From 880f3ec40bddd854eacdc93a2d1c516b7df9095d Mon Sep 17 00:00:00 2001
From: Robert Kaussow <mail@thegeeklab.de>
Date: Mon, 13 Nov 2023 10:10:56 +0100
Subject: [PATCH] ci: add trivy scan (#194)

---
 .drone.yml           | 27 +++++++++++++++++----------
 Dockerfile.multiarch |  8 ++++++--
 2 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/.drone.yml b/.drone.yml
index d76f710..f6d371f 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -95,19 +95,26 @@ platform:
   arch: amd64
 
 steps:
-  - name: dryrun
+  - name: security-build
     image: docker.io/owncloudci/drone-docker-buildx:1
     settings:
       dockerfile: Dockerfile.multiarch
-      dry_run: true
-      platforms:
-        - linux/amd64
-        - linux/arm64
-      provenance: false
+      output: type=oci,dest=oci/${DRONE_REPO_NAME},tar=false
       repo: owncloudci/${DRONE_REPO_NAME}
-    when:
-      ref:
-        - refs/pull/**
+
+  - name: security-scan
+    image: ghcr.io/aquasecurity/trivy
+    commands:
+      - trivy -v
+      - trivy image --input oci/${DRONE_REPO_NAME}
+    environment:
+      TRIVY_EXIT_CODE: 1
+      TRIVY_IGNORE_UNFIXED: True
+      TRIVY_NO_PROGRESS: True
+      TRIVY_SEVERITY: HIGH,CRITICAL
+      TRIVY_TIMEOUT: 1m
+    depends_on:
+      - security-build
 
   - name: publish
     image: docker.io/owncloudci/drone-docker-buildx:1
@@ -128,7 +135,7 @@ steps:
         - refs/heads/main
         - refs/tags/**
     depends_on:
-      - dryrun
+      - security-scan
 
 trigger:
   ref:
diff --git a/Dockerfile.multiarch b/Dockerfile.multiarch
index 61253e9..3f86395 100644
--- a/Dockerfile.multiarch
+++ b/Dockerfile.multiarch
@@ -24,10 +24,14 @@ ARG ANSIBLE_VERSION
 # renovate: datasource=pypi depName=ansible
 ENV ANSIBLE_VERSION="${ANSIBLE_VERSION:-8.6.1}"
 
-RUN apk add --no-cache bash git curl rsync openssh-client sshpass py3-pip py3-requests py3-paramiko python3-dev libffi-dev build-base && \
+RUN apk --update add --virtual .build-deps python3-dev libffi-dev build-base && \
+  apk add --no-cache bash git curl rsync openssh-client sshpass py3-pip py3-requests py3-paramiko && \
+  apk upgrade --no-cache libcrypto3 libssl3 && \
   pip3 install -U pip && \
   pip3 install ansible=="${ANSIBLE_VERSION}" boto3 hcloud pywinrm passlib jsonschema && \
-  apk del --no-cache python3-dev libffi-dev build-base
+  apk del .build-deps && \
+  rm -rf /var/cache/apk/* && \
+  rm -rf /tmp/*
 
 COPY --from=build /src/dist/drone-ansible /bin/drone-ansible
 ENTRYPOINT ["/bin/drone-ansible"]