
ci: add trivy scan (#194)

This commit is contained in:
Robert Kaussow 2023-11-13 10:10:56 +01:00 committed by GitHub
parent 5c550ba608
commit 880f3ec40b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 12 deletions


@ -95,19 +95,26 @@ platform:
arch: amd64 arch: amd64
steps: steps:
- name: dryrun - name: security-build
image: docker.io/owncloudci/drone-docker-buildx:1 image: docker.io/owncloudci/drone-docker-buildx:1
settings: settings:
dockerfile: Dockerfile.multiarch dockerfile: Dockerfile.multiarch
dry_run: true output: type=oci,dest=oci/${DRONE_REPO_NAME},tar=false
platforms:
- linux/amd64
- linux/arm64
provenance: false
repo: owncloudci/${DRONE_REPO_NAME} repo: owncloudci/${DRONE_REPO_NAME}
when:
ref: - name: security-scan
- refs/pull/** image: ghcr.io/aquasecurity/trivy
commands:
- trivy -v
- trivy image --input oci/${DRONE_REPO_NAME}
environment:
TRIVY_EXIT_CODE: 1
TRIVY_IGNORE_UNFIXED: True
TRIVY_NO_PROGRESS: True
TRIVY_SEVERITY: HIGH,CRITICAL
TRIVY_TIMEOUT: 1m
depends_on:
- security-build
- name: publish - name: publish
image: docker.io/owncloudci/drone-docker-buildx:1 image: docker.io/owncloudci/drone-docker-buildx:1
@ -128,7 +135,7 @@ steps:
- refs/heads/main - refs/heads/main
- refs/tags/** - refs/tags/**
depends_on: depends_on:
- dryrun - security-scan
trigger: trigger:
ref: ref:
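Review bot: The new `security-scan` step pulls `ghcr.io/aquasecurity/trivy` with no tag, so the gate that `publish` now depends on runs whatever `latest` resolves to on the day — a floating scanner in the one step meant to block a release is itself a supply-chain exposure and makes a red build hard to reproduce; pin it to a release tag or an `@sha256:` digest, the way the buildx image on the line above is at least held to `:1`. `TRIVY_IGNORE_UNFIXED: True` and `TRIVY_NO_PROGRESS: True` are parsed as YAML booleans before they are rendered into environment strings; write them as `"true"` so the value Trivy receives is explicit. With `TRIVY_IGNORE_UNFIXED` set, an unfixed HIGH/CRITICAL finding never fails the build, which is a reasonable trade-off but deserves a comment above the step, e.g. `# Blocks publish only on fixable HIGH/CRITICAL findings; unfixed CVEs are reported but do not fail the build`. The `oci/${DRONE_REPO_NAME}` layout holds both `linux/amd64` and `linux/arm64` but the scan passes no platform selector, so which architecture's packages get scanned depends on how Trivy picks from the index — confirm against a run, or scan each platform explicitly.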


@ -24,10 +24,14 @@ ARG ANSIBLE_VERSION
# renovate: datasource=pypi depName=ansible # renovate: datasource=pypi depName=ansible
ENV ANSIBLE_VERSION="${ANSIBLE_VERSION:-8.6.1}" ENV ANSIBLE_VERSION="${ANSIBLE_VERSION:-8.6.1}"
RUN apk add --no-cache bash git curl rsync openssh-client sshpass py3-pip py3-requests py3-paramiko python3-dev libffi-dev build-base && \ RUN apk --update add --virtual .build-deps python3-dev libffi-dev build-base && \
apk add --no-cache bash git curl rsync openssh-client sshpass py3-pip py3-requests py3-paramiko && \
apk upgrade --no-cache libcrypto3 libssl3 && \
pip3 install -U pip && \ pip3 install -U pip && \
pip3 install ansible=="${ANSIBLE_VERSION}" boto3 hcloud pywinrm passlib jsonschema && \ pip3 install ansible=="${ANSIBLE_VERSION}" boto3 hcloud pywinrm passlib jsonschema && \
apk del --no-cache python3-dev libffi-dev build-base apk del .build-deps && \
rm -rf /var/cache/apk/* && \
rm -rf /tmp/*
COPY --from=build /src/dist/drone-ansible /bin/drone-ansible COPY --from=build /src/dist/drone-ansible /bin/drone-ansible
ENTRYPOINT ["/bin/drone-ansible"] ENTRYPOINT ["/bin/drone-ansible"]
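Review bot: The cleanup at the end of the `RUN` removes `/var/cache/apk/*` and `/tmp/*` but not pip's wheel cache, which the two `pip3 install` lines populate in the same layer; add `--no-cache-dir` to both, i.e. `pip3 install --no-cache-dir -U pip && \` and `pip3 install --no-cache-dir ansible=="${ANSIBLE_VERSION}" boto3 hcloud pywinrm passlib jsonschema && \`. The `--update` on the first `apk add` fetches the index into `/var/cache/apk` only for the trailing `rm -rf /var/cache/apk/*` to delete it, while the second `apk add` already uses `--no-cache`; using `--no-cache` on both is the conventional form and makes the explicit `rm` redundant. `apk upgrade --no-cache libcrypto3 libssl3` is a targeted fix for whatever the scan flags today and will need editing the next time a different package is affected; a comment above it such as `# Pull patched OpenSSL ahead of the base image tag; CI gates on fixable HIGH/CRITICAL findings` keeps the next reader from dropping it, and an unqualified `apk upgrade --no-cache` is the alternative if reproducibility of the base layer is not a concern.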