octopus variable\nSet-OctopusVariable -Name \"VerificationResult\" -Value $SUCCESS\n\nexit 0" }, "Parameters": [ { From 2eb003f07e78d85d5cc6247f30277fec5d4cfb9b Mon Sep 17 00:00:00 2001 From: Matthew Casperson Date: Tue, 2 Dec 2025 06:10:58 +1000 Subject: [PATCH 2/2] Update sbom-scan.json to adjust output paths for depscan-bom.json and improve zipping process --- step-templates/sbom-scan.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/step-templates/sbom-scan.json b/step-templates/sbom-scan.json index b9f50344..d03a409d 100644 --- a/step-templates/sbom-scan.json +++ b/step-templates/sbom-scan.json @@ -24,7 +24,7 @@ "OctopusUseBundledTooling": "False", "Octopus.Action.Script.ScriptSource": "Inline", "Octopus.Action.Script.Syntax": "PowerShell", - "Octopus.Action.Script.ScriptBody": "Write-Host \"Pulling Trivy Docker Image\"\nWrite-Host \"##octopus[stdout-verbose]\"\ndocker pull ghcr.io/aquasecurity/trivy\nWrite-Host \"##octopus[stdout-default]\"\n\n$SUCCESS = 0\n\nWrite-Host \"##octopus[stdout-verbose]\"\nGet-ChildItem -Path \".\" | Out-String\nWrite-Host \"##octopus[stdout-default]\"\n\n# Find all bom.json files\n$bomFiles = Get-ChildItem -Path \".\" -Filter \"bom.json\" -Recurse -File\n\nif ($bomFiles.Count -eq 0) {\n Write-Host \"No bom.json files found in the current directory.\"\n exit 0\n}\n\nforeach ($file in $bomFiles) {\n Write-Host \"Scanning $($file.FullName)\"\n\n # Delete any existing report file\n if (Test-Path \"$PWD/depscan-bom.json\") {\n Remove-Item \"$PWD/depscan-bom.json\" -Force\n }\n\n # Generate the report, capturing the output\n try {\n $OUTPUT = docker run --rm -v \"$($file.FullName):/input/$($file.Name)\" ghcr.io/aquasecurity/trivy sbom -q \"/input/$($file.Name)\"\n $exitCode = $LASTEXITCODE\n }\n catch {\n $OUTPUT = $_.Exception.Message\n $exitCode = 1\n }\n\n # Run again to generate the JSON output\n docker run --rm -v \"${PWD}:/output\" -v \"$($file.FullName):/input/$($file.Name)\" ghcr.io/aquasecurity/trivy sbom -q -f json -o /output/depscan-bom.json \"/input/$($file.Name)\"\n\n # Parse JSON output to count vulnerabilities\n $jsonContent = Get-Content -Path \"depscan-bom.json\" | ConvertFrom-Json\n $CRITICAL = ($jsonContent.Results | ForEach-Object { $_.Vulnerabilities } | Where-Object { $_.Severity -eq \"CRITICAL\" }).Count\n $HIGH = ($jsonContent.Results | ForEach-Object { $_.Vulnerabilities } | Where-Object { $_.Severity -eq \"HIGH\" }).Count\n\n if (\"#{Octopus.Environment.Name}\" -eq \"Security\") {\n Write-Highlight \"\uD83D\uDFE5 $CRITICAL critical vulnerabilities\"\n Write-Highlight \"\uD83D\uDFE7 $HIGH high vulnerabilities\"\n }\n\n # Set success to 1 if exit code is not zero\n if ($exitCode -ne 0) {\n $SUCCESS = 1\n }\n\n # Print the output\n $OUTPUT | ForEach-Object {\n if ($_.Length -gt 0) {\n Write-Host $_\n }\n }\n}\n\n# Find all depscan-bom.json files recursively\n$depscanFiles = Get-ChildItem -Path \".\" -Filter \"depscan-bom.json\" -Recurse -File\n\nif ($depscanFiles.Count -gt 0) {\n $zipPath = \"$PWD/depscan-bom.zip\"\n \n # Remove existing zip if present\n if (Test-Path $zipPath) {\n Remove-Item $zipPath -Force\n }\n \n # Compress all found files into the zip\n Compress-Archive -Path $depscanFiles.FullName -DestinationPath $zipPath\n\n # Octopus Deploy artifact\n New-OctopusArtifact $zipPath\n \n} else {\n Write-Host \"No depscan-bom.json files found to zip.\"\n}\n\n# Cleanup\nfor ($i = 1; $i -le 10; $i++) {\n try {\n if (Test-Path \"bundle\") {\n Set-ItemProperty -Path \"bundle\" -Name IsReadOnly -Value $false -Recurse -ErrorAction SilentlyContinue\n Remove-Item -Path \"bundle\" -Recurse -Force -ErrorAction Stop\n break\n }\n }\n catch {\n Write-Host \"Attempting to clean up files\"\n Start-Sleep -Seconds 1\n }\n}\n\n# Set Octopus variable\nSet-OctopusVariable -Name \"VerificationResult\" -Value $SUCCESS\n\nexit 0" + "Octopus.Action.Script.ScriptBody": "Write-Host \"Pulling Trivy Docker Image\"\nWrite-Host \"##octopus[stdout-verbose]\"\ndocker pull ghcr.io/aquasecurity/trivy\nWrite-Host \"##octopus[stdout-default]\"\n\n$SUCCESS = 0\n\nWrite-Host \"##octopus[stdout-verbose]\"\nGet-ChildItem -Path \".