Merge pull request #1998 from nodiscc/trivy-repo-scan
tools/CI: scan repository with trivy security scanner (yarn.lock, composer.lock)
This commit is contained in:
commit
d24fc65695
4 changed files with 38 additions and 13 deletions
9
.github/workflows/ci.yml
vendored
9
.github/workflows/ci.yml
vendored
|
@ -98,3 +98,12 @@ jobs:
|
||||||
|
|
||||||
- name: Build documentation
|
- name: Build documentation
|
||||||
run: mkdocs build --clean
|
run: mkdocs build --clean
|
||||||
|
|
||||||
|
trivy-repo:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v3
|
||||||
|
|
||||||
|
- name: Run trivy scanner on repository (non-blocking)
|
||||||
|
run: make test_trivy_repo TRIVY_EXIT_CODE=0
|
||||||
|
|
4
.github/workflows/docker-latest.yml
vendored
4
.github/workflows/docker-latest.yml
vendored
|
@ -41,5 +41,5 @@ jobs:
|
||||||
ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
|
ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
|
||||||
- name: Image digest
|
- name: Image digest
|
||||||
run: echo ${{ steps.docker_build.outputs.digest }}
|
run: echo ${{ steps.docker_build.outputs.digest }}
|
||||||
- name: Run trivy image scanner
|
- name: Run trivy scanner on latest docker image
|
||||||
run: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
|
run: make test_trivy_docker TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
|
||||||
|
|
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -26,6 +26,7 @@ sandbox
|
||||||
phpmd.html
|
phpmd.html
|
||||||
phpdoc.xml
|
phpdoc.xml
|
||||||
.phpunit.result.cache
|
.phpunit.result.cache
|
||||||
|
trivy
|
||||||
|
|
||||||
# User plugin configuration
|
# User plugin configuration
|
||||||
plugins/*
|
plugins/*
|
||||||
|
|
37
Makefile
37
Makefile
|
@ -82,15 +82,6 @@ locale_test_%:
|
||||||
--bootstrap tests/languages/bootstrap.php \
|
--bootstrap tests/languages/bootstrap.php \
|
||||||
--testsuite language-$(firstword $(subst _, ,$*))
|
--testsuite language-$(firstword $(subst _, ,$*))
|
||||||
|
|
||||||
# trivy version (https://github.com/aquasecurity/trivy/releases)
|
|
||||||
TRIVY_VERSION=0.39.0
|
|
||||||
# default docker image to scan with trivy
|
|
||||||
TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
|
|
||||||
test_trivy:
|
|
||||||
wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
|
|
||||||
tar -zxf trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
|
|
||||||
./trivy image $(TRIVY_TARGET_DOCKER_IMAGE)
|
|
||||||
|
|
||||||
all_tests: test locale_test_de_DE locale_test_en_US locale_test_fr_FR
|
all_tests: test locale_test_de_DE locale_test_en_US locale_test_fr_FR
|
||||||
@# --The current version is not compatible with PHP 7.2
|
@# --The current version is not compatible with PHP 7.2
|
||||||
@#$(BIN)/phpcov merge --html coverage coverage
|
@#$(BIN)/phpcov merge --html coverage coverage
|
||||||
|
@ -156,7 +147,7 @@ release_zip: composer_dependencies htmldoc translate build_frontend
|
||||||
### remove all unversioned files
|
### remove all unversioned files
|
||||||
clean:
|
clean:
|
||||||
@git clean -df
|
@git clean -df
|
||||||
@rm -rf sandbox
|
@rm -rf sandbox trivy*
|
||||||
|
|
||||||
### generate the AUTHORS file from Git commit information
|
### generate the AUTHORS file from Git commit information
|
||||||
generate_authors:
|
generate_authors:
|
||||||
|
@ -178,7 +169,6 @@ htmldoc:
|
||||||
find doc/html/ -type f -exec chmod a-x '{}' \;
|
find doc/html/ -type f -exec chmod a-x '{}' \;
|
||||||
rm -r venv
|
rm -r venv
|
||||||
|
|
||||||
|
|
||||||
### Generate Shaarli's translation compiled file (.mo)
|
### Generate Shaarli's translation compiled file (.mo)
|
||||||
translate:
|
translate:
|
||||||
@echo "----------------------"
|
@echo "----------------------"
|
||||||
|
@ -198,3 +188,28 @@ eslint:
|
||||||
### Run CSSLint check against Shaarli's SCSS files
|
### Run CSSLint check against Shaarli's SCSS files
|
||||||
sasslint:
|
sasslint:
|
||||||
@yarnpkg run stylelint --config .dev/.stylelintrc.js 'assets/default/scss/*.scss'
|
@yarnpkg run stylelint --config .dev/.stylelintrc.js 'assets/default/scss/*.scss'
|
||||||
|
|
||||||
|
##
|
||||||
|
# Security scans
|
||||||
|
##
|
||||||
|
|
||||||
|
# trivy version (https://github.com/aquasecurity/trivy/releases)
|
||||||
|
TRIVY_VERSION=0.43.0
|
||||||
|
# default trivy exit code when vulnerabilities are found
|
||||||
|
TRIVY_EXIT_CODE=1
|
||||||
|
# default docker image to scan with trivy
|
||||||
|
TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
|
||||||
|
|
||||||
|
### download trivy vulneravbility scanner
|
||||||
|
download_trivy:
|
||||||
|
wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
|
||||||
|
tar -z -x trivy -f trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
|
||||||
|
|
||||||
|
### run trivy vulnerability scanner on docker image
|
||||||
|
test_trivy_docker: download_trivy
|
||||||
|
./trivy --exit-code $(TRIVY_EXIT_CODE) image $(TRIVY_TARGET_DOCKER_IMAGE)
|
||||||
|
|
||||||
|
### run trivy vulnerability scanner on composer/yarn dependency trees
|
||||||
|
test_trivy_repo: download_trivy
|
||||||
|
./trivy --exit-code $(TRIVY_EXIT_CODE) fs composer.lock
|
||||||
|
./trivy --exit-code $(TRIVY_EXIT_CODE) fs yarn.lock
|
||||||
|
|
Loading…
Reference in a new issue