Skip to content

Commit

Permalink
feat: implement security tests thanks to trivy
Browse files Browse the repository at this point in the history
close #28
  • Loading branch information
bdossantos committed Apr 27, 2020
1 parent b9c4e58 commit 30e9cf7
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 1 deletion.
10 changes: 9 additions & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -52,4 +52,12 @@ shellcheck: ## Run shellcheck on /scripts directory
@find scripts/ -type f | xargs -n 1 shellcheck

test: ## Run tests suite
@$(MAKE) pre-commit shellcheck dockerfile-lint serverspec dive
@$(MAKE) pre-commit shellcheck dockerfile-lint serverspec dive trivy

trivy: ## Run trivy, a simple Vulnerability Scanner for Containers
$(info --> Run `trivy`)
@awk '/image:/ { print $$2 }' docker-compose.ci.yml \
| xargs -I % -n 1 -P 1 trivy \
--exit-code 1 \
--no-progress \
--severity HIGH,CRITICAL %
26 changes: 26 additions & 0 deletions scripts/trivy
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
#!/usr/bin/env bash

set -o errexit
set -o pipefail
set -o nounset

DEBUG=${DEBUG:=0}
[[ $DEBUG -eq 1 ]] && set -o xtrace

GITHUB_TOKEN=${GITHUB_TOKEN:=''}
TRIVY_TIMEOUT_SEC=${TRIVY_TIMEOUT_SEC:='360s'}

export TRIVY_TIMEOUT_SEC

# shellcheck disable=SC2145
echo "--> trivy $@"

# shellcheck disable=SC2046
docker run --network host --rm --name "trivy_$(date +'%Y%m%d%H%M%S')" \
-e GITHUB_TOKEN="${GITHUB_TOKEN}" \
-v $(pwd)/.cache:/root/.cache/ \
-v ~/.docker/config.json:/root/.docker/config.json:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-t $(tty &>/dev/null && echo '-i') \
aquasec/trivy:0.6.0 \
"$@"

0 comments on commit 30e9cf7

Please sign in to comment.