From 3b5923b7e18cdc487b510445fc320400429efd36 Mon Sep 17 00:00:00 2001
From: nodiscc
Date: Sun, 21 May 2023 22:16:48 +0200
Subject: [PATCH] tools/CI: scan repository with trivy security scanner (yarn.lock, composer.lock)

- run scan on each push/pull request update
- can be run locally using make test_trivy_repo
- exit with error code 0/success when vulnerabilities are found, as not to make the workflow fail, a separate periodic run that exits with code 1 should be added in parallel
- update trivy to v0.43.0 - https://github.com/aquasecurity/trivy/releases/tag/v0.43.0
- also consider TRIVY_EXIT_CODE when running trivy on the latest docker image
- ref. https://github.com/shaarli/Shaarli/issues/1531
---
 .github/workflows/ci.yml | 9 +++++++
 .github/workflows/docker-latest.yml | 4 ++--
 .gitignore | 1 +
 Makefile | 37 ++++++++++++++++++++---------
 4 files changed, 38 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 81547154e..bdb058a58 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -98,3 +98,12 @@ jobs:
       - name: Build documentation
         run: mkdocs build --clean
+
+  trivy-repo:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Run trivy scanner on repository (non-blocking)
+        run: make test_trivy_repo TRIVY_EXIT_CODE=0
diff --git a/.github/workflows/docker-latest.yml b/.github/workflows/docker-latest.yml
index bce2d4c0e..ad885b6a4 100644
--- a/.github/workflows/docker-latest.yml
+++ b/.github/workflows/docker-latest.yml
@@ -41,5 +41,5 @@ jobs:
             ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}
-      - name: Run trivy image scanner
-        run: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
+      - name: Run trivy scanner on latest docker image
+        run: make test_trivy_docker TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
diff --git a/.gitignore b/.gitignore
index de11480fb..8216ed15a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,6 +26,7 @@ sandbox
 phpmd.html
 phpdoc.xml
 .phpunit.result.cache
+trivy
 
 # User plugin configuration
 plugins/*
diff --git a/Makefile b/Makefile
index 1587b3056..11f05d0fe 100644
--- a/Makefile
+++ b/Makefile
@@ -82,15 +82,6 @@ locale_test_%:
 		--bootstrap tests/languages/bootstrap.php \
 		--testsuite language-$(firstword $(subst _, ,$*))
 
-# trivy version (https://github.com/aquasecurity/trivy/releases)
-TRIVY_VERSION=0.39.0
-# default docker image to scan with trivy
-TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
-test_trivy:
-	wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
-	tar -zxf trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
-	./trivy image $(TRIVY_TARGET_DOCKER_IMAGE)
-
 all_tests: test locale_test_de_DE locale_test_en_US locale_test_fr_FR
 	@# --The current version is not compatible with PHP 7.2
 	@#$(BIN)/phpcov merge --html coverage coverage
@@ -156,7 +147,7 @@ release_zip: composer_dependencies htmldoc translate build_frontend
 ### remove all unversioned files
 clean:
 	@git clean -df
-	@rm -rf sandbox
+	@rm -rf sandbox trivy*
 
 ### generate the AUTHORS file from Git commit information
 generate_authors:
@@ -178,7 +169,6 @@ htmldoc:
 	find doc/html/ -type f -exec chmod a-x '{}' \;
 	rm -r venv
 
-
 ### Generate Shaarli's translation compiled file (.mo)
 translate:
 	@echo "----------------------"
@@ -198,3 +188,28 @@ eslint:
 ### Run CSSLint check against Shaarli's SCSS files
 sasslint:
 	@yarnpkg run stylelint --config .dev/.stylelintrc.js 'assets/default/scss/*.scss'
+
+##
+# Security scans
+##
+
+# trivy version (https://github.com/aquasecurity/trivy/releases)
+TRIVY_VERSION=0.43.0
+# default trivy exit code when vulnerabilities are found
+TRIVY_EXIT_CODE=1
+# default docker image to scan with trivy
+TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
+
+### download trivy vulneravbility scanner
+download_trivy:
+	wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
+	tar -z -x trivy -f trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
+
+### run trivy vulnerability scanner on docker image
+test_trivy_docker: download_trivy
+	./trivy --exit-code $(TRIVY_EXIT_CODE) image $(TRIVY_TARGET_DOCKER_IMAGE)
+
+### run trivy vulnerability scanner on composer/yarn dependency trees
+test_trivy_repo: download_trivy
+	./trivy --exit-code $(TRIVY_EXIT_CODE) fs composer.lock
+	./trivy --exit-code $(TRIVY_EXIT_CODE) fs yarn.lock
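Review bot: `download_trivy` executes a binary fetched over the network without verifying it: the tarball is selected by `TRIVY_VERSION` only, extracted, and then run as `./trivy` by both `test_trivy_docker` and `test_trivy_repo`, so a substituted or corrupted release asset would run unchecked in CI (the new `trivy-repo` job runs it on every push and pull request) and on developer machines. Pin the expected digest next to the version and check it between the `wget` and `tar` lines, e.g. `TRIVY_SHA256=<sha256 of trivy_0.43.0_Linux-64bit.tar.gz, taken from the release's checksums file>` and `echo "$(TRIVY_SHA256)  trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz" | sha256sum -c -`, so that a version bump and its digest are always updated together. Because `wget --continue` resumes any partial file with the same name, a failed check should also remove the archive before exiting, otherwise the next run keeps building on the rejected download. The three new targets do not produce files named after themselves, so they belong in the Makefile's `.PHONY` list if it has one (not visible in this hunk), and the `download_trivy` comment reads `vulneravbility`, which should be `vulnerability`.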