ci: add trivy scan (#194)
This commit is contained in:
parent
5c550ba608
commit
880f3ec40b
27
.drone.yml
27
.drone.yml
@ -95,19 +95,26 @@ platform:
|
|||||||
arch: amd64
|
arch: amd64
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: dryrun
|
- name: security-build
|
||||||
image: docker.io/owncloudci/drone-docker-buildx:1
|
image: docker.io/owncloudci/drone-docker-buildx:1
|
||||||
settings:
|
settings:
|
||||||
dockerfile: Dockerfile.multiarch
|
dockerfile: Dockerfile.multiarch
|
||||||
dry_run: true
|
output: type=oci,dest=oci/${DRONE_REPO_NAME},tar=false
|
||||||
platforms:
|
|
||||||
- linux/amd64
|
|
||||||
- linux/arm64
|
|
||||||
provenance: false
|
|
||||||
repo: owncloudci/${DRONE_REPO_NAME}
|
repo: owncloudci/${DRONE_REPO_NAME}
|
||||||
when:
|
|
||||||
ref:
|
- name: security-scan
|
||||||
- refs/pull/**
|
image: ghcr.io/aquasecurity/trivy
|
||||||
|
commands:
|
||||||
|
- trivy -v
|
||||||
|
- trivy image --input oci/${DRONE_REPO_NAME}
|
||||||
|
environment:
|
||||||
|
TRIVY_EXIT_CODE: 1
|
||||||
|
TRIVY_IGNORE_UNFIXED: True
|
||||||
|
TRIVY_NO_PROGRESS: True
|
||||||
|
TRIVY_SEVERITY: HIGH,CRITICAL
|
||||||
|
TRIVY_TIMEOUT: 1m
|
||||||
|
depends_on:
|
||||||
|
- security-build
|
||||||
|
|
||||||
- name: publish
|
- name: publish
|
||||||
image: docker.io/owncloudci/drone-docker-buildx:1
|
image: docker.io/owncloudci/drone-docker-buildx:1
|
||||||
@ -128,7 +135,7 @@ steps:
|
|||||||
- refs/heads/main
|
- refs/heads/main
|
||||||
- refs/tags/**
|
- refs/tags/**
|
||||||
depends_on:
|
depends_on:
|
||||||
- dryrun
|
- security-scan
|
||||||
|
|
||||||
trigger:
|
trigger:
|
||||||
ref:
|
ref:
|
||||||
|
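Review bot: The new security-scan step pulls `image: ghcr.io/aquasecurity/trivy` without a tag, so the gate that now blocks publish (the second hunk's `depends_on: - security-scan`) floats on whatever `latest` resolves to, while the buildx steps around it at least pin `:1`; pin it, e.g. `image: ghcr.io/aquasecurity/trivy:<PINNED_VERSION>`, and track it with the same renovate-style comment the Dockerfile already uses for the ansible version. The security-build step also drops the `platforms:` list the old dryrun had, so only the runner's native image lands in `oci/${DRONE_REPO_NAME}` and gets scanned; if publish still builds linux/arm64, that variant ships unscanned and the step should say so in a comment. If publish rebuilds from `Dockerfile.multiarch` rather than pushing the scanned OCI output (its settings are outside this hunk), the scan gates the Dockerfile, not the artifact that is actually published, which is worth stating next to the step. Finally, `TRIVY_IGNORE_UNFIXED: True` and `TRIVY_NO_PROGRESS: True` are parsed as YAML 1.1 booleans rather than the string `true`; lowercase `true` (or quoted `"true"`) matches the file's existing `dry_run: true` style.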
@ -24,10 +24,14 @@ ARG ANSIBLE_VERSION
|
|||||||
# renovate: datasource=pypi depName=ansible
|
# renovate: datasource=pypi depName=ansible
|
||||||
ENV ANSIBLE_VERSION="${ANSIBLE_VERSION:-8.6.1}"
|
ENV ANSIBLE_VERSION="${ANSIBLE_VERSION:-8.6.1}"
|
||||||
|
|
||||||
RUN apk add --no-cache bash git curl rsync openssh-client sshpass py3-pip py3-requests py3-paramiko python3-dev libffi-dev build-base && \
|
RUN apk --update add --virtual .build-deps python3-dev libffi-dev build-base && \
|
||||||
|
apk add --no-cache bash git curl rsync openssh-client sshpass py3-pip py3-requests py3-paramiko && \
|
||||||
|
apk upgrade --no-cache libcrypto3 libssl3 && \
|
||||||
pip3 install -U pip && \
|
pip3 install -U pip && \
|
||||||
pip3 install ansible=="${ANSIBLE_VERSION}" boto3 hcloud pywinrm passlib jsonschema && \
|
pip3 install ansible=="${ANSIBLE_VERSION}" boto3 hcloud pywinrm passlib jsonschema && \
|
||||||
apk del --no-cache python3-dev libffi-dev build-base
|
apk del .build-deps && \
|
||||||
|
rm -rf /var/cache/apk/* && \
|
||||||
|
rm -rf /tmp/*
|
||||||
|
|
||||||
COPY --from=build /src/dist/drone-ansible /bin/drone-ansible
|
COPY --from=build /src/dist/drone-ansible /bin/drone-ansible
|
||||||
ENTRYPOINT ["/bin/drone-ansible"]
|
ENTRYPOINT ["/bin/drone-ansible"]
|
||||||
|
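Review bot: `apk upgrade --no-cache libcrypto3 libssl3` upgrades exactly two packages by name with no comment saying why, so the line goes stale as soon as the next finding lands in a different package (presumably these two were picked to clear what the new trivy step reports). Either document it, e.g. `# upgrade packages flagged by trivy that the base image has not yet rolled forward`, or drop the package list and run `apk upgrade --no-cache && \` so every fixable package is refreshed, not just today's two. The `apk --update add --virtual .build-deps` line fetches the index into /var/cache/apk, which the new trailing `rm -rf /var/cache/apk/*` then cleans up; using `--no-cache` as the following `apk add` line does would avoid writing it at all. This section's file header is not visible on the page, so the path can only be inferred.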