chore: add vulnerability scanning with Trivy (#39)

jawnsy · web-flow · commit 19b87a13f7d9 · 2021-09-22T13:03:48.000-07:00
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -9,6 +9,10 @@ on:
     branches:
       - main
 
+  schedule:
+    # Run daily at 10:15 am UTC (3:15am PT/5:15am CT)
+    - cron: "15 10 * * *"
+
   workflow_dispatch:
 
 permissions:
@@ -25,7 +29,7 @@ permissions:
 
 jobs:
   build:
-    name: Build
+    name: build
     runs-on: ubuntu-20.04
     steps:
       - name: Cancel Previous Runs
@@ -57,3 +61,26 @@ jobs:
           distribution: goreleaser
           version: latest
           args: release --rm-dist --snapshot --skip-publish
+
+  scan-source:
+    name: scan/source
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Cancel previous runs
+        if: github.event_name == 'pull_request'
+        uses: styfle/cancel-workflow-action@0.9.1
+
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: '^1.16.7'
+
+      - name: Install dependencies
+        run: ./scripts/install_deps.sh
+
+      - name: Scan with AquaSec Trivy
+        run: ./scripts/scan.sh
+        continue-on-error: true
diff --git a/scripts/install_deps.sh b/scripts/install_deps.sh
@@ -51,11 +51,17 @@ GORELEASER_VERSION="0.178.0"
 run_trace false curl "${curl_flags[@]}" "https://github.com/goreleaser/goreleaser/releases/download/v${GORELEASER_VERSION}/goreleaser_Linux_x86_64.tar.gz" \| \
   tar --extract --gzip --directory="$TMPBIN" --file=- "goreleaser"
 
+# trivy to scan container images
+TRIVY_VERSION="0.19.2"
+run_trace false curl "${curl_flags[@]}" "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \| \
+  tar --extract --gzip --directory="$TMPBIN" --file=- "trivy"
+
 run_trace false sudo install --mode=0755 --target-directory="$BINDIR" "$TMPBIN/*"
 
 run_trace false command -v \
   golangci-lint \
   goreleaser \
-  gotestsum
+  gotestsum \
+  trivy
 
 run_trace false sudo rm --verbose --recursive --force "$TMPDIR"
diff --git a/scripts/scan.sh b/scripts/scan.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+#
+# Check dependencies and configuration for security issues
+
+set -euo pipefail
+PROJECT_ROOT=$(git rev-parse --show-toplevel)
+cd "$PROJECT_ROOT"
+source "./scripts/lib.sh"
+
+run_trace false trivy --version
+
+trivy_flags=(
+  "--vuln-type=os,library"
+  "--severity=MEDIUM,HIGH,CRITICAL"
+  "--exit-code=1"
+  "--security-checks=vuln,config"
+)
+
+if [ -n "${CI:-}" ]; then
+  trivy_flags+=(
+    "--no-progress"
+  )
+fi
+
+run_trace false trivy filesystem "${trivy_flags[@]}" "$PROJECT_ROOT"
