feat: implement security tests thanks to trivy

close #28
bdossantos · Apr 29, 2020 · 07da736 · 07da736
1 parent b8c838d
commit 07da736
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 1 deletion.
diff --git a/.travis.yml b/.travis.yml
@@ -15,6 +15,7 @@ before_script:
   - mv 'shellcheck-v0.6.0/shellcheck' "$HOME/bin/shellcheck"
   - chmod +x "$HOME/bin/shellcheck"
   - cp -f scripts/dive "$HOME/bin/dive"
+  - cp -f scripts/trivy "$HOME/bin/dive"
   - rvm install "$(cat .ruby-version)"
   - export PATH=$HOME/.local/bin:/usr/sbin:$PATH
 script:

diff --git a/Makefile b/Makefile
@@ -52,4 +52,12 @@ shellcheck: ## Run shellcheck on /scripts directory
 	@find scripts/ -type f | xargs -n 1 shellcheck
 
 test: ## Run tests suite
-	@$(MAKE) pre-commit shellcheck dockerfile-lint serverspec dive
+	@$(MAKE) pre-commit shellcheck dockerfile-lint serverspec dive trivy
+
+trivy: ## Run trivy, a simple Vulnerability Scanner for Containers
+	$(info --> Run `trivy`)
+	@awk '/image:/ { print $$2 }' docker-compose.ci.yml \
+		| xargs -I % -n 1 -P 1 trivy \
+			--exit-code 1 \
+			--no-progress \
+			--severity HIGH,CRITICAL %
diff --git a/scripts/trivy b/scripts/trivy
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+DEBUG=${DEBUG:=0}
+[[ $DEBUG -eq 1 ]] && set -o xtrace
+
+GITHUB_TOKEN=${GITHUB_TOKEN:=''}
+TRIVY_TIMEOUT_SEC=${TRIVY_TIMEOUT_SEC:='360s'}
+
+export TRIVY_TIMEOUT_SEC
+
+# shellcheck disable=SC2145
+echo "--> trivy $@"
+
+# shellcheck disable=SC2046
+docker run --network host --rm --name "trivy_$(date +'%Y%m%d%H%M%S')" \
+  -e GITHUB_TOKEN="${GITHUB_TOKEN}" \
+  -v $(pwd)/.cache:/root/.cache/ \
+  -v ~/.docker/config.json:/root/.docker/config.json:ro \
+  -v /var/run/docker.sock:/var/run/docker.sock:ro \
+  -t $(tty &>/dev/null && echo '-i') \
+  aquasec/trivy:0.6.0 \
+  "$@"