Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tools/CI: scan repository with trivy security scanner (yarn.lock, composer.lock) #1998

Merged
merged 1 commit into from
Jul 6, 2023
Merged

tools/CI: scan repository with trivy security scanner (yarn.lock, composer.lock) #1998

merged 1 commit into from
Jul 6, 2023

Conversation

nodiscc
Copy link
Member

@nodiscc nodiscc commented Jun 30, 2023

This is reproduces functionality provided by Github's dependabot alerts, but with the ability to run locally/more portable, and reuses an already existing tool (trivy can run on yarn/composer.lock as well as Docker images). In a separate PR I will add a separate workflow that runs on a schedule on master and reports a failure when vulnerabilities are found. The main CI workflow will not report failure in case vulnerabilities are found, to prevent the workflow from failing due to unrelated third-party libraries/changes.

@nodiscc
tools/CI: scan repository with trivy security scanner (yarn.lock, com…
3b5923b 
…poser.lock)

- run scan on each push/pull request update
- can be run locally using make test_trivy_repo
- exit with error code 0/success when vulnerabilities are found,  as not to make the workflow fail, a separate periodic run that exits with code 1 should be added in parallel
- update trivy to v0.43.0
- https://github.com/aquasecurity/trivy/releases/tag/v0.43.0
- also consider TRIVY_EXIT_CODE when running trivy on the latest docker image
- ref. shaarli#1531
@nodiscc nodiscc added security tools developer tools labels Jun 30, 2023
@nodiscc nodiscc added this to the 0.13.0 milestone Jun 30, 2023
@nodiscc nodiscc mentioned this pull request Jun 30, 2023
Closed
@nodiscc nodiscc merged commit d24fc65 into shaarli:master Jul 6, 2023
7 checks passed
@nodiscc nodiscc deleted the trivy-repo-scan branch July 6, 2023 16:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@virtualtam virtualtam Awaiting requested review from virtualtam

@ArthurHoaro ArthurHoaro Awaiting requested review from ArthurHoaro

Assignees
No one assigned
Labels
security tools developer tools
Projects
None yet
Milestone
0.13.0
Development

Successfully merging this pull request may close these issues.
1 participant
@nodiscc