From 07da736aef246a449c03d0412cb220dae15860b2 Mon Sep 17 00:00:00 2001
From: Benjamin Dos Santos
Date: Mon, 27 Apr 2020 14:15:52 +0200
Subject: [PATCH] feat: implement security tests thanks to `trivy`

close #28
---
 .travis.yml | 1 +
 Makefile | 10 +++++++++-
 scripts/trivy | 26 ++++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 scripts/trivy

diff --git a/.travis.yml b/.travis.yml
index 97215adf..2b9b4543 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,6 +15,7 @@ before_script:
 - mv 'shellcheck-v0.6.0/shellcheck' "$HOME/bin/shellcheck"
 - chmod +x "$HOME/bin/shellcheck"
 - cp -f scripts/dive "$HOME/bin/dive"
+ - cp -f scripts/trivy "$HOME/bin/dive"
 - rvm install "$(cat .ruby-version)"
 - export PATH=$HOME/.local/bin:/usr/sbin:$PATH
 script:
diff --git a/Makefile b/Makefile
index f9f77483..e224cba8 100644
--- a/Makefile
+++ b/Makefile
@@ -52,4 +52,12 @@ shellcheck: ## Run shellcheck on /scripts directory
 @find scripts/ -type f | xargs -n 1 shellcheck

 test: ## Run tests suite
- @$(MAKE) pre-commit shellcheck dockerfile-lint serverspec dive
+ @$(MAKE) pre-commit shellcheck dockerfile-lint serverspec dive trivy
+
+trivy: ## Run trivy, a simple Vulnerability Scanner for Containers
+ $(info --> Run `trivy`)
+ @awk '/image:/ { print $$2 }' docker-compose.ci.yml \
+ | xargs -I % -n 1 -P 1 trivy \
+ --exit-code 1 \
+ --no-progress \
+ --severity HIGH,CRITICAL %
diff --git a/scripts/trivy b/scripts/trivy
new file mode 100644
index 00000000..d75c6725
--- /dev/null
+++ b/scripts/trivy
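Review bot: The added line copies `scripts/trivy` to `$HOME/bin/dive`, which overwrites the `dive` wrapper installed on the line just above it and installs no `trivy` on PATH at all, so `make test` would run trivy in the `dive` step and fail with "command not found" in the new `trivy` step. The destination should be `- cp -f scripts/trivy "$HOME/bin/trivy"`. The `before_script` list starts before this hunk.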
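Review bot: The new `trivy` target is a command rather than a file, but no `.PHONY` declaration covering it is visible in this hunk; if the Makefile declares phony targets above, `trivy` (and `test`) should be listed there so a stray file named `trivy` cannot silently satisfy the rule and skip the scan. The filter `/image:/` would also match a commented-out `image:` line in `docker-compose.ci.yml` and hand trivy the token `image:` as an image name; anchoring it, `@awk '/^[[:space:]]*image:/ { print $$2 }' docker-compose.ci.yml \`, avoids that. It is also worth a comment next to `--severity HIGH,CRITICAL` stating the gate policy: without `--ignore-unfixed`, `--exit-code 1` fails the build on findings that have no fixed package version yet, which is a deliberate strictness choice maintainers should know about rather than discover.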
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+DEBUG=${DEBUG:=0}
+[[ $DEBUG -eq 1 ]] && set -o xtrace
+
+GITHUB_TOKEN=${GITHUB_TOKEN:=''}
+TRIVY_TIMEOUT_SEC=${TRIVY_TIMEOUT_SEC:='360s'}
+
+export TRIVY_TIMEOUT_SEC
+
+# shellcheck disable=SC2145
+echo "--> trivy $@"
+
+# shellcheck disable=SC2046
+docker run --network host --rm --name "trivy_$(date +'%Y%m%d%H%M%S')" \
+ -e GITHUB_TOKEN="${GITHUB_TOKEN}" \
+ -v $(pwd)/.cache:/root/.cache/ \
+ -v ~/.docker/config.json:/root/.docker/config.json:ro \
+ -v /var/run/docker.sock:/var/run/docker.sock:ro \
+ -t $(tty &>/dev/null && echo '-i') \
+ aquasec/trivy:0.6.0 \
+ "$@"
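Review bot: The `:ro` on `-v /var/run/docker.sock:/var/run/docker.sock:ro` does not constrain the scanner: a read-only bind mount still permits connect() on a unix socket, so the container retains full Docker API access, which is root-equivalent on the host; keep the mount if the scan needs it, but say so on the line, e.g. `# :ro does not limit the Docker API - this still grants full daemon access`. Separately, `[[ $DEBUG -eq 1 ]] && set -o xtrace` is enabled before the `docker run` line that expands `-e GITHUB_TOKEN="${GITHUB_TOKEN}"`, so with `DEBUG=1` the token is printed verbatim into the CI log; passing only the name, `-e GITHUB_TOKEN \` after adding `export GITHUB_TOKEN` next to the existing `export TRIVY_TIMEOUT_SEC`, lets docker read it from the environment without it ever appearing in the trace. The `~/.docker/config.json` mount hands the host's registry credentials to the scanner container, which is needed for private images but deserves a comment for the same reason. Finally, `aquasec/trivy:0.6.0` is a mutable tag for a tool that is itself acting as a security gate; pinning by digest (`aquasec/trivy:0.6.0@sha256:…`) makes the scanner image reproducible and tamper-evident.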