Add trivy vulnerability scanner and custom docker-make image
Trivy is used in the CI after building our Docker image. It scans the Docker image and our dependencies for known vulnerabilities. The docker-make image is a simple docker:latest containing make.
This commit is contained in:

committed by
Tobias Kantusch

parent
a48804bd19
commit
8d7aa2ea3c
3
.gitignore
vendored
3
.gitignore
vendored
@ -7,3 +7,6 @@ configuration.yaml
|
||||
# TLS certificate/key
|
||||
*.crt
|
||||
*.key
|
||||
|
||||
# trivy artifacts
|
||||
.trivy
|
||||
|
@ -58,7 +58,7 @@ test:
|
||||
|
||||
dockerimage:
|
||||
stage: docker
|
||||
image: docker:latest
|
||||
image: $DOCKER_REGISTRY/docker-make:latest
|
||||
services:
|
||||
- name: docker:dind
|
||||
alias: docker
|
||||
@ -71,9 +71,17 @@ dockerimage:
|
||||
- docker pull $DOCKER_REGISTRY/library/alpine:latest
|
||||
- docker tag $DOCKER_REGISTRY/library/alpine:latest alpine:latest
|
||||
- docker build -t $IMAGE_NAME_ENV .
|
||||
# Run vulnerability scan before pushing the image
|
||||
- make trivy DOCKER_TAG=$IMAGE_NAME_ENV
|
||||
- docker push $IMAGE_NAME_ENV
|
||||
- docker tag $IMAGE_NAME_ENV $IMAGE_NAME_GENERAL
|
||||
- docker push $IMAGE_NAME_GENERAL
|
||||
cache:
|
||||
paths:
|
||||
- .trivy/.trivycache/
|
||||
artifacts:
|
||||
reports:
|
||||
container_scanning: .trivy/gl-container-scanning-report.json
|
||||
|
||||
nomadimage:
|
||||
stage: docker
|
||||
|
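Review bot: The `artifacts: reports: container_scanning` block in the second hunk only uploads on success, because GitLab's default is `when: on_success`, so the run where the scan actually finds a CRITICAL finding and `make trivy` fails is exactly the run whose report is never attached; add `when: always` under `artifacts:` so the report is kept on failure. The job image `$DOCKER_REGISTRY/docker-make:latest` in the first hunk is a mutable tag, which makes the CI environment change under the pipeline without any commit; pinning it to an immutable tag or digest would make scan results reproducible. The `dockerimage` job's `script:` list starts before the second hunk, so the earlier steps are not visible here.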
16
Makefile
16
Makefile
@ -93,6 +93,22 @@ e2e-docker: docker ## Run e2e tests against the Docker container
|
||||
@timeout 30s bash -c "until curl -s -o /dev/null http://127.0.0.1:7200/; do sleep 0.1; done"
|
||||
@make e2e-test || EXIT=$$?; docker stop $(DOCKER_E2E_CONTAINER_NAME); exit $$EXIT
|
||||
|
||||
# See https://aquasecurity.github.io/trivy/v0.18.1/integrations/gitlab-ci/
|
||||
TRIVY_VERSION = $(shell wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
|
||||
.trivy/trivy:
|
||||
@mkdir -p .trivy
|
||||
@wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz -O - | tar -zxvf - -C .trivy
|
||||
@chmod +x .trivy/trivy
|
||||
|
||||
.PHONY: trivy
|
||||
trivy: .trivy/trivy ## Run trivy vulnerability scanner
|
||||
# Build report
|
||||
@.trivy/trivy --exit-code 0 --cache-dir .trivy/.trivycache/ --no-progress --format template --template "@.trivy/contrib/gitlab.tpl" -o .trivy/gl-container-scanning-report.json $(DOCKER_TAG)
|
||||
# Print report
|
||||
@.trivy/trivy --exit-code 0 --cache-dir .trivy/.trivycache/ --no-progress $(DOCKER_TAG)
|
||||
# Fail on severe vulnerabilities
|
||||
@.trivy/trivy --exit-code 1 --cache-dir .trivy/.trivycache/ --severity CRITICAL --no-progress $(DOCKER_TAG)
|
||||
|
||||
.PHONY: help
|
||||
HELP_FORMAT=" \033[36m%-25s\033[0m %s\n"
|
||||
help: ## Display this help screen
|
||||
|
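Review bot: The `.trivy/trivy` rule downloads whatever GitHub reports as the latest release and pipes it straight into `tar` with no checksum or signature check, so the gate that decides whether an image is pushed depends on an unpinned, unverified binary. `TRIVY_VERSION = $(shell wget …)` is recursively assigned, so the GitHub API call repeats on every expansion — twice in the download line alone, where a release published between the two calls mismatches the path and file name, and an unauthenticated rate-limit reply leaves the variable empty. Pin the version with `?=`, download to a file, and verify a recorded SHA-256 before extracting (the `0.18.1` in the documentation link is the only version this page names; treat the digest below as a placeholder to fill in). Separately, the failing pass uses `--severity CRITICAL`, so HIGH findings only ever appear in the printed report; if that is intended, a comment saying so would save the next reader a question. The `help` rule at the bottom of the hunk continues outside it.
```make
# Pin the scanner; bump deliberately instead of resolving "latest" at build time.
TRIVY_VERSION ?= 0.18.1
# PLACEHOLDER: record the published sha256 of trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz here.
TRIVY_SHA256 ?= <expected-sha256>
.trivy/trivy:
	@mkdir -p .trivy
	@wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz -O .trivy/trivy.tar.gz
	@echo "$(TRIVY_SHA256)  .trivy/trivy.tar.gz" | sha256sum -c -
	@tar -zxf .trivy/trivy.tar.gz -C .trivy && chmod +x .trivy/trivy
# … unchanged: trivy target …
```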
3
ci/docker-make/Dockerfile
Normal file
3
ci/docker-make/Dockerfile
Normal file
@ -0,0 +1,3 @@
|
||||
FROM docker:latest
|
||||
|
||||
RUN apk update && apk add make
|
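Review bot: `RUN apk update && apk add make` leaves the package index cache in the image layer; the Alpine idiom is `RUN apk add --no-cache make`, which fetches a fresh index and discards it in the same layer. `FROM docker:latest` also means the CI tooling image changes silently whenever the upstream tag moves, which is at odds with a scanner job whose results should be reproducible; pinning the base to a specific docker version tag or digest would fix that.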