Configure and utilize trivy scan

also fix detected issue with Dockerfile Signed-off-by: Knut Ahlers <knut@ahlers.me>
2023-06-11 15:27:59 +02:00 · 2023-06-11 15:27:59 +02:00 · 1720ebb665
commit 1720ebb665
parent 6657c7f712
4 changed files with 22 additions and 1 deletions
--- a/.github/workflows/test-and-build.yml
+++ b/.github/workflows/test-and-build.yml
@ -40,6 +40,7 @@ jobs:
            nodejs-lts-hydrogen \
            npm \
            tar \
+            trivy \
            unzip \
            which \
            zip
@ -53,6 +54,9 @@ jobs:
        run: |
          go test -v ./...

+      - name: Execute Trivy scan
+        run: make trivy
+
      - name: Build release
        run: make publish
        env:
--- a/2
+++ b/2
@ -34,6 +34,8 @@ COPY --from=builder /go/bin/ots /usr/local/bin/ots

 EXPOSE 3000

+USER 1000:1000
+
 ENTRYPOINT ["/usr/local/bin/ots"]
 CMD ["--"]

--- a/Dockerfile.minimal
+++ b/Dockerfile.minimal
@ -30,6 +30,8 @@ COPY --from=builder /go/bin/ots /usr/local/bin/ots

 EXPOSE 3000

+USER 1000:1000
+
 ENTRYPOINT ["/usr/local/bin/ots"]
 CMD ["--"]

--- a/15
+++ b/15
@ -1,4 +1,4 @@
-VER_FONTAWESOME=6.4.0
+VER_FONTAWESOME:=6.4.0


 default: generate download_libs
@ -33,3 +33,16 @@ download_libs: fontawesome
 fontawesome:
 	curl -sSfL https://github.com/FortAwesome/Font-Awesome/archive/$(VER_FONTAWESOME).tar.gz | \
 		tar -vC frontend -xz --strip-components=1 --wildcards --exclude='*/js-packages' '*/css' '*/webfonts'
+
+# -- Vulnerability scanning --
+
+trivy:
+	trivy fs . \
+		--dependency-tree \
+		--exit-code 1 \
+		--format table \
+		--ignore-unfixed \
+		--quiet \
+		--scanners config,license,secret,vuln \
+		--severity HIGH,CRITICAL \
+		--skip-dirs docs