chore: add vulnerability scanning with Trivy #39

Merged
merged 5 commits into from
Sep 22, 2021
29 changes: 28 additions & 1 deletion .github/workflows/build.yaml
Expand Up @@ -9,6 +9,10 @@ on:
branches:
- main

schedule:
# Run daily at 10:15 am UTC (3:15am PT/5:15am CT)
- cron: "15 10 * * *"

workflow_dispatch:

permissions:
Expand All @@ -25,7 +29,7 @@ permissions:

jobs:
build:
name: Build
name: build
runs-on: ubuntu-20.04
steps:
- name: Cancel Previous Runs
Expand Down Expand Up @@ -57,3 +61,26 @@ jobs:
distribution: goreleaser
version: latest
args: release --rm-dist --snapshot --skip-publish

scan-source:
name: scan/source
runs-on: ubuntu-20.04
steps:
- name: Cancel previous runs
if: github.event_name == 'pull_request'
uses: styfle/cancel-workflow-action@0.9.1

- name: Checkout
uses: actions/checkout@v2

- name: Install Go
uses: actions/setup-go@v2
with:
go-version: '^1.16.7'

- name: Install dependencies
run: ./scripts/install_deps.sh

- name: Scan with AquaSec Trivy
run: ./scripts/scan.sh
continue-on-error: true
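Review bot: `continue-on-error: true` on the Scan with AquaSec Trivy step at the end of the hunk makes the scan/source job report success whatever Trivy finds, so the `--exit-code=1` that scripts/scan.sh passes to trivy never gates a merge and MEDIUM+ findings are only visible to someone who reads the job log. If a non-blocking introduction period is intended, record that next to the flag, e.g. `# Advisory for now: findings are logged but do not fail the job -- TODO make blocking`; otherwise drop the line so the scan fails the job. The actions this job pulls in (actions/checkout@v2, actions/setup-go@v2, styfle/cancel-workflow-action@0.9.1) are pinned to mutable tags; pinning them to a full commit SHA would match the supply-chain posture this PR is introducing, and the same applies to the build job above. The `permissions:` block that this job inherits is outside the hunk, so I cannot confirm it grants scan-source read-only access.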
8 changes: 7 additions & 1 deletion scripts/install_deps.sh
Expand Up @@ -51,11 +51,17 @@ GORELEASER_VERSION="0.178.0"
run_trace false curl "${curl_flags[@]}" "https://github.com/goreleaser/goreleaser/releases/download/v${GORELEASER_VERSION}/goreleaser_Linux_x86_64.tar.gz" \| \
tar --extract --gzip --directory="$TMPBIN" --file=- "goreleaser"

# trivy to scan container images
TRIVY_VERSION="0.19.2"
run_trace false curl "${curl_flags[@]}" "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \| \
tar --extract --gzip --directory="$TMPBIN" --file=- "trivy"

run_trace false sudo install --mode=0755 --target-directory="$BINDIR" "$TMPBIN/*"

run_trace false command -v \
golangci-lint \
goreleaser \
gotestsum
gotestsum \
trivy

run_trace false sudo rm --verbose --recursive --force "$TMPDIR"
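Review bot: The new Trivy archive at TRIVY_VERSION=0.19.2 is piped from curl straight into tar and then installed into $BINDIR with no checksum or signature check, so a substituted release asset would be installed unnoticed; comparing the downloaded archive with `sha256sum` against the checksums file that the upstream release ships (fetched the same way) before extracting would close that gap, and the goreleaser download just above has the same shape. The new comment `# trivy to scan container images` does not match how the tool is used here — scripts/scan.sh in this PR runs `trivy filesystem` against the repository — so `# trivy to scan the repository for vulnerable dependencies and misconfigurations` would be accurate. The `run_trace` helper and `curl_flags` are defined outside the hunk, so I cannot confirm whether curl already runs with `--fail`.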
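--- /dev/null
+++ b/scripts/scan.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+#
+# Check dependencies and configuration for security issues
+
+set -euo pipefail
+PROJECT_ROOT=$(git rev-parse --show-toplevel)
+cd "$PROJECT_ROOT"
+source "./scripts/lib.sh"
+
+run_trace false trivy --version
+
+trivy_flags=(
+"--vuln-type=os,library"
+"--severity=MEDIUM,HIGH,CRITICAL"
+"--exit-code=1"
+"--security-checks=vuln,config"
+)
+
+if [ -n "${CI:-}" ]; then
+trivy_flags+=(
+"--no-progress"
+)
+fi
+
+run_trace false trivy filesystem "${trivy_flags[@]}" "$PROJECT_ROOT"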
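Review bot: The header comment states the purpose but not the exit contract that callers of this script (the scan-source job) rely on: with `--severity=MEDIUM,HIGH,CRITICAL` and `--exit-code=1` the script exits 1 on any MEDIUM or higher vulnerability or misconfiguration, LOW findings are filtered out entirely rather than reported, and findings without an upstream fix still fail the run because `--ignore-unfixed` is not passed. Two lines added to the header, `# Exits non-zero if trivy reports any MEDIUM/HIGH/CRITICAL vulnerability or` followed by `# misconfiguration; lower severities are not reported at all.`, would make that explicit. Note also that on a fresh CI runner `trivy filesystem` will download its vulnerability database over the network and nothing here pins or caches it, so the result can change between runs without any change to the repository; that is acceptable for a scheduled scan but worth stating in the comment. The `run_trace` helper comes from scripts/lib.sh, outside this diff.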