\" | Out-String\nWrite-Host \"##octopus[stdout-default]\"\n\n# Find all bom.json files\n$bomFiles = Get-ChildItem -Path \".\" -Filter \"bom.json\" -Recurse -File\n\nif ($bomFiles.Count -eq 0) {\n Write-Host \"No bom.json files found in the current directory.\"\n exit 0\n}\n\nforeach ($file in $bomFiles) {\n Write-Host \"Scanning $($file.FullName)\"\n\n # Delete any existing report file\n if (Test-Path \"$($file.FullName)/depscan-bom.json\") {\n Remove-Item \"$($file.FullName)/depscan-bom.json\" -Force\n }\n\n # Generate the report, capturing the output\n try {\n $OUTPUT = docker run --rm -v \"$($file.FullName):/input/$($file.Name)\" ghcr.io/aquasecurity/trivy sbom -q \"/input/$($file.Name)\"\n $exitCode = $LASTEXITCODE\n }\n catch {\n $OUTPUT = $_.Exception.Message\n $exitCode = 1\n }\n\n # Run again to generate the JSON output in the same directory as the bom.json file\n docker run --rm -v \"$($file.DirectoryName):/output\" -v \"$($file.FullName):/input/$($file.Name)\" ghcr.io/aquasecurity/trivy sbom -q -f json -o /output/depscan-bom.json \"/input/$($file.Name)\"\n\n # Parse JSON output to count vulnerabilities\n $jsonContent = Get-Content -Path \"$($file.DirectoryName)/depscan-bom.json\" | ConvertFrom-Json\n $CRITICAL = ($jsonContent.Results | ForEach-Object { $_.Vulnerabilities } | Where-Object { $_.Severity -eq \"CRITICAL\" }).Count\n $HIGH = ($jsonContent.Results | ForEach-Object { $_.Vulnerabilities } | Where-Object { $_.Severity -eq \"HIGH\" }).Count\n\n if (\"#{Octopus.Environment.Name}\" -eq \"Security\") {\n Write-Highlight \"\uD83D\uDFE5 $CRITICAL critical vulnerabilities\"\n Write-Highlight \"\uD83D\uDFE7 $HIGH high vulnerabilities\"\n }\n\n # Set success to 1 if exit code is not zero\n if ($exitCode -ne 0) {\n $SUCCESS = 1\n }\n\n # Print the output\n $OUTPUT | ForEach-Object {\n if ($_.Length -gt 0) {\n Write-Host $_\n }\n }\n}\n\n# Find all depscan-bom.json files recursively\n$depscanFiles = Get-ChildItem -Path \".\" -Filter \"depscan-bom.json\" -Recurse -File\n\nif ($depscanFiles.Count -gt 0) {\n $zipPath = \"$PWD/depscan-bom.zip\"\n\n # Remove existing zip if present\n if (Test-Path $zipPath) {\n Remove-Item $zipPath -Force\n }\n\n # Create a temporary directory structure and copy files with relative paths\n $tempDir = \"$PWD/temp_zip\"\n\n if (Test-Path $tempDir) {\n Remove-Item $tempDir -Recurse -Force\n }\n\n New-Item -ItemType Directory -Path $tempDir -Force | Out-Null\n\n foreach ($file in $depscanFiles) {\n $relativePath = $file.FullName.Substring($PWD.Path.Length + 1)\n $targetPath = Join-Path $tempDir $relativePath\n $targetDir = Split-Path $targetPath -Parent\n\n Write-Host \"Adding $relativePath to zip\"\n\n if (-not (Test-Path $targetDir)) {\n New-Item -ItemType Directory -Path $targetDir -Force | Out-Null\n }\n\n Copy-Item $file.FullName -Destination $targetPath\n }\n\n # Compress with relative paths\n Compress-Archive -Path \"$tempDir/*\" -DestinationPath $zipPath\n\n # Cleanup temp directory\n Remove-Item $tempDir -Recurse -Force\n\n # Octopus Deploy artifact\n New-OctopusArtifact $zipPath\n\n} else {\n Write-Host \"No depscan-bom.json files found to zip.\"\n}\n\n# Cleanup\nfor ($i = 1; $i -le 10; $i++) {\n try {\n if (Test-Path \"bundle\") {\n Set-ItemProperty -Path \"bundle\" -Name IsReadOnly -Value $false -Recurse -ErrorAction SilentlyContinue\n Remove-Item -Path \"bundle\" -Recurse -Force -ErrorAction Stop\n break\n }\n }\n catch {\n Write-Host \"Attempting to clean up files\"\n Start-Sleep -Seconds 1\n }\n}\n\n# Set Octopus variable\nSet-OctopusVariable -Name \"VerificationResult\" -Value $SUCCESS\n\nexit 0" }, "Parameters": [ {