From 5d0f1acbf2f4d5192f26f07df1ba15efc78229e2 Mon Sep 17 00:00:00 2001 From: Knut Ahlers Date: Mon, 12 Jun 2023 23:35:54 +0200 Subject: [PATCH] Add trivy scan, fix trivy errors for Dockerfile Signed-off-by: Knut Ahlers --- .github/workflows/test-and-build.yml | 4 ++++ Dockerfile | 10 ++++++---- Makefile | 13 +++++++++++++ 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test-and-build.yml b/.github/workflows/test-and-build.yml index 8a8a753..207916c 100644 --- a/.github/workflows/test-and-build.yml +++ b/.github/workflows/test-and-build.yml @@ -42,6 +42,7 @@ jobs: nodejs-lts-fermium \ npm \ tar \ + trivy \ unzip \ which \ zip @@ -63,6 +64,9 @@ jobs: NO_TESTS: 'true' PACKAGES: '.' + - name: Execute Trivy scan + run: make trivy + - name: Extract changelog run: 'awk "/^#/ && ++c==2{exit}; /^#/f" "History.md" | tail -n +2 >release_changelog.md' diff --git a/Dockerfile b/Dockerfile index 36bae37..2bb3d39 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,8 +4,7 @@ COPY . /go/src/github.com/Luzifer/twitch-bot WORKDIR /go/src/github.com/Luzifer/twitch-bot ENV CGO_ENABLED=0 \ - GOPATH=/go \ - NODE_ENV=production + GOPATH=/go RUN set -ex \ && pacman -Syy --noconfirm \ @@ -28,7 +27,7 @@ FROM alpine:latest LABEL maintainer "Knut Ahlers " ENV CONFIG=/data/config.yaml \ - STORAGE_FILE=/data/store.json.gz + STORAGE_CONN_STRING=/data/store.db RUN set -ex \ && apk --no-cache add \ @@ -36,10 +35,13 @@ RUN set -ex \ ca-certificates \ curl \ jq \ - tzdata + tzdata \ + && mkdir /data \ + && chown 1000:1000 /data COPY --from=builder /go/bin/twitch-bot /usr/local/bin/twitch-bot +USER 1000:1000 VOLUME ["/data"] ENTRYPOINT ["/usr/local/bin/twitch-bot"] diff --git a/Makefile b/Makefile index 6542457..a226904 100644 --- a/Makefile +++ b/Makefile 
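Review bot: The new `make trivy` step runs on a runner that, as far as this hunk shows, has no persisted Trivy cache, so every pipeline run must first download the vulnerability database over the network before the gate can pass; a failed or throttled download then fails the job for reasons unrelated to the commit. Consider restoring `~/.cache/trivy` between runs (or pointing `TRIVY_CACHE_DIR` at a cached path) and noting in the step that a database fetch is required. Because the step sits in the same job as the release steps that follow it, a newly published, fixable HIGH/CRITICAL advisory will also block a release that contains no code change, which is presumably intended but worth stating in a comment on the step, e.g. `# release gate: fails on fixable HIGH/CRITICAL findings (see Makefile target trivy)`.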
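Review bot: Dropping `NODE_ENV=production` from the builder's ENV changes what any later npm/frontend build in this stage sees, and the RUN step that would show whether that matters is cut off after `pacman -Syy --noconfirm`, so the effect is not visible here. If that step installs dependencies and bundles frontend assets, an unset NODE_ENV typically pulls in devDependencies and may yield an unminified bundle; confirm the variable is set where the bundler runs, or that it was unused. The commit message attributes the Dockerfile changes to Trivy findings but says nothing about NODE_ENV, so a one-line comment such as `# NODE_ENV is set by the frontend build step itself` (or a commit-message note on why it was dropped) would help the next reader.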
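Review bot: Switching to `USER 1000:1000` together with `VOLUME ["/data"]` means the `chown 1000:1000 /data` only fixes ownership in the image layer and for freshly created anonymous volumes; a host directory bind-mounted over /data keeps its host ownership, and existing deployments whose /data was written by the previous root-running image will get permission errors when the bot opens `/data/store.db`. Combined with the `STORAGE_FILE` → `STORAGE_CONN_STRING` rename (whether the old `store.json.gz` is migrated is not visible here) this is a breaking change for existing users and deserves a History.md entry and a comment above the USER line, e.g. `# Runs unprivileged; a bind-mounted /data must be owned or writable by uid 1000`. The unchanged `FROM alpine:latest` is still unpinned, so runtime image contents — and therefore Trivy results — drift between builds; pinning to a specific alpine tag or digest would make the scan reproducible.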
@@ -40,3 +40,16 @@ push_wiki: update_ua_list: # User-Agents provided by https://www.useragents.me/ curl -sSf https://www.useragents.me/api | jq -r '.data[].ua' | grep -v 'Trident' >internal/linkcheck/user-agents.txt + +# -- Vulnerability scanning -- + +trivy: + trivy fs . \ + --dependency-tree \ + --exit-code 1 \ + --format table \ + --ignore-unfixed \ + --quiet \ + --scanners config,license,secret,vuln \ + --severity HIGH,CRITICAL \ + --skip-dirs docs
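Review bot: The new `trivy` target is not declared `.PHONY` anywhere in this hunk, so if a file or directory named `trivy` ever appears in the working tree (a cache directory, a downloaded binary) `make trivy` reports it as up to date and the CI gate silently passes without scanning; add `.PHONY: trivy` above the target unless a `.PHONY` line elsewhere in the Makefile already covers it. Enabling the `license` scanner with `--severity HIGH,CRITICAL` also fails the build on licenses Trivy classifies as restricted or forbidden (copyleft families in its default mapping), which may or may not be the intended policy for transitive Go dependencies; a comment stating the intent, e.g. `# license findings at HIGH/CRITICAL are copyleft/forbidden classes (trivy default mapping)`, would make that explicit. Note that `--ignore-unfixed` means CRITICAL findings with no upstream fix never surface in this gate, so an occasional run without that flag is worth scheduling.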