tools/CI: scan repository with trivy security scanner (yarn.lock, composer.lock)

- run scan on each push/pull request update
- can be run locally using make test_trivy_repo
- exit with error code 0/success when vulnerabilities are found,  as not to make the workflow fail, a separate periodic run that exits with code 1 should be added in parallel
- update trivy to v0.43.0
- https://github.com/aquasecurity/trivy/releases/tag/v0.43.0
- also consider TRIVY_EXIT_CODE when running trivy on the latest docker image
- ref. https://github.com/shaarli/Shaarli/issues/1531
This commit is contained in:
nodiscc 2023-05-21 22:16:48 +02:00
parent 467b28c237
commit 3b5923b7e1
No known key found for this signature in database
GPG key ID: 067FC4266A4B6909
4 changed files with 38 additions and 13 deletions

View file

@ -98,3 +98,12 @@ jobs:
- name: Build documentation
run: mkdocs build --clean
trivy-repo:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Run trivy scanner on repository (non-blocking)
run: make test_trivy_repo TRIVY_EXIT_CODE=0

View file

@ -41,5 +41,5 @@ jobs:
ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
- name: Image digest
run: echo ${{ steps.docker_build.outputs.digest }}
- name: Run trivy image scanner
run: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
- name: Run trivy scanner on latest docker image
run: make test_trivy_docker TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest

1
.gitignore vendored
View file

@ -26,6 +26,7 @@ sandbox
phpmd.html
phpdoc.xml
.phpunit.result.cache
trivy
# User plugin configuration
plugins/*

View file

@ -82,15 +82,6 @@ locale_test_%:
--bootstrap tests/languages/bootstrap.php \
--testsuite language-$(firstword $(subst _, ,$*))
# trivy version (https://github.com/aquasecurity/trivy/releases)
TRIVY_VERSION=0.39.0
# default docker image to scan with trivy
TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
test_trivy:
wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
tar -zxf trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
./trivy image $(TRIVY_TARGET_DOCKER_IMAGE)
all_tests: test locale_test_de_DE locale_test_en_US locale_test_fr_FR
@# --The current version is not compatible with PHP 7.2
@#$(BIN)/phpcov merge --html coverage coverage
@ -156,7 +147,7 @@ release_zip: composer_dependencies htmldoc translate build_frontend
### remove all unversioned files
clean:
@git clean -df
@rm -rf sandbox
@rm -rf sandbox trivy*
### generate the AUTHORS file from Git commit information
generate_authors:
@ -178,7 +169,6 @@ htmldoc:
find doc/html/ -type f -exec chmod a-x '{}' \;
rm -r venv
### Generate Shaarli's translation compiled file (.mo)
translate:
@echo "----------------------"
@ -198,3 +188,28 @@ eslint:
### Run CSSLint check against Shaarli's SCSS files
sasslint:
@yarnpkg run stylelint --config .dev/.stylelintrc.js 'assets/default/scss/*.scss'
##
# Security scans
##
# trivy version (https://github.com/aquasecurity/trivy/releases)
TRIVY_VERSION=0.43.0
# default trivy exit code when vulnerabilities are found
TRIVY_EXIT_CODE=1
# default docker image to scan with trivy
TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
### download trivy vulneravbility scanner
download_trivy:
wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
tar -z -x trivy -f trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
### run trivy vulnerability scanner on docker image
test_trivy_docker: download_trivy
./trivy --exit-code $(TRIVY_EXIT_CODE) image $(TRIVY_TARGET_DOCKER_IMAGE)
### run trivy vulnerability scanner on composer/yarn dependency trees
test_trivy_repo: download_trivy
./trivy --exit-code $(TRIVY_EXIT_CODE) fs composer.lock
./trivy --exit-code $(TRIVY_EXIT_CODE) fs yarn.lock