Configure and utilize trivy scan
also fix detected issue with Dockerfile Signed-off-by: Knut Ahlers <knut@ahlers.me>
parent
6657c7f712
commit
1720ebb665
4 changed files with 22 additions and 1 deletions
4
.github/workflows/test-and-build.yml
vendored
4
.github/workflows/test-and-build.yml
vendored
|
@ -40,6 +40,7 @@ jobs:
|
||||||
nodejs-lts-hydrogen \
|
nodejs-lts-hydrogen \
|
||||||
npm \
|
npm \
|
||||||
tar \
|
tar \
|
||||||
|
trivy \
|
||||||
unzip \
|
unzip \
|
||||||
which \
|
which \
|
||||||
zip
|
zip
|
||||||
|
@ -53,6 +54,9 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
go test -v ./...
|
go test -v ./...
|
||||||
|
|
||||||
|
- name: Execute Trivy scan
|
||||||
|
run: make trivy
|
||||||
|
|
||||||
- name: Build release
|
- name: Build release
|
||||||
run: make publish
|
run: make publish
|
||||||
env:
|
env:
|
||||||
|
|
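Review bot: The new `Execute Trivy scan` step only runs when this workflow is triggered, and it sits directly in front of `Build release`, so an advisory published after the last push stays unnoticed until the next push and then blocks a release that did not cause it. The workflow's `on:` block is outside both hunks; if it has no `schedule:` trigger, adding one would surface new findings independently of releases. `trivy` is also installed unpinned from the package list in the first hunk, so scanner and database versions can differ between runs. A comment on the step such as `# Fails the job on HIGH/CRITICAL findings; see the trivy target in the Makefile` would tell maintainers where the gate is defined.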
|
@ -34,6 +34,8 @@ COPY --from=builder /go/bin/ots /usr/local/bin/ots
|
||||||
|
|
||||||
EXPOSE 3000
|
EXPOSE 3000
|
||||||
|
|
||||||
|
USER 1000:1000
|
||||||
|
|
||||||
ENTRYPOINT ["/usr/local/bin/ots"]
|
ENTRYPOINT ["/usr/local/bin/ots"]
|
||||||
CMD ["--"]
|
CMD ["--"]
|
||||||
|
|
||||||
|
|
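Review bot: `USER 1000:1000` drops root for the runtime stage, but nothing in the hunk says why a numeric UID:GID is used or what it requires from the filesystem. I would add a comment above it, e.g. `# Numeric UID:GID (no passwd entry needed) so runtimes can verify the process is non-root`, and mention in the changelog that the image no longer runs as root, since deployments that mount root-owned files or volumes into the container will need their permissions adjusted. Port 3000 is unprivileged, so `EXPOSE 3000` is unaffected. The same applies to the identical hunk at `@ -30,6 +30,8`; the earlier parts of both files are outside the hunks.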
|
@ -30,6 +30,8 @@ COPY --from=builder /go/bin/ots /usr/local/bin/ots
|
||||||
|
|
||||||
EXPOSE 3000
|
EXPOSE 3000
|
||||||
|
|
||||||
|
USER 1000:1000
|
||||||
|
|
||||||
ENTRYPOINT ["/usr/local/bin/ots"]
|
ENTRYPOINT ["/usr/local/bin/ots"]
|
||||||
CMD ["--"]
|
CMD ["--"]
|
||||||
|
|
||||||
|
|
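--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-VER_FONTAWESOME=6.4.0
+VER_FONTAWESOME:=6.4.0
 
 
 default: generate download_libs
@@ -33,3 +33,16 @@ download_libs: fontawesome
 fontawesome:
 curl -sSfL https://github.com/FortAwesome/Font-Awesome/archive/$(VER_FONTAWESOME).tar.gz | \
 tar -vC frontend -xz --strip-components=1 --wildcards --exclude='*/js-packages' '*/css' '*/webfonts'
+
+# -- Vulnerability scanning --
+
+trivy:
+trivy fs . \
+--dependency-tree \
+--exit-code 1 \
+--format table \
+--ignore-unfixed \
+--quiet \
+--scanners config,license,secret,vuln \
+--severity HIGH,CRITICAL \
+--skip-dirs docs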
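Review bot: The `trivy` target produces no file and, within this hunk, is not declared phony, so a file or directory named `trivy` in the repository root would make `make trivy` report the target as up to date and the CI step would pass without scanning. Unless lines 5–32 (outside the hunks) already cover it, add `.PHONY: trivy` above the rule. Since `trivy fs .` looks at the source tree only, with `--ignore-unfixed`, `--severity HIGH,CRITICAL` and `--skip-dirs docs` narrowing the result, a short comment stating that the built container image and its base layers are not covered by this gate would keep a green run from being read as more than it is.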