1+ SHELL  := /bin/bash
2+ 
13OUTDATED_API_DATA_URL =https://raw.githubusercontent.com/aquasecurity/trivy-db-data/refs/heads/main/k8s/api/k8s-outdated-api.json
24OUTDATED_API_CHECK =checks/kubernetes/workloads/outdated_api.rego
35BUNDLE_FILE =bundle.tar.gz
46REGISTRY_PORT =5111
57
6- SED  ?= sed
8+ TRIVY_VERSIONS  := latest v0.67.0 v0.63.0
9+ 
10+ SCHEMAS  := cloud.json dockerfile.json kubernetes.json
11+ SCHEMAS_BASE  := pkg/iac/rego/schemas
712
13+ SED  ?= sed
814ifeq  ($(shell  uname) , Darwin)
915	SED = gsed
1016endif 
@@ -19,11 +25,24 @@ test-integration:
1925
2026.PHONY : download-schemas
2127download-schemas :
22- 	@schemas_path=schemas ;  \ 
23- 	base_url=https://raw.githubusercontent.com/aquasecurity/trivy/main/pkg/iac/rego/schemas ;  \ 
24- 	mkdir -p $$ schemas_path ;  \ 
25- 	for  file  in  cloud.json dockerfile.json kubernetes.json ;  do  \
26- 		wget -q -O $$ schemas_path/$$ file $$ base_url/$$ file ;  \ 
28+ 	@for version in  $(TRIVY_VERSIONS ) ;  do  \ 
29+ 		schemas_path=" schemas/$$ version" ;  \ 
30+ 		if  [ " $$ version"   =  " latest"   ];  then  \
31+ 			base_url=" https://raw.githubusercontent.com/aquasecurity/trivy/main/$( SCHEMAS_BASE) " ;  \ 
32+ 		else  \ 
33+ 		    if  [ -d  " $$ schemas_path"   ];  then  \
34+ 				echo  " Skipping $$ version, schemas already exist" ;  \ 
35+ 				continue ;  \ 
36+ 			fi ;  \ 
37+ 			base_url=" https://raw.githubusercontent.com/aquasecurity/trivy/refs/tags/$$ version/$( SCHEMAS_BASE) " ;  \ 
38+ 		fi ;  \ 
39+ 		echo  " Downloading schemas for $$ version..." ;  \ 
40+ 		mkdir -p $$ schemas_path;  \ 
41+ 		for  file  in  $( SCHEMAS) ;  do  \
42+ 			url=" $$ base_url/$$ file" ;  \ 
43+ 			echo  "   - $$ file" ;  \ 
44+ 			wget -q -O $$ schemas_path/$$ file $$ url ||  { echo  " Failed to download $$ url" ;  exit  1;  };  \ 
45+ 		done ;  \ 
2746	done 
2847
2948.PHONY : rego
@@ -39,7 +58,45 @@ test-rego:
3958
4059.PHONY : check-rego
4160check-rego : download-schemas
42- 	@go run ./cmd/opa check lib checks --v0-v1 --strict -s schemas
61+ 	@go run ./cmd/opa check lib checks --v0-v1 --strict -s schemas/latest
62+ 
63+ .PHONY : check-rego-matrix
64+ check-rego-matrix : download-schemas build-opa
65+ 	@for version in  $(TRIVY_VERSIONS ) ;  do  \ 
66+ 		echo  " Running OPA check for $$ version..." ;  \ 
67+ 		errors=$$(./opa check lib checks --strict -s schemas/$$version -f json --max-errors -1 2>&1 | jq -c '.errors[]?' ) ;  \ 
68+ 		if  [ -z  " $$ errors"   ];  then  \
69+ 			echo  " No errors for $$ version" ;  \ 
70+ 			continue ;  \ 
71+ 		fi ;  \ 
72+ 		errs=" " ;  \ 
73+ 		while  read  -r err;  do  \
74+ 			msg=$$(echo $$err | jq -r '.message' ) ;  \ 
75+ 			file=$$(echo $$err | jq -r '.location.file' ) ;  \ 
76+ 			if  echo  " $$ msg"   |  grep -q ' ^undefined ref' ;  then  \
77+ 				min_version=$$(./opa parse "$$file" -f json --json-include -comments,-locations \  
78+ 					|  jq -r ' .annotations[0]?.custom.minimum_trivy_version'  );  \ 
79+ 				if  [ " $$ min_version"   !=  " null"   ];  then  \
80+ 					ver=$$ {version#v}; \ 
81+ 					cmp=$$(printf "%s\n%s\n" "$$ver" "$$min_version" | sort -V | head -n1 ) ;  \ 
82+ 					if  [ " $$ cmp"   =  " $$ ver"   ] &&  [ " $$ ver"   !=  " $$ min_version"   ];  then  \
83+ 						echo  " Skipping undefined ref in $$ file: matrix version $$ ver < minimum required $$ min_version" ;  \ 
84+ 						continue ;  \ 
85+ 					fi ;  \ 
86+ 				fi ;  \ 
87+ 			fi ;  \ 
88+ 			row=$$(echo $$err | jq -r '.location.row' ) ;  \ 
89+ 			code=$$(echo $$err | jq -r '.code' ) ;  \ 
90+ 			errs=" $$ errs$$ file:$$ row: $$ code: $$ msg\n" ;  \ 
91+ 		done  <<<  " $$errors" ;  \ 
92+ 		if  [ -n  " $$ errs"   ];  then  \
93+ 			echo  " Found remaining errors for $$ version:" ;  \ 
94+ 			echo  " $$ errs" ;  \ 
95+ 			exit  1;  \ 
96+ 		else  \ 
97+ 			echo  " No relevant errors for $$ version" ;  \ 
98+ 		fi ;  \ 
99+ 	done 
43100
44101.PHONY : lint-rego
45102lint-rego : check-rego
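Review bot: The `errors=$$(./opa check … 2>&1 | jq -c '.errors[]?')` line at 67+ turns a failure of the check itself into a pass: if `./opa` cannot run, `schemas/$$version` is missing, or anything non-JSON lands in the merged `2>&1` stream, jq fails to parse, `errors` is empty and the loop prints "No errors for $$version", so a gating target goes green without having checked anything. Because no `pipefail` is set (the file only sets `SHELL := /bin/bash` at 1+), the assignment's status is jq's, so testing it is enough: `errors=$$(./opa check lib checks --strict -s schemas/$$version -f json --max-errors -1 2>&1 | jq -c '.errors[]?') || { echo "opa check for $$version produced no parseable JSON"; exit 1; }; \`. Relying on opa's own exit code instead would presumably not work here, since `opa check` is expected to exit non-zero when it reports lint errors as JSON, which is exactly the case the loop is built to filter. A related partial-state issue sits in the `download-schemas` hunk above: `mkdir -p $$schemas_path` at 40+ runs before any file is fetched, so a run that aborts on a failed `wget` leaves a `schemas/$$version` directory that the `-d` test at 33+ treats as complete on the next invocation.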