Merge pull request #1980 from nodiscc/trivy

tools: run trivy vulnerability scanner on the 'latest' docker image
This commit is contained in:
nodiscc 2023-05-21 18:29:11 +00:00 committed by GitHub
commit f64b4666ea
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 0 deletions

View file

@ -41,3 +41,5 @@ jobs:
ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
- name: Image digest - name: Image digest
run: echo ${{ steps.docker_build.outputs.digest }} run: echo ${{ steps.docker_build.outputs.digest }}
- name: Run trivy image scanner
run: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:trivy

View file

@ -82,6 +82,15 @@ locale_test_%:
--bootstrap tests/languages/bootstrap.php \ --bootstrap tests/languages/bootstrap.php \
--testsuite language-$(firstword $(subst _, ,$*)) --testsuite language-$(firstword $(subst _, ,$*))
# trivy version (https://github.com/aquasecurity/trivy/releases)
TRIVY_VERSION=0.39.0
# default docker image to scan with trivy
TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
test_trivy:
wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
tar -zxf trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
./trivy image $(TRIVY_TARGET_DOCKER_IMAGE)
all_tests: test locale_test_de_DE locale_test_en_US locale_test_fr_FR all_tests: test locale_test_de_DE locale_test_en_US locale_test_fr_FR
@# --The current version is not compatible with PHP 7.2 @# --The current version is not compatible with PHP 7.2
@#$(BIN)/phpcov merge --html coverage coverage @#$(BIN)/phpcov merge --html coverage coverage