Configure and utilize trivy scan

also fix detected issue with Dockerfile

Signed-off-by: Knut Ahlers <knut@ahlers.me>
Knut Ahlers 2023-06-11 15:27:59 +02:00
parent 6657c7f712
commit 1720ebb665
Signed by: luzifer
GPG key ID: D91C3E91E4CAD6F5
4 changed files with 22 additions and 1 deletions


@ -40,6 +40,7 @@ jobs:
nodejs-lts-hydrogen \ nodejs-lts-hydrogen \
npm \ npm \
tar \ tar \
trivy \
unzip \ unzip \
which \ which \
zip zip
@ -53,6 +54,9 @@ jobs:
run: | run: |
go test -v ./... go test -v ./...
- name: Execute Trivy scan
run: make trivy
- name: Build release - name: Build release
run: make publish run: make publish
env: env:
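Review bot: `trivy fs .` in the "Execute Trivy scan" step scans the checked-out source tree, so the gate it places before `make publish` never looks at the OS packages of the image the Dockerfiles in this commit produce; if `make publish` is what builds that image, a second `trivy image <tag> --exit-code 1` run on the built artifact is needed to cover it. The `trivy` entry added to the package list at the top of the hunk is not version-pinned, so scan results can change between runs without any change to the repository — pin it, or at least echo `trivy --version` in the step so a failing run is attributable. Trivy also downloads its vulnerability database over the network at scan time; that fails closed on a restricted runner, which is the right direction, but pointing `--cache-dir` at a persisted path would avoid re-fetching it on every run. The enclosing `jobs:` definition starts and ends outside the hunk.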


@ -34,6 +34,8 @@ COPY --from=builder /go/bin/ots /usr/local/bin/ots
EXPOSE 3000 EXPOSE 3000
USER 1000:1000
ENTRYPOINT ["/usr/local/bin/ots"] ENTRYPOINT ["/usr/local/bin/ots"]
CMD ["--"] CMD ["--"]
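Review bot: `USER 1000:1000` is correctly placed after the binary is copied in, but nothing in the hunk creates or chowns a writable location for that UID, so if `ots` writes anything at runtime (state, temp files) it will now fail with EACCES where it previously succeeded as root — worth confirming against the application's storage configuration, which is outside this hunk. The numeric form is the right choice: Kubernetes' `runAsNonRoot` check can only verify a numeric UID from the image config, not a named user. A short comment above the directive would record why dropping root is safe here, e.g. `# Run unprivileged: 3000 is a non-privileged port, so no root capability is required`. The rest of the Dockerfile (base image, builder stage) is outside the hunk.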


@ -30,6 +30,8 @@ COPY --from=builder /go/bin/ots /usr/local/bin/ots
EXPOSE 3000 EXPOSE 3000
USER 1000:1000
ENTRYPOINT ["/usr/local/bin/ots"] ENTRYPOINT ["/usr/local/bin/ots"]
CMD ["--"] CMD ["--"]
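Review bot: Because `USER 1000:1000` names a UID with no entry in the image's `/etc/passwd`, `$HOME` is unset inside the container and `os/user` lookups fail; if the binary or any of its Go dependencies call `os.UserHomeDir()` or resolve the current user, add `ENV HOME=/tmp` (or a dedicated writable directory) before `ENTRYPOINT`. This Dockerfile and the other one in the commit end with the same runtime tail, so any such follow-up should be applied to both to keep them in sync. The base image and builder stage are outside the hunk, so whether the image already ships a matching passwd entry cannot be confirmed from here.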


@ -1,4 +1,4 @@
VER_FONTAWESOME=6.4.0 VER_FONTAWESOME:=6.4.0
default: generate download_libs default: generate download_libs
@ -33,3 +33,16 @@ download_libs: fontawesome
fontawesome: fontawesome:
curl -sSfL https://github.com/FortAwesome/Font-Awesome/archive/$(VER_FONTAWESOME).tar.gz | \ curl -sSfL https://github.com/FortAwesome/Font-Awesome/archive/$(VER_FONTAWESOME).tar.gz | \
tar -vC frontend -xz --strip-components=1 --wildcards --exclude='*/js-packages' '*/css' '*/webfonts' tar -vC frontend -xz --strip-components=1 --wildcards --exclude='*/js-packages' '*/css' '*/webfonts'
# -- Vulnerability scanning --
trivy:
trivy fs . \
--dependency-tree \
--exit-code 1 \
--format table \
--ignore-unfixed \
--quiet \
--scanners config,license,secret,vuln \
--severity HIGH,CRITICAL \
--skip-dirs docs
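Review bot: The new `trivy` target is not declared `.PHONY`, so a file or directory named `trivy` in the working tree (a locally downloaded binary, for example) makes `make trivy` report "up to date" and exit 0 without running the scan — in the CI job that calls it this silently disables the release gate; add `.PHONY: trivy` beside the target. `--ignore-unfixed` and `--skip-dirs docs` are deliberate exclusions and deserve a comment recording why, e.g. `# unfixed findings cannot be acted on in a release gate; docs contains no shipped code`, so they are not removed or cargo-culted later. Note also that `--severity HIGH,CRITICAL` filters the `secret` scanner as well, so any secret rules Trivy rates below HIGH are not reported by this gate. The `fontawesome` recipe in the same section pipes an unverified tarball from GitHub straight into `tar`; the version pin does not authenticate the content, so a `sha256sum -c` against a recorded digest would close that supply-chain gap (pre-existing, not introduced by this commit).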