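#!/usr/bin/env bash
#
# Checks a Docker image hosted on Google Container Registry for known package
# vulnerabilities and refuses the image when any CRITICAL finding is present.
#
# Usage:
#   check-image.sh IMAGE
#   printf '%s' IMAGE | check-image.sh
#
# The image reference is taken from the first argument, or from standard input
# when no argument is given. The script runs
#   gcloud beta container images describe IMAGE --show-package-vulnerability
# and, with jq (installed through the host's package manager when missing),
# prints the related URLs grouped by severity followed by a per-severity count
# summary.
#
# Exit status: 0 when the scan reports no CRITICAL vulnerabilities; 1 on
# missing input, an unsupported distribution, a failed jq install, a failed
# scan, scan output without vulnerability data, or a CRITICAL count above 0.
# Every failure along the way is fatal on purpose: a gate that exits 0 when
# the scanner itself breaks would let unscanned images through.
set -eu -o pipefail

# Prints its arguments to stderr and exits with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if [ -z "${1:-}" ]; then
  # No argument: read the image reference from standard input.
  IMAGE=$(cat -)
else
  IMAGE="$1"
fi

[ -n "$IMAGE" ] \
  || die "Error: no image reference given (pass it as the first argument or on stdin)."

# Detect the Linux distribution so jq can be installed with the right package manager.
[ -r /etc/os-release ] || die "Unsupported distribution: /etc/os-release not readable"
if grep -iq "alpine" /etc/os-release; then
  distro="alpine"
elif grep -iqE "debian|ubuntu" /etc/os-release; then
  distro="debian"
elif grep -iqE "centos|fedora" /etc/os-release; then
  distro="redhat"
else
  die "Unsupported distribution"
fi

# Install jq if not already installed. The explicit re-check afterwards turns a
# failed install into a hard error instead of broken jq calls further down.
if ! command -v jq >/dev/null 2>&1; then
  echo "Installing jq..."
  case "$distro" in
    alpine) apk add jq ;;
    debian) apt-get update && apt-get install -y jq ;;
    redhat) dnf install -y jq ;;
  esac
  command -v jq >/dev/null 2>&1 || die "Error: jq installation failed"
fi

# The beta component provides --show-package-vulnerability. Installing it stays
# best-effort as before; if it is genuinely missing, the describe call below
# fails and the script aborts there.
gcloud components install beta --quiet \
  || printf 'warn: could not install the gcloud beta component; continuing\n' >&2

# Split declaration from assignment so a failing gcloud is not masked.
json_output=$(gcloud beta container images describe "${IMAGE}" --show-package-vulnerability --format json) \
  || die "Error: vulnerability scan of ${IMAGE} failed; refusing the image"

# Refuse output that carries no vulnerability data at all: an image whose scan
# has not produced results must not pass as clean. jq -e exits non-zero when the
# expression is false/null or the input is not valid JSON.
# NOTE(review): assumes a completed scan always yields an object (possibly
# empty) under .package_vulnerability_summary.vulnerabilities — confirm against
# the output for a clean image.
printf '%s' "$json_output" \
  | jq -e '.package_vulnerability_summary.vulnerabilities | type == "object"' >/dev/null \
  || die "Error: scan output for ${IMAGE} contains no vulnerability data (scan not completed or unparsable); refusing the image"

printf '\nVulnerability URLs:\n'
echo "===================="

# The JSON is piped via printf '%s' rather than an unquoted echo so that its
# content is never word-split or glob-expanded by the shell.
printf '%s' "$json_output" \
  | jq '.package_vulnerability_summary.vulnerabilities | keys[] as $keys | if (.[$keys] | length) > 0 then "\($keys) " + (.[$keys] | .[].vulnerability.relatedUrls[].url) else "" end' \
  | awk '{ if ( $1 in count ) { print "\t- " $0; count[$1]++ } else { print $1; print "\t- " $0; count[$1] = 1 } }' \
  || die "Error: could not extract vulnerability URLs from the scan output"

severities=$(printf '%s' "$json_output" \
  | jq -r '.package_vulnerability_summary.vulnerabilities | keys[] as $keys | ($keys) + ": "  + (.[$keys] | length | tostring)')
printf '\nSummary\n'
echo "=========="
printf '%s\n' "$severities"

# Gate on the CRITICAL count read directly from the JSON rather than re-parsed
# from the printed summary text. A missing CRITICAL key counts as 0.
critical=$(printf '%s' "$json_output" \
  | jq -r '.package_vulnerability_summary.vulnerabilities.CRITICAL // [] | length')
if [ "$critical" -gt 0 ]; then
  printf '\nERROR: There is a CRITICAL vulnerabilities in the docker image that is generated. Please check if this can be fixed\n' >&2
  exit 1
fi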
