From 3af3424a9d28ace472530118353dd1e6f7252c58 Mon Sep 17 00:00:00 2001
From: fedy95
Date: Mon, 28 Jun 2021 18:35:39 +0000
Subject: [PATCH] add-security-scanners (#6)

https://gitea.fedy95.com/general/dev/issues/56

Reviewed-on: https://gitea.fedy95.com/baseimage/autossl/pulls/6
Co-authored-by: fedy95
Co-committed-by: fedy95
---
 .drone.yml | 62 ++++++++++++++++++++++++++++++++++++++++++++++--
 Dockerfile | 9 -------
 Makefile | 2 +-
 README.md | 4 ++++
 image/Dockerfile | 10 ++++++++
 5 files changed, 75 insertions(+), 12 deletions(-)
 delete mode 100644 Dockerfile
 create mode 100644 image/Dockerfile

diff --git a/.drone.yml b/.drone.yml
index fecbe71..55a41df 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -8,7 +8,65 @@ volumes: - name: dockersock host: path: /var/run/docker.sock + steps: + - name: build image + image: docker:dind + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + REGISTRY: registry.fedy95.com + commands: + - docker build -t "$REGISTRY"/baseimage-autossl:$DRONE_COMMIT_SHA image -f image/Dockerfile + when: + event: pull_request + + - name: trivy security scan + image: aquasec/trivy + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + REGISTRY: registry.fedy95.com + commands: + - "trivy \ + --exit-code 1 \ + --format json \ + --no-progress \ + $REGISTRY/baseimage-autossl:$DRONE_COMMIT_SHA" + when: + event: pull_request + + - name: grype security scan + image: docker:dind + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + REGISTRY: registry.fedy95.com + commands: + - apk add --no-cache curl + - "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | \ + sh -s -- -b /usr/local/bin" + - "grype $REGISTRY/baseimage-autossl:$DRONE_COMMIT_SHA \ + --scope all-layers \ + --fail-on=critical \ + --verbose" + when: + event: pull_request + + - name: cleanup + image: docker:dind + volumes: + - name: dockersock + path: /var/run/docker.sock + commands: + - docker rmi registry.fedy95.com/baseimage-autossl:$DRONE_COMMIT_SHA + when: + event: pull_request + status: [ success, failure ] + - name: release image: docker:dind volumes: 
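Review bot: The grype step installs the scanner with `curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh`, an unpinned and unverified script fetched from the `main` branch and piped into a shell (presumably root, as `docker:dind` runs) in a container that also has the host's `/var/run/docker.sock` mounted, so a changed or compromised script gets the same reach as the build itself. Run grype from its published image the way the trivy step does — `image: anchore/grype:<version>` and drop the `apk add --no-cache curl` and `curl | sh` lines — or at least pass a release tag to the installer, `sh -s -- -b /usr/local/bin <version>`, and give `aquasec/trivy` and `docker:dind` explicit tags so the scanner versions stop drifting between runs. The two scanners also enforce different policies: trivy fails on any finding (`--exit-code 1` with no `--severity` filter, and its JSON output goes only to the build log), while grype fails only on `--fail-on=critical`; aligning them, e.g. `--severity HIGH,CRITICAL --ignore-unfixed` on trivy, avoids a PR being blocked by unfixable LOW findings from one tool but not the other. Minor: the cleanup step hard-codes `registry.fedy95.com` where every other step reads `$REGISTRY`.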
@@ -25,8 +83,8 @@ steps: REGISTRY_PASSWORD: from_secret: REGISTRY_PASSWORD commands: - - docker build -t "$REGISTRY"/baseimage-autossl:"$DRONE_TAG" . - - docker build -t "$REGISTRY"/baseimage-autossl:latest . + - docker build -t "$REGISTRY"/baseimage-autossl:"$DRONE_TAG" image -f image/Dockerfile + - docker build -t "$REGISTRY"/baseimage-autossl:latest image -f image/Dockerfile - docker login "$REGISTRY" -u"$REGISTRY_USERNAME" -p"$REGISTRY_PASSWORD" - docker push "$REGISTRY"/baseimage-autossl:"$DRONE_TAG" - docker push "$REGISTRY"/baseimage-autossl:latest diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 6a93c1c..0000000 --- a/Dockerfile +++ /dev/null @@ -1,9 +0,0 @@ -FROM alpine - -WORKDIR /src -RUN \ - apk add --no-cache git openssl wget && \ - git clone https://github.com/acmesh-official/acme.sh.git && \ - apk del git - -WORKDIR /src/acme.sh diff --git a/Makefile b/Makefile index 9b712dc..4c9afc9 100644 --- a/Makefile +++ b/Makefile @@ -5,6 +5,6 @@ LOCAL_REPOSITORY=fedy95/baseimage:autossl TAG=latest build: - docker build -t ${LOCAL_REPOSITORY}-${TAG} . + docker build -t ${LOCAL_REPOSITORY}-${TAG} image -f image/Dockerfile .DEFAULT_GOAL := build diff --git a/README.md b/README.md index 596889d..620b4bc 100644 --- a/README.md +++ b/README.md @@ -3,3 +3,7 @@ Base image for generate ssl-certs - [acme git](https://github.com/acmesh-official/acme.sh) + +### security scanners +- [trivy](https://github.com/aquasecurity/trivy) +- [grype](https://github.com/anchore/grype) diff --git a/image/Dockerfile b/image/Dockerfile new file mode 100644 index 0000000..b0ad4af --- /dev/null +++ b/image/Dockerfile @@ -0,0 +1,10 @@ +FROM alpine:3.14 + +WORKDIR /src +RUN \ + apk update && apk upgrade && \ + apk add --no-cache git openssl==1.1.1k-r0 wget==1.21.1-r1 && \ + git clone --depth 1 --branch 2.9.0 https://github.com/acmesh-official/acme.sh.git && \ + apk del git + +WORKDIR /src/acme.sh
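Review bot: The release step still rebuilds the image from scratch with `docker build -t "$REGISTRY"/baseimage-autossl:"$DRONE_TAG" image -f image/Dockerfile`, so what gets pushed is not the artifact the trivy/grype steps examined: those steps run only on `event: pull_request`, and `image/Dockerfile` runs `apk update && apk upgrade`, so a tag-time build can contain different packages than the PR-time scan saw. If the release step's `when:` (outside this hunk) is the tag event, nothing gates the push on a scan result at all. Either extend the scanner steps' condition to `when: event: [ pull_request, tag ]` so they run before `release` on the same build, or build once, scan, and `docker tag` the scanned `$DRONE_COMMIT_SHA` image as `$DRONE_TAG` and `latest` instead of building twice more.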
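Review bot: In the `RUN` of the new `image/Dockerfile`, `apk update && apk upgrade` pulls whatever the 3.14 repository holds at build time, which undoes the pinning of `alpine:3.14`, `openssl==1.1.1k-r0` and `wget==1.21.1-r1` on the next line: two builds of the same commit can differ, the scan result from a PR build does not describe a later build, and the exact pins will generally start failing once the branch repository replaces those package revisions with newer ones. Prefer dropping the blanket upgrade and taking fixes by bumping the base tag or digest (`FROM alpine:3.14@sha256:...`), or, if the upgrade stays, run it as `apk --no-cache upgrade` so the index fetched by `apk update` is not left behind under `/var/cache/apk` in this layer. The image also finishes as root with no `USER`; if downstream images do not need root for acme.sh, add `RUN addgroup -S acme && adduser -S -G acme acme` and `USER acme` after the package step. `git clone --depth 1 --branch 2.9.0` pins a tag, which can be moved upstream; if the tag is the trust anchor, record the expected commit hash in a comment or check it out explicitly.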