Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add trivy,gosec scan #304

Merged
merged 1 commit into from
Sep 13, 2024
Merged

add trivy,gosec scan #304

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .github/workflows/period-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,10 @@ jobs:
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Run gosec security scan
run: |
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s latest
gosec -severity high -confidence high ./... || exit 1
- name: e2e test
env:
E2E_TESTING_LEVEL: "periodCheck"
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,10 @@ jobs:
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Run gosec security scan
run: |
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s latest
gosec -severity high -confidence high ./... || exit 1
- name: pr test
env:
E2E_TESTING_LEVEL: "pr-e2e"
Expand Down
2 changes: 1 addition & 1 deletion Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -232,7 +232,7 @@ DOCKER_MAKE_CMD = docker run --rm -v ${PROJECT_SOURCE_CODE_DIR}:${BUILDER_MOUNT_
DOCKER_BUILDX_CMD_AMD64 = DOCKER_CLI_EXPERIMENTAL=enabled docker buildx build --platform=linux/amd64 -o type=docker
DOCKER_BUILDX_CMD_ARM64 = DOCKER_CLI_EXPERIMENTAL=enabled docker buildx build --platform=linux/arm64 -o type=docker
RELEASE_TAG ?= $(shell tagged="$$(git describe --tags --match='v*' --abbrev=0 2> /dev/null)"; if [ "$$tagged" ] && [ "$$(git rev-list -n1 HEAD)" = "$$(git rev-list -n1 $$tagged)" ]; then echo $$tagged; fi)
MUILT_ARCH_PUSH_CMD = ${PROJECT_SOURCE_CODE_DIR}/docker-push-with-multi-arch.sh
MUILT_ARCH_PUSH_CMD = ${PROJECT_SOURCE_CODE_DIR}/build/util/docker-push-with-multi-arch.sh

.PHONY: compile
compile: ## compile
Expand Down
0 docker-push-with-multi-arch.sh → build/util/docker-push-with-multi-arch.sh
View file
Open in desktop
File renamed without changes.
29 changes: 29 additions & 0 deletions build/util/scan-image-with-trivy.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
#!/bin/bash
image_name=$1
arch_list=("amd64" "arm64")
severity="CRITICAL"
e_code=${2:-0}

# install trivy
{ which trivy 2>/dev/null; } || { echo "install trivy now..."; curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin latest; }

for arch in ${arch_list[@]}
do
img_of_cur_arch=${image_name}-${arch}
echo "# scan image for ${img_of_cur_arch}"

# check image
set +e
docker inspect ${img_of_cur_arch} 2>&1 > /dev/null
if [ $? -ne 0 ]; then
echo "[Warning] No ${arch} image found on local , image name is ${img_of_cur_arch}. aborting image manifest merge"
exit 2
fi
set -e
# scan image
echo "# scaning image ${image_name}..."
trivy image ${img_of_cur_arch} --severity ${severity} --exit-code ${e_code}

# report
echo "# scan successfully for image ${image_name}. No $severity level vulnerabilities found to be fixed."
done