Add trivy scan, fix trivy errors for Dockerfile

Signed-off-by: Knut Ahlers <knut@ahlers.me>

.github/workflows/test-and-build.yml

@@ -42,6 +42,7 @@ jobs:
             nodejs-lts-fermium \
             npm \
             tar \
+            trivy \
             unzip \
             which \
             zip
@@ -63,6 +64,9 @@ jobs:
           NO_TESTS: 'true'
           PACKAGES: '.'
 
+      - name: Execute Trivy scan
+        run: make trivy
+
       - name: Extract changelog
         run: 'awk "/^#/ && ++c==2{exit}; /^#/f" "History.md" | tail -n +2 >release_changelog.md'
 

Dockerfile

@@ -4,8 +4,7 @@ COPY . /go/src/github.com/Luzifer/twitch-bot
 WORKDIR /go/src/github.com/Luzifer/twitch-bot
 
 ENV CGO_ENABLED=0 \
-    GOPATH=/go \
-    NODE_ENV=production
+    GOPATH=/go
 
 RUN set -ex \
  && pacman -Syy --noconfirm \
@@ -28,7 +27,7 @@ FROM alpine:latest
 LABEL maintainer "Knut Ahlers <knut@ahlers.me>"
 
 ENV CONFIG=/data/config.yaml \
-    STORAGE_FILE=/data/store.json.gz
+    STORAGE_CONN_STRING=/data/store.db
 
 RUN set -ex \
  && apk --no-cache add \
@@ -36,10 +35,13 @@ RUN set -ex \
       ca-certificates \
       curl \
       jq \
-      tzdata
+      tzdata \
+ && mkdir /data \
+ && chown 1000:1000 /data
 
 COPY --from=builder /go/bin/twitch-bot /usr/local/bin/twitch-bot
 
+USER 1000:1000
 VOLUME ["/data"]
 
 ENTRYPOINT ["/usr/local/bin/twitch-bot"]

Makefile

@@ -40,3 +40,16 @@ push_wiki:
 update_ua_list:
 	# User-Agents provided by https://www.useragents.me/
 	curl -sSf https://www.useragents.me/api | jq -r '.data[].ua' | grep -v 'Trident' >internal/linkcheck/user-agents.txt
+
+# -- Vulnerability scanning --
+
+trivy:
+	trivy fs . \
+		--dependency-tree \
+		--exit-code 1 \
+		--format table \
+		--ignore-unfixed \
+		--quiet \
+		--scanners config,license,secret,vuln \
+		--severity HIGH,CRITICAL \
+		--skip-dirs docs