Merge pull request #1998 from nodiscc/trivy-repo-scan
tools/CI: scan repository with trivy security scanner (yarn.lock, composer.lock)
This commit is contained in:
commit
d24fc65695
4 changed files with 38 additions and 13 deletions
9
.github/workflows/ci.yml
vendored
9
.github/workflows/ci.yml
vendored
|
@ -98,3 +98,12 @@ jobs:
|
|||
|
||||
- name: Build documentation
|
||||
run: mkdocs build --clean
|
||||
|
||||
trivy-repo:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run trivy scanner on repository (non-blocking)
|
||||
run: make test_trivy_repo TRIVY_EXIT_CODE=0
|
||||
|
|
4
.github/workflows/docker-latest.yml
vendored
4
.github/workflows/docker-latest.yml
vendored
|
@ -41,5 +41,5 @@ jobs:
|
|||
ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
|
||||
- name: Image digest
|
||||
run: echo ${{ steps.docker_build.outputs.digest }}
|
||||
- name: Run trivy image scanner
|
||||
run: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
|
||||
- name: Run trivy scanner on latest docker image
|
||||
run: make test_trivy_docker TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
|
||||
|
|
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -26,6 +26,7 @@ sandbox
|
|||
phpmd.html
|
||||
phpdoc.xml
|
||||
.phpunit.result.cache
|
||||
trivy
|
||||
|
||||
# User plugin configuration
|
||||
plugins/*
|
||||
|
|
37
Makefile
37
Makefile
|
@ -82,15 +82,6 @@ locale_test_%:
|
|||
--bootstrap tests/languages/bootstrap.php \
|
||||
--testsuite language-$(firstword $(subst _, ,$*))
|
||||
|
||||
# trivy version (https://github.com/aquasecurity/trivy/releases)
|
||||
TRIVY_VERSION=0.39.0
|
||||
# default docker image to scan with trivy
|
||||
TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
|
||||
test_trivy:
|
||||
wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
|
||||
tar -zxf trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
|
||||
./trivy image $(TRIVY_TARGET_DOCKER_IMAGE)
|
||||
|
||||
all_tests: test locale_test_de_DE locale_test_en_US locale_test_fr_FR
|
||||
@# --The current version is not compatible with PHP 7.2
|
||||
@#$(BIN)/phpcov merge --html coverage coverage
|
||||
|
@ -156,7 +147,7 @@ release_zip: composer_dependencies htmldoc translate build_frontend
|
|||
### remove all unversioned files
|
||||
clean:
|
||||
@git clean -df
|
||||
@rm -rf sandbox
|
||||
@rm -rf sandbox trivy*
|
||||
|
||||
### generate the AUTHORS file from Git commit information
|
||||
generate_authors:
|
||||
|
@ -178,7 +169,6 @@ htmldoc:
|
|||
find doc/html/ -type f -exec chmod a-x '{}' \;
|
||||
rm -r venv
|
||||
|
||||
|
||||
### Generate Shaarli's translation compiled file (.mo)
|
||||
translate:
|
||||
@echo "----------------------"
|
||||
|
@ -198,3 +188,28 @@ eslint:
|
|||
### Run CSSLint check against Shaarli's SCSS files
|
||||
sasslint:
|
||||
@yarnpkg run stylelint --config .dev/.stylelintrc.js 'assets/default/scss/*.scss'
|
||||
|
||||
##
|
||||
# Security scans
|
||||
##
|
||||
|
||||
# trivy version (https://github.com/aquasecurity/trivy/releases)
|
||||
TRIVY_VERSION=0.43.0
|
||||
# default trivy exit code when vulnerabilities are found
|
||||
TRIVY_EXIT_CODE=1
|
||||
# default docker image to scan with trivy
|
||||
TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
|
||||
|
||||
### download trivy vulneravbility scanner
|
||||
download_trivy:
|
||||
wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
|
||||
tar -z -x trivy -f trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
|
||||
|
||||
### run trivy vulnerability scanner on docker image
|
||||
test_trivy_docker: download_trivy
|
||||
./trivy --exit-code $(TRIVY_EXIT_CODE) image $(TRIVY_TARGET_DOCKER_IMAGE)
|
||||
|
||||
### run trivy vulnerability scanner on composer/yarn dependency trees
|
||||
test_trivy_repo: download_trivy
|
||||
./trivy --exit-code $(TRIVY_EXIT_CODE) fs composer.lock
|
||||
./trivy --exit-code $(TRIVY_EXIT_CODE) fs yarn.lock
|
||||
|
|
Loading…
Reference in a new issue