Skip to content

Commit

Permalink
Merge pull request #1998 from nodiscc/trivy-repo-scan
Browse files Browse the repository at this point in the history
tools/CI: scan repository with trivy security scanner (yarn.lock, composer.lock)
  • Loading branch information
nodiscc authored Jul 6, 2023
2 parents c44a0d2 + 3b5923b commit d24fc65
Show file tree
Hide file tree
Showing 4 changed files with 38 additions and 13 deletions.
9 changes: 9 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -98,3 +98,12 @@ jobs:

- name: Build documentation
run: mkdocs build --clean

trivy-repo:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3

- name: Run trivy scanner on repository (non-blocking)
run: make test_trivy_repo TRIVY_EXIT_CODE=0
4 changes: 2 additions & 2 deletions .github/workflows/docker-latest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,5 +41,5 @@ jobs:
ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
- name: Image digest
run: echo ${{ steps.docker_build.outputs.digest }}
- name: Run trivy image scanner
run: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
- name: Run trivy scanner on latest docker image
run: make test_trivy_docker TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ sandbox
phpmd.html
phpdoc.xml
.phpunit.result.cache
trivy

# User plugin configuration
plugins/*
Expand Down
37 changes: 26 additions & 11 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -82,15 +82,6 @@ locale_test_%:
--bootstrap tests/languages/bootstrap.php \
--testsuite language-$(firstword $(subst _, ,$*))

# trivy version (https://github.com/aquasecurity/trivy/releases)
TRIVY_VERSION=0.39.0
# default docker image to scan with trivy
TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
test_trivy:
wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
tar -zxf trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
./trivy image $(TRIVY_TARGET_DOCKER_IMAGE)

all_tests: test locale_test_de_DE locale_test_en_US locale_test_fr_FR
@# --The current version is not compatible with PHP 7.2
@#$(BIN)/phpcov merge --html coverage coverage
Expand Down Expand Up @@ -156,7 +147,7 @@ release_zip: composer_dependencies htmldoc translate build_frontend
### remove all unversioned files
clean:
@git clean -df
@rm -rf sandbox
@rm -rf sandbox trivy*

### generate the AUTHORS file from Git commit information
generate_authors:
Expand All @@ -178,7 +169,6 @@ htmldoc:
find doc/html/ -type f -exec chmod a-x '{}' \;
rm -r venv


### Generate Shaarli's translation compiled file (.mo)
translate:
@echo "----------------------"
Expand All @@ -198,3 +188,28 @@ eslint:
### Run CSSLint check against Shaarli's SCSS files
sasslint:
@yarnpkg run stylelint --config .dev/.stylelintrc.js 'assets/default/scss/*.scss'

##
# Security scans
##

# trivy version (https://github.com/aquasecurity/trivy/releases)
TRIVY_VERSION=0.43.0
# default trivy exit code when vulnerabilities are found
TRIVY_EXIT_CODE=1
# default docker image to scan with trivy
TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest

### download trivy vulneravbility scanner
download_trivy:
wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
tar -z -x trivy -f trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz

### run trivy vulnerability scanner on docker image
test_trivy_docker: download_trivy
./trivy --exit-code $(TRIVY_EXIT_CODE) image $(TRIVY_TARGET_DOCKER_IMAGE)

### run trivy vulnerability scanner on composer/yarn dependency trees
test_trivy_repo: download_trivy
./trivy --exit-code $(TRIVY_EXIT_CODE) fs composer.lock
./trivy --exit-code $(TRIVY_EXIT_CODE) fs yarn.lock

0 comments on commit d24fc65

Please sign in to comment.