From e4d8dc6c5996da3aeba5c34575682c9e8f62b429 Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Wed, 22 Sep 2021 18:35:05 +0000
Subject: [PATCH 1/5] chore: add vulnerability scanning with Trivy
---
 .github/workflows/security.yaml | 53 +++++++++++++++++++++++++++++++++
 scripts/install_deps.sh | 8 ++++-
 scripts/scan.sh | 25 ++++++++++++++++
 3 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/security.yaml
 create mode 100755 scripts/scan.sh
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
new file mode 100644
index 0000000..6e2c179
--- /dev/null
+++ b/.github/workflows/security.yaml
@@ -0,0 +1,53 @@
+name: Security
+
+on:
+ push:
+ branches:
+ - main
+
+ # If the workflow is modified, run the scans (though still using code
+ # checked out from master) so that we can test the workflow itself
+ pull_request:
+ branches:
+ - main
+ paths:
+ - .github/workflows/security.yaml
+
+ schedule:
+ # Run at 10:15 am UTC (3:15am PT/5:15am CT)
+ # Run at 0 minutes 0 hours of every day.
+ - cron: "15 10 * * *"
+
+ workflow_dispatch:
+
+permissions:
+ actions: none
+ checks: none
+ contents: read
+ deployments: none
+ issues: none
+ packages: none
+ pull-requests: none
+ repository-projects: none
+ security-events: none
+ statuses: none
+
+jobs:
+ scan-source:
+ name: scan/source
+ steps:
+ - name: Cancel previous runs
+ if: github.event_name == 'pull_request'
+ uses: styfle/cancel-workflow-action@0.9.1
+
+ - name: Checkout
+ uses: actions/checkout@v2
+ # with:
+ # ref: "main"
+
+ - name: Install dependencies
+ run: ./scripts/install_deps.sh
+
+ - name: Scan with AquaSec Trivy
+ run: ./scripts/scan.sh
+ continue-on-error: true
diff --git a/scripts/install_deps.sh b/scripts/install_deps.sh
index c322933..679558d 100755
--- a/scripts/install_deps.sh
+++ b/scripts/install_deps.sh
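Review bot: `continue-on-error: true` on the "Scan with AquaSec Trivy" step means a non-zero exit from the scan never fails the job, so the `--exit-code=1` that scripts/scan.sh passes to trivy in this same patch has no effect on the workflow's status and MEDIUM/HIGH/CRITICAL findings surface only to someone who reads the log. If a report-only phase is intended until the baseline is clean, say so next to the step (`# report-only for now: findings do not block the workflow`); otherwise drop `continue-on-error` or gate it on the event type. The same step is carried unchanged into the scan-source job that PATCH 4 adds to build.yaml. Separately, `actions/checkout@v2` and `styfle/cancel-workflow-action@0.9.1` here, and `actions/setup-go@v2` in PATCH 3, are referenced by mutable tags; pinning each `uses:` to a full commit SHA with the tag in a trailing comment keeps a retagged or compromised release from running with this repository's token.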
@@ -51,11 +51,17 @@ GORELEASER_VERSION="0.178.0"
 run_trace false curl "${curl_flags[@]}" "https://github.com/goreleaser/goreleaser/releases/download/v${GORELEASER_VERSION}/goreleaser_Linux_x86_64.tar.gz" \| \
 tar --extract --gzip --directory="$TMPBIN" --file=- "goreleaser"
 
+# trivy to scan container images
+TRIVY_VERSION="0.19.2"
+run_trace false curl "${curl_flags[@]}" "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \| \
+ tar --extract --gzip --directory="$TMPBIN" --file=- "trivy"
+
 run_trace false sudo install --mode=0755 --target-directory="$BINDIR" "$TMPBIN/*"
 
 run_trace false command -v \
 golangci-lint \
 goreleaser \
- gotestsum
+ gotestsum \
+ trivy
 
 run_trace false sudo rm --verbose --recursive --force "$TMPDIR"
diff --git a/scripts/scan.sh b/scripts/scan.sh
new file mode 100755
index 0000000..809c840
--- /dev/null
+++ b/scripts/scan.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+#
+# Check dependencies and configuration for security issues
+
+set -euo pipefail
+PROJECT_ROOT=$(git rev-parse --show-toplevel)
+cd "$PROJECT_ROOT"
+source "./scripts/lib.sh"
+
+run_trace false trivy --version
+
+trivy_flags=(
+ --vuln-type=os,library
+ --severity=MEDIUM,HIGH,CRITICAL
+ --exit-code=1
+ --security-checks=vuln,config
+)
+
+if [ -n "${CI:-}" ]; then
+ trivy_flags+=(
+ --no-progress
+ )
+fi
+
+run_trace false trivy filesystem "${trivy_flags[@]}" "$PROJECT_ROOT"
From 5581ab4edfe2422c1021af04de2a917678baabeb Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Wed, 22 Sep 2021 18:39:32 +0000
Subject: [PATCH 2/5] add runs-on
---
 .github/workflows/security.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 6e2c179..f528fb8 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
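Review bot: The trivy tarball added here is fetched over HTTPS and piped straight into `tar`, then installed into `$BINDIR` with sudo, with no integrity check on what was downloaded; pinning `TRIVY_VERSION` alone does not protect against a replaced or tampered release asset. Download to a file in `$TMPBIN` first and verify it against a digest committed next to the version before extracting, e.g. `echo "${TRIVY_SHA256}  $TMPBIN/trivy.tgz" | sha256sum --check -`, where `TRIVY_SHA256` holds the value taken from that release's published checksums file. The goreleaser download in the context lines above has the same gap, so one helper would serve both. The enclosing script continues outside this hunk.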
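Review bot: The `trivy_flags` block in scan.sh encodes policy without recording it: nothing says why MEDIUM is the severity floor or that `--exit-code=1` is meant to make CI fail on findings, which matters because the workflow step that calls this script runs with `continue-on-error: true` and so never reacts to that exit code. Add a short comment above the array, e.g. `# Fail (exit 1) on MEDIUM+ findings; the calling workflow decides whether that blocks the run`, so the threshold and the intended contract with the workflow are explicit. The `-n "${CI:-}"` test also treats `CI=false` as "in CI"; if only GitHub's `CI=true` is expected, a comment saying so is enough.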
@@ -5,8 +5,8 @@ on:
 branches:
 - main
 
- # If the workflow is modified, run the scans (though still using code
- # checked out from master) so that we can test the workflow itself
+ # If the workflow is modified, run the scans, so that we can test the
+ # workflow itself
 pull_request:
 branches:
 - main
@@ -35,6 +35,7 @@ permissions:
 jobs:
 scan-source:
 name: scan/source
+ runs-on: ubuntu-20.04
 steps:
 - name: Cancel previous runs
 if: github.event_name == 'pull_request'
@@ -42,8 +43,6 @@ jobs:
 
 - name: Checkout
 uses: actions/checkout@v2
- # with:
- # ref: "main"
 
 - name: Install dependencies
 run: ./scripts/install_deps.sh
From 48ebcc04fe56b37d63a2793da7efbe1cb8655841 Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Wed, 22 Sep 2021 18:40:58 +0000
Subject: [PATCH 3/5] install Go
---
 .github/workflows/security.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index f528fb8..4dcfb69 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -44,6 +44,11 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v2
 
+ - name: Install Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: '^1.16.7'
+
 - name: Install dependencies
 run: ./scripts/install_deps.sh
 
From a4fafc77a240f14d603041b574b658b57df66095 Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Wed, 22 Sep 2021 18:50:44 +0000
Subject: [PATCH 4/5] move security to build workflow
---
 .github/workflows/build.yaml | 29 ++++++++++++++++-
 .github/workflows/security.yaml | 57 ---------------------------------
 2 files changed, 28 insertions(+), 58 deletions(-)
 delete mode 100644 .github/workflows/security.yaml
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 2952f04..b2d985f 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -9,6 +9,10 @@ on:
 branches:
 - main
 
+ schedule:
+ # Run daily at 10:15 am UTC (3:15am PT/5:15am CT)
+ - cron: "15 10 * * *"
+
 workflow_dispatch:
 
 permissions:
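Review bot: The new "Install Go" step does not say which later step needs a Go toolchain; neither ./scripts/install_deps.sh nor ./scripts/scan.sh visibly invokes `go` anywhere in this series, so a reader cannot tell whether install_deps.sh, trivy's filesystem scan, or something else depends on it. Add a one-line comment above the step naming the consumer, e.g. `# Go toolchain needed by ./scripts/install_deps.sh (TODO confirm)`. Note also that `go-version: '^1.16.7'` is a range, so the toolchain resolved at run time drifts as new 1.x releases appear; that may be fine for a scan job, but it should be a deliberate choice rather than an accident of copying.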
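Review bot: Adding `schedule` to build.yaml's `on:` block means the daily cron now runs every job in this workflow, including the `build` job and its goreleaser snapshot release visible in the next hunk's context, not only the scan that the deleted security.yaml ran on its own. If the nightly run is meant to be the vulnerability scan, gate the other jobs with `if: github.event_name != 'schedule'` or keep the scan in a separate workflow; if a nightly full build is intended, a comment next to the cron saying so (`# nightly: full build plus dependency scan`) would keep the next reader from removing it. The `on:` block starts above this hunk.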
@@ -25,7 +29,7 @@ permissions:
 
 jobs:
 build:
- name: Build
+ name: build
 runs-on: ubuntu-20.04
 steps:
 - name: Cancel Previous Runs
@@ -57,3 +61,26 @@ jobs:
 distribution: goreleaser
 version: latest
 args: release --rm-dist --snapshot --skip-publish
+
+ scan-source:
+ name: scan/source
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Cancel previous runs
+ if: github.event_name == 'pull_request'
+ uses: styfle/cancel-workflow-action@0.9.1
+
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Install Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: '^1.16.7'
+
+ - name: Install dependencies
+ run: ./scripts/install_deps.sh
+
+ - name: Scan with AquaSec Trivy
+ run: ./scripts/scan.sh
+ continue-on-error: true
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
deleted file mode 100644
index 4dcfb69..0000000
--- a/.github/workflows/security.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-name: Security
-
-on:
- push:
- branches:
- - main
-
- # If the workflow is modified, run the scans, so that we can test the
- # workflow itself
- pull_request:
- branches:
- - main
- paths:
- - .github/workflows/security.yaml
-
- schedule:
- # Run at 10:15 am UTC (3:15am PT/5:15am CT)
- # Run at 0 minutes 0 hours of every day.
- - cron: "15 10 * * *"
-
- workflow_dispatch:
-
-permissions:
- actions: none
- checks: none
- contents: read
- deployments: none
- issues: none
- packages: none
- pull-requests: none
- repository-projects: none
- security-events: none
- statuses: none
-
-jobs:
- scan-source:
- name: scan/source
- runs-on: ubuntu-20.04
- steps:
- - name: Cancel previous runs
- if: github.event_name == 'pull_request'
- uses: styfle/cancel-workflow-action@0.9.1
-
- - name: Checkout
- uses: actions/checkout@v2
-
- - name: Install Go
- uses: actions/setup-go@v2
- with:
- go-version: '^1.16.7'
-
- - name: Install dependencies
- run: ./scripts/install_deps.sh
-
- - name: Scan with AquaSec Trivy
- run: ./scripts/scan.sh
- continue-on-error: true
From 339ada1c52528a2e42863d35eabb23c6887756b8 Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Wed, 22 Sep 2021 18:54:34 +0000
Subject: [PATCH 5/5] quote flags
---
 scripts/scan.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/scripts/scan.sh b/scripts/scan.sh
index 809c840..33fe1be 100755
--- a/scripts/scan.sh
+++ b/scripts/scan.sh
@@ -10,15 +10,15 @@ source "./scripts/lib.sh"
 run_trace false trivy --version
 
 trivy_flags=(
- --vuln-type=os,library
- --severity=MEDIUM,HIGH,CRITICAL
- --exit-code=1
- --security-checks=vuln,config
+ "--vuln-type=os,library"
+ "--severity=MEDIUM,HIGH,CRITICAL"
+ "--exit-code=1"
+ "--security-checks=vuln,config"
 )
 
 if [ -n "${CI:-}" ]; then
 trivy_flags+=(
- --no-progress
+ "--no-progress"
 )
 fi