ci: add trivy scan (#194)

.drone.yml

@@ -95,19 +95,26 @@ platform:
   arch: amd64
 
 steps:
-  - name: dryrun
+  - name: security-build
     image: docker.io/owncloudci/drone-docker-buildx:1
     settings:
       dockerfile: Dockerfile.multiarch
-      dry_run: true
-      platforms:
-        - linux/amd64
-        - linux/arm64
-      provenance: false
+      output: type=oci,dest=oci/${DRONE_REPO_NAME},tar=false
       repo: owncloudci/${DRONE_REPO_NAME}
-    when:
-      ref:
-        - refs/pull/**
+
+  - name: security-scan
+    image: ghcr.io/aquasecurity/trivy
+    commands:
+      - trivy -v
+      - trivy image --input oci/${DRONE_REPO_NAME}
+    environment:
+      TRIVY_EXIT_CODE: 1
+      TRIVY_IGNORE_UNFIXED: True
+      TRIVY_NO_PROGRESS: True
+      TRIVY_SEVERITY: HIGH,CRITICAL
+      TRIVY_TIMEOUT: 1m
+    depends_on:
+      - security-build
 
   - name: publish
     image: docker.io/owncloudci/drone-docker-buildx:1
@@ -128,7 +135,7 @@ steps:
         - refs/heads/main
         - refs/tags/**
     depends_on:
-      - dryrun
+      - security-scan
 
 trigger:
   ref:

Dockerfile.multiarch

@@ -24,10 +24,14 @@ ARG ANSIBLE_VERSION
 # renovate: datasource=pypi depName=ansible
 ENV ANSIBLE_VERSION="${ANSIBLE_VERSION:-8.6.1}"
 
-RUN apk add --no-cache bash git curl rsync openssh-client sshpass py3-pip py3-requests py3-paramiko python3-dev libffi-dev build-base && \
+RUN apk --update add --virtual .build-deps python3-dev libffi-dev build-base && \
+  apk add --no-cache bash git curl rsync openssh-client sshpass py3-pip py3-requests py3-paramiko && \
+  apk upgrade --no-cache libcrypto3 libssl3 && \
   pip3 install -U pip && \
   pip3 install ansible=="${ANSIBLE_VERSION}" boto3 hcloud pywinrm passlib jsonschema && \
-  apk del --no-cache python3-dev libffi-dev build-base
+  apk del .build-deps && \
+  rm -rf /var/cache/apk/* && \
+  rm -rf /tmp/*
 
 COPY --from=build /src/dist/drone-ansible /bin/drone-ansible
 ENTRYPOINT ["/bin/drone-ansible"]