diff --git a/.drone.yml b/.drone.yml index fecbe71..b22af17 100644 --- a/.drone.yml +++ b/.drone.yml @@ -8,7 +8,64 @@ volumes: - name: dockersock host: path: /var/run/docker.sock + steps: + - name: build image + image: docker:dind + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + REGISTRY: registry.fedy95.com + commands: + - docker build -t "$REGISTRY"/baseimage-autossl:$DRONE_COMMIT_SHA image -f image/Dockerfile + when: + event: pull_request + + - name: trivy security scan + image: aquasec/trivy + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + REGISTRY: registry.fedy95.com + commands: + - "trivy \ + --exit-code 1 \ + --format json \ + --no-progress \ + $REGISTRY/baseimage-autossl:$DRONE_COMMIT_SHA" + when: + event: pull_request + + - name: grype security scan + image: docker:dind + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + REGISTRY: registry.fedy95.com + commands: + - apk add --no-cache curl + - "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | \ + sh -s -- -b /usr/local/bin" + - "grype $REGISTRY/baseimage-autossl:$DRONE_COMMIT_SHA \ + --scope all-layers \ + --fail-on=critical \ + --verbose" + when: + event: pull_request + + - name: cleanup + image: docker:dind + volumes: + - name: dockersock + path: /var/run/docker.sock + commands: + - docker rmi registry.fedy95.com/baseimage-autossl:$DRONE_COMMIT_SHA + when: + event: pull_request + - name: release image: docker:dind volumes: 
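Review bot: The grype step installs the scanner that gates the pipeline with `curl ... | sh` from the upstream `main` branch on every run, so the gate itself is unpinned and unverified; the `aquasec/trivy` and `docker:dind` images are likewise unpinned. Using the published `anchore/grype` image pinned to a release tag (and pinning `aquasec/trivy` the same way) removes the `apk add --no-cache curl` and the piped installer entirely; if the installer must stay, pass an explicit release version to `install.sh` instead of tracking `main`. Separately, Drone skips later steps once a step fails, so a failing trivy or grype scan leaves the `$DRONE_COMMIT_SHA` image on the shared host daemon; adding `status: [success, failure]` under the cleanup step's `when:` makes the `docker rmi` unconditional. Note also that every PR step mounts the host Docker socket, which is root-equivalent on the runner — Drone restricts host volumes to trusted repositories, so this pipeline should not be allowed to run for fork pull requests.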
@@ -25,8 +82,8 @@ steps: REGISTRY_PASSWORD: from_secret: REGISTRY_PASSWORD commands: - - docker build -t "$REGISTRY"/baseimage-autossl:"$DRONE_TAG" . - - docker build -t "$REGISTRY"/baseimage-autossl:latest . + - docker build -t "$REGISTRY"/baseimage-autossl:"$DRONE_TAG" image -f image/Dockerfile + - docker build -t "$REGISTRY"/baseimage-autossl:latest image -f image/Dockerfile - docker login "$REGISTRY" -u"$REGISTRY_USERNAME" -p"$REGISTRY_PASSWORD" - docker push "$REGISTRY"/baseimage-autossl:"$DRONE_TAG" - docker push "$REGISTRY"/baseimage-autossl:latest diff --git a/Makefile b/Makefile index 9b712dc..4c9afc9 100644 --- a/Makefile +++ b/Makefile @@ -5,6 +5,6 @@ LOCAL_REPOSITORY=fedy95/baseimage:autossl TAG=latest build: - docker build -t ${LOCAL_REPOSITORY}-${TAG} . + docker build -t ${LOCAL_REPOSITORY}-${TAG} image -f image/Dockerfile .DEFAULT_GOAL := build diff --git a/README.md b/README.md index 596889d..620b4bc 100644 --- a/README.md +++ b/README.md @@ -3,3 +3,7 @@ Base image for generate ssl-certs - [acme git](https://github.com/acmesh-official/acme.sh) + +### security scanners +- [trivy](https://github.com/aquasecurity/trivy) +- [grype](https://github.com/anchore/grype) diff --git a/Dockerfile b/image/Dockerfile similarity index 76% rename from Dockerfile rename to image/Dockerfile index 6a93c1c..ee84eb2 100644 --- a/Dockerfile +++ b/image/Dockerfile @@ -1,7 +1,8 @@ -FROM alpine +FROM alpine:3.14 WORKDIR /src RUN \ + apk update && apk upgrade && \ apk add --no-cache git openssl wget && \ git clone https://github.com/acmesh-official/acme.sh.git && \ apk del git
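Review bot: The images pushed by this step are rebuilt here from `image/Dockerfile` and never pass through the trivy/grype steps, which are gated on `event: pull_request`, so a base with known critical findings can still be tagged and published (the release step's own `when:` is outside the hunk, but presumably a tag trigger, which the scan steps cannot gate). Build once, derive the alias with `docker tag "$REGISTRY"/baseimage-autossl:"$DRONE_TAG" "$REGISTRY"/baseimage-autossl:latest`, and run at least the `--fail-on=critical` grype scan against that image before `docker push`, or drop the `pull_request` restriction on the scan steps so they gate every build. While here, the unchanged `docker login ... -p"$REGISTRY_PASSWORD"` line passes the registry secret as a command-line argument, where it is visible in process listings and any shell trace; `echo "$REGISTRY_PASSWORD" | docker login "$REGISTRY" -u "$REGISTRY_USERNAME" --password-stdin` keeps it off the command line.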
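Review bot: The added `apk update && apk upgrade` writes the package index into `/var/cache/apk` in this layer, which the `--no-cache` on the following `apk add` was meant to avoid; `apk --no-cache upgrade && \` fetches a fresh index without persisting it and makes the separate `apk update` unnecessary. Pinning `alpine:3.14` is better than the floating tag, but that release line left Alpine's support window in 2023, so `apk upgrade` will stop delivering security fixes and the new trivy/grype gates will start flagging the base itself; prefer the current stable line and bump it deliberately. The unchanged `git clone` still tracks acme.sh's default branch with no tag or commit pin, so each build pulls whatever upstream HEAD happens to be at build time; `git clone --depth 1 --branch <tested release tag> ...` makes the image reproducible and the update reviewable. The RUN instruction may continue past the end of the hunk.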