add-security-scanners (#6)

general/dev#56

Reviewed-on: #6
Co-authored-by: fedy95 <fedy95@protonmail.com>
Co-committed-by: fedy95 <fedy95@protonmail.com>

.drone.yml

@@ -8,7 +8,65 @@ volumes:
   - name: dockersock
     host:
       path: /var/run/docker.sock
+
 steps:
+  - name: build image
+    image: docker:dind
+    volumes:
+      - name: dockersock
+        path: /var/run/docker.sock
+    environment:
+      REGISTRY: registry.fedy95.com
+    commands:
+      - docker build -t "$REGISTRY"/baseimage-autossl:$DRONE_COMMIT_SHA image -f image/Dockerfile
+    when:
+      event: pull_request
+
+  - name: trivy security scan
+    image: aquasec/trivy
+    volumes:
+      - name: dockersock
+        path: /var/run/docker.sock
+    environment:
+      REGISTRY: registry.fedy95.com
+    commands:
+      - "trivy \
+         --exit-code 1 \
+         --format json \
+         --no-progress \
+         $REGISTRY/baseimage-autossl:$DRONE_COMMIT_SHA"
+    when:
+      event: pull_request
+
+  - name: grype security scan
+    image: docker:dind
+    volumes:
+      - name: dockersock
+        path: /var/run/docker.sock
+    environment:
+      REGISTRY: registry.fedy95.com
+    commands:
+      - apk add --no-cache curl
+      - "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | \
+        sh -s -- -b /usr/local/bin"
+      - "grype $REGISTRY/baseimage-autossl:$DRONE_COMMIT_SHA \
+         --scope all-layers \
+         --fail-on=critical \
+         --verbose"
+    when:
+      event: pull_request
+
+  - name: cleanup
+    image: docker:dind
+    volumes:
+      - name: dockersock
+        path: /var/run/docker.sock
+    commands:
+      - docker rmi registry.fedy95.com/baseimage-autossl:$DRONE_COMMIT_SHA
+    when:
+      event: pull_request
+      status: [ success, failure ]
+
   - name: release
     image: docker:dind
     volumes:
@@ -25,8 +83,8 @@ steps:
       REGISTRY_PASSWORD:
         from_secret: REGISTRY_PASSWORD
     commands:
-      - docker build -t "$REGISTRY"/baseimage-autossl:"$DRONE_TAG" .
-      - docker build -t "$REGISTRY"/baseimage-autossl:latest .
+      - docker build -t "$REGISTRY"/baseimage-autossl:"$DRONE_TAG" image -f image/Dockerfile
+      - docker build -t "$REGISTRY"/baseimage-autossl:latest image -f image/Dockerfile
       - docker login "$REGISTRY" -u"$REGISTRY_USERNAME" -p"$REGISTRY_PASSWORD"
       - docker push "$REGISTRY"/baseimage-autossl:"$DRONE_TAG"
       - docker push "$REGISTRY"/baseimage-autossl:latest

Dockerfile

@@ -1,9 +0,0 @@
-FROM alpine
-
-WORKDIR /src
-RUN \
-  apk add --no-cache git openssl wget && \
-  git clone https://github.com/acmesh-official/acme.sh.git && \
-  apk del git
-
-WORKDIR /src/acme.sh

Makefile

@@ -5,6 +5,6 @@ LOCAL_REPOSITORY=fedy95/baseimage:autossl
 TAG=latest
 
 build:
-	docker build -t ${LOCAL_REPOSITORY}-${TAG} .
+	docker build -t ${LOCAL_REPOSITORY}-${TAG} image -f image/Dockerfile
 
 .DEFAULT_GOAL := build

README.md

@@ -3,3 +3,7 @@
 Base image for generate ssl-certs
 
 - [acme git](https://github.com/acmesh-official/acme.sh)
+
+### security scanners
+- [trivy](https://github.com/aquasecurity/trivy)
+- [grype](https://github.com/anchore/grype)

image/Dockerfile

@@ -0,0 +1,10 @@
+FROM alpine:3.14
+
+WORKDIR /src
+RUN \
+  apk update && apk upgrade && \
+  apk add --no-cache git openssl==1.1.1k-r0 wget==1.21.1-r1 && \
+  git clone --depth 1 --branch 2.9.0 https://github.com/acmesh-official/acme.sh.git && \
+  apk del git
+
+WORKDIR /src/acme.sh