Knah-Tsaeb/MyShaarli
Knah-Tsaeb/MyShaarli
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

run trivy vulnerability scanner on the 'latest' docker image

Browse source 
- run trivy from makefile so that it can be run both locally and through github actions
- usage: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=regist.ry/user/image:tag
- tested by downgrading the base image to alpine 3.15.7 and verifying that vulnerabilities are reported (https://github.com/nodiscc/Shaarli/actions/runs/4860040980/jobs/8663400103)
- TEMP/TESTING only push image to ghcr.io, run trivy on trivy branch/docker tag as well as master
- ref. https://github.com/shaarli/Shaarli/issues/1531
This commit is contained in:
nodiscc 2023-05-02 12:15:57 +02:00
parent 88b76c44f7
commit d48e06f438
No known key found for this signature in database
GPG key ID: 067FC4266A4B6909
2 changed files with 21 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
.github/workflows/docker-latest.yml vendored
View file

@ -1,7 +1,7 @@
name: Build/push Docker image (master/latest) name: Build/push Docker image (master/latest)
on: on:
push: push:
branches: [ master ] branches: [ master, trivy ]
jobs: jobs:
docker-build: docker-build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -11,11 +11,11 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v2
- name: Login to DockerHub # - name: Login to DockerHub
uses: docker/login-action@v2 # uses: docker/login-action@v2
with: # with:
username: ${{ secrets.DOCKERHUB_USERNAME }} # username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }} # password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@v2 uses: docker/login-action@v2
with: with:
@ -35,9 +35,11 @@ jobs:
with: with:
context: . context: .
push: true push: true
platforms: linux/amd64,linux/arm64,linux/arm/v7 # tags: |
tags: | # ${{ secrets.DOCKER_IMAGE }}:trivy
${{ secrets.DOCKER_IMAGE }}:latest # ghcr.io/${{ secrets.DOCKER_IMAGE }}:trivy
ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest tags: ghcr.io/${{ secrets.DOCKER_IMAGE }}:trivy
- name: Image digest - name: Image digest
run: echo ${{ steps.docker_build.outputs.digest }} run: echo ${{ steps.docker_build.outputs.digest }}
- name: Run trivy image scanner
run: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:trivy

9
Makefile
View file

@ -82,6 +82,15 @@ locale_test_%:
--bootstrap tests/languages/bootstrap.php \ --bootstrap tests/languages/bootstrap.php \
--testsuite language-$(firstword $(subst _, ,$*)) --testsuite language-$(firstword $(subst _, ,$*))
# trivy version (https://github.com/aquasecurity/trivy/releases)
TRIVY_VERSION=0.39.0
# default docker image to scan with trivy
TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
test_trivy:
wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
tar -zxf trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
./trivy image $(TRIVY_TARGET_DOCKER_IMAGE)
all_tests: test locale_test_de_DE locale_test_en_US locale_test_fr_FR all_tests: test locale_test_de_DE locale_test_en_US locale_test_fr_FR
@# --The current version is not compatible with PHP 7.2 @# --The current version is not compatible with PHP 7.2
@#$(BIN)/phpcov merge --html coverage coverage @#$(BIN)/phpcov merge --html coverage coverage