tools/CI: scan repository with trivy security scanner (yarn.lock, com…

…poser.lock) - run scan on each push/pull request update - can be run locally using make test_trivy_repo - exit with error code 0/success when vulnerabilities are found, as not to make the workflow fail, a separate periodic run that exits with code 1 should be added in parallel - update trivy to v0.43.0 - https://github.com/aquasecurity/trivy/releases/tag/v0.43.0 - also consider TRIVY_EXIT_CODE when running trivy on the latest docker image - ref. shaarli#1531
nodiscc · Jun 30, 2023 · 3b5923b · 3b5923b
1 parent 467b28c
commit 3b5923b
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 13 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -98,3 +98,12 @@ jobs:
 
       - name: Build documentation
         run: mkdocs build --clean
+
+  trivy-repo:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Run trivy scanner on repository (non-blocking)
+        run: make test_trivy_repo TRIVY_EXIT_CODE=0
diff --git a/.github/workflows/docker-latest.yml b/.github/workflows/docker-latest.yml
@@ -41,5 +41,5 @@ jobs:
             ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}
-      - name: Run trivy image scanner
-        run: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
+      - name: Run trivy scanner on latest docker image
+        run: make test_trivy_docker TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
diff --git a/.gitignore b/.gitignore
@@ -26,6 +26,7 @@ sandbox
 phpmd.html
 phpdoc.xml
 .phpunit.result.cache
+trivy
 
 # User plugin configuration
 plugins/*

diff --git a/Makefile b/Makefile
@@ -82,15 +82,6 @@ locale_test_%:
 		--bootstrap tests/languages/bootstrap.php \
 		--testsuite language-$(firstword $(subst _, ,$*))
 
-# trivy version (https://github.com/aquasecurity/trivy/releases)
-TRIVY_VERSION=0.39.0
-# default docker image to scan with trivy
-TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
-test_trivy:
-	wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
-	tar -zxf trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
-	./trivy image $(TRIVY_TARGET_DOCKER_IMAGE)
-
 all_tests: test locale_test_de_DE locale_test_en_US locale_test_fr_FR
 	@# --The current version is not compatible with PHP 7.2
 	@#$(BIN)/phpcov merge --html coverage coverage
@@ -156,7 +147,7 @@ release_zip: composer_dependencies htmldoc translate build_frontend
 ### remove all unversioned files
 clean:
 	@git clean -df
-	@rm -rf sandbox
+	@rm -rf sandbox trivy*
 
 ### generate the AUTHORS file from Git commit information
 generate_authors:
@@ -178,7 +169,6 @@ htmldoc:
 	find doc/html/ -type f -exec chmod a-x '{}' \;
 	rm -r venv
 
-
 ### Generate Shaarli's translation compiled file (.mo)
 translate:
 	@echo "----------------------"
@@ -198,3 +188,28 @@ eslint:
 ### Run CSSLint check against Shaarli's SCSS files
 sasslint:
 	@yarnpkg run stylelint --config .dev/.stylelintrc.js 'assets/default/scss/*.scss'
+
+##
+# Security scans
+##
+
+# trivy version (https://github.com/aquasecurity/trivy/releases)
+TRIVY_VERSION=0.43.0
+# default trivy exit code when vulnerabilities are found
+TRIVY_EXIT_CODE=1
+# default docker image to scan with trivy
+TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
+
+### download trivy vulneravbility scanner
+download_trivy:
+	wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
+	tar -z -x trivy -f trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
+
+### run trivy vulnerability scanner on docker image
+test_trivy_docker: download_trivy
+	./trivy --exit-code $(TRIVY_EXIT_CODE) image $(TRIVY_TARGET_DOCKER_IMAGE)
+
+### run trivy vulnerability scanner on composer/yarn dependency trees
+test_trivy_repo: download_trivy
+	./trivy --exit-code $(TRIVY_EXIT_CODE) fs composer.lock
+	./trivy --exit-code $(TRIVY_EXIT_CODE) fs yarn.lock