From 900eb3893914f2e23c48d4372393b672fcf5f3d7 Mon Sep 17 00:00:00 2001 From: fedy95 Date: Mon, 28 Jun 2021 21:08:06 +0300 Subject: [PATCH 1/8] add-security-scanners --- .drone.yml | 61 ++++++++++++++++++++++++++++++++-- Makefile | 2 +- README.md | 4 +++ Dockerfile => image/Dockerfile | 3 +- 4 files changed, 66 insertions(+), 4 deletions(-) rename Dockerfile => image/Dockerfile (76%) diff --git a/.drone.yml b/.drone.yml index fecbe71..b22af17 100644 --- a/.drone.yml +++ b/.drone.yml @@ -8,7 +8,64 @@ volumes: - name: dockersock host: path: /var/run/docker.sock + steps: + - name: build image + image: docker:dind + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + REGISTRY: registry.fedy95.com + commands: + - docker build -t "$REGISTRY"/baseimage-autossl:$DRONE_COMMIT_SHA image -f image/Dockerfile + when: + event: pull_request + + - name: trivy security scan + image: aquasec/trivy + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + REGISTRY: registry.fedy95.com + commands: + - "trivy \ + --exit-code 1 \ + --format json \ + --no-progress \ + $REGISTRY/baseimage-autossl:$DRONE_COMMIT_SHA" + when: + event: pull_request + + - name: grype security scan + image: docker:dind + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + REGISTRY: registry.fedy95.com + commands: + - apk add --no-cache curl + - "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | \ + sh -s -- -b /usr/local/bin" + - "grype $REGISTRY/baseimage-autossl:$DRONE_COMMIT_SHA \ + --scope all-layers \ + --fail-on=critical \ + --verbose" + when: + event: pull_request + + - name: cleanup + image: docker:dind + volumes: + - name: dockersock + path: /var/run/docker.sock + commands: + - docker rmi registry.fedy95.com/baseimage-autossl:$DRONE_COMMIT_SHA + when: + event: pull_request + - name: release image: docker:dind volumes: 
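Review bot: The grype step installs its scanner at run time with `curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin`, so every pull-request run executes whatever is on upstream `main` at that moment, with no version pin and no checksum — the tool that is supposed to gate the image is itself an unverified download. The simplest fix is to run the step from the published scanner image as the trivy step already does (`image: anchore/grype` with a pinned tag), which also removes the `apk add --no-cache curl` line and the dind image for that step; if the installer is kept, pass it a release version as its last argument, e.g. `sh -s -- -b /usr/local/bin <pinned-grype-release>`. `aquasec/trivy` and `docker:dind` carry no tag either, so scanner behaviour and the build toolchain can change underneath the pipeline silently; pin both. Mounting `/var/run/docker.sock` into steps gated on `event: pull_request` gives pull-request builds full control of the host daemon; whether that is acceptable depends on whether this repository runs pipelines for forks, which is not visible here.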
@@ -25,8 +82,8 @@ steps: REGISTRY_PASSWORD: from_secret: REGISTRY_PASSWORD commands: - - docker build -t "$REGISTRY"/baseimage-autossl:"$DRONE_TAG" . - - docker build -t "$REGISTRY"/baseimage-autossl:latest . + - docker build -t "$REGISTRY"/baseimage-autossl:"$DRONE_TAG" image -f image/Dockerfile + - docker build -t "$REGISTRY"/baseimage-autossl:latest image -f image/Dockerfile - docker login "$REGISTRY" -u"$REGISTRY_USERNAME" -p"$REGISTRY_PASSWORD" - docker push "$REGISTRY"/baseimage-autossl:"$DRONE_TAG" - docker push "$REGISTRY"/baseimage-autossl:latest diff --git a/Makefile b/Makefile index 9b712dc..4c9afc9 100644 --- a/Makefile +++ b/Makefile @@ -5,6 +5,6 @@ LOCAL_REPOSITORY=fedy95/baseimage:autossl TAG=latest build: - docker build -t ${LOCAL_REPOSITORY}-${TAG} . + docker build -t ${LOCAL_REPOSITORY}-${TAG} image -f image/Dockerfile .DEFAULT_GOAL := build diff --git a/README.md b/README.md index 596889d..620b4bc 100644 --- a/README.md +++ b/README.md @@ -3,3 +3,7 @@ Base image for generate ssl-certs - [acme git](https://github.com/acmesh-official/acme.sh) + +### security scanners +- [trivy](https://github.com/aquasecurity/trivy) +- [grype](https://github.com/anchore/grype) diff --git a/Dockerfile b/image/Dockerfile similarity index 76% rename from Dockerfile rename to image/Dockerfile index 6a93c1c..ee84eb2 100644 --- a/Dockerfile +++ b/image/Dockerfile @@ -1,7 +1,8 @@ -FROM alpine +FROM alpine:3.14 WORKDIR /src RUN \ + apk update && apk upgrade && \ apk add --no-cache git openssl wget && \ git clone https://github.com/acmesh-official/acme.sh.git && \ apk del git -- 2.30.2 From caec635883f377a1cdc67dde064fe63dc6fdd7ef Mon Sep 17 00:00:00 2001 From: fedy95 Date: Mon, 28 Jun 2021 21:11:27 +0300 Subject: [PATCH 2/8] add-security-scanners --- image/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/image/Dockerfile b/image/Dockerfile index ee84eb2..64184b2 100644 --- a/image/Dockerfile +++ b/image/Dockerfile 
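Review bot: The release step still rebuilds the image from scratch on the tag event (`docker build -t "$REGISTRY"/baseimage-autossl:"$DRONE_TAG" image -f image/Dockerfile`), while every scan step added in this series is gated on `event: pull_request`, so the image that actually reaches the registry is never the one trivy and grype examined. With `apk upgrade` in the Dockerfile two builds of the same commit can differ in package content, so the pull-request scan result does not carry over to the pushed image. Either run the scan steps on the tag event as well, placed before `docker login` and `docker push`, or retag the already-scanned `$DRONE_COMMIT_SHA` image instead of rebuilding. The `docker login ... -p"$REGISTRY_PASSWORD"` context line predates this change, but passing the secret as an argument exposes it to process listings; `--password-stdin` avoids that.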
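Review bot: The new `apk update && apk upgrade && \` line leaves the fetched package index in `/var/cache/apk/` inside the layer, because the `--no-cache` on the following `apk add` does not apply to it; `apk upgrade --no-cache && \` performs the same upgrade without the cached index, and since `apk add --no-cache` refreshes the index on its own the explicit `apk update` is redundant. The unconstrained `apk upgrade` also makes the image content depend on when it was built rather than on the commit, which matters here because the scan steps in `.drone.yml` run only on pull requests. Pinning `FROM alpine:3.14` is the right direction; the `git clone` of acme.sh on the next line is still unversioned in this patch.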
@@ -3,7 +3,7 @@ FROM alpine:3.14 WORKDIR /src RUN \ apk update && apk upgrade && \ - apk add --no-cache git openssl wget && \ + apk add --no-cache git openssl-1.1.1k-r1 wget && \ git clone https://github.com/acmesh-official/acme.sh.git && \ apk del git -- 2.30.2 From c5dd054f9dff734fe2d9782e29fe9efe87862346 Mon Sep 17 00:00:00 2001 From: fedy95 Date: Mon, 28 Jun 2021 21:19:49 +0300 Subject: [PATCH 3/8] add-security-scanners --- .drone.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index b22af17..f9b3d93 100644 --- a/.drone.yml +++ b/.drone.yml @@ -51,7 +51,6 @@ steps: sh -s -- -b /usr/local/bin" - "grype $REGISTRY/baseimage-autossl:$DRONE_COMMIT_SHA \ --scope all-layers \ - --fail-on=critical \ --verbose" when: event: pull_request -- 2.30.2 From 42a3334caaf62297f42d808df52d02b74add9533 Mon Sep 17 00:00:00 2001 From: fedy95 Date: Mon, 28 Jun 2021 21:20:23 +0300 Subject: [PATCH 4/8] add-security-scanners --- image/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/image/Dockerfile b/image/Dockerfile index 64184b2..8ddc982 100644 --- a/image/Dockerfile +++ b/image/Dockerfile @@ -3,7 +3,7 @@ FROM alpine:3.14 WORKDIR /src RUN \ apk update && apk upgrade && \ - apk add --no-cache git openssl-1.1.1k-r1 wget && \ + apk add --no-cache git openssl-1.1.1k-r0 wget-1.21.1-r1 && \ git clone https://github.com/acmesh-official/acme.sh.git && \ apk del git -- 2.30.2 From 31c522ffd50697e1b538d0ea989f7047664fb8bf Mon Sep 17 00:00:00 2001 From: fedy95 Date: Mon, 28 Jun 2021 21:24:52 +0300 Subject: [PATCH 5/8] add-security-scanners --- image/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/image/Dockerfile b/image/Dockerfile index 8ddc982..b0ad4af 100644 --- a/image/Dockerfile +++ b/image/Dockerfile 
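Review bot: `openssl-1.1.1k-r1` in the new `apk add --no-cache git openssl-1.1.1k-r1 wget && \` line is not a version constraint — apk reads the whole token as a package name, so this should fail with an unknown package instead of installing a pinned openssl; the documented form is `openssl=1.1.1k-r1`. Patch 4 below repeats the same form with `openssl-1.1.1k-r0 wget-1.21.1-r1`, and patch 5 switches to `==`; `=` is the operator Alpine documents, so the `==` form should be confirmed against apk-tools on 3.14 before the build relies on it. Independently of syntax, an exact `-rN` pin placed after `apk upgrade` is fragile: the Alpine repositories generally keep only the current revision of a package, so the build breaks as soon as the next revision is published, and the pin blocks exactly the security update the scanner would ask for. Pinning the base image tag and letting the scanner gate findings is usually more maintainable than pinning individual package revisions.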
@@ -3,8 +3,8 @@ FROM alpine:3.14 WORKDIR /src RUN \ apk update && apk upgrade && \ - apk add --no-cache git openssl-1.1.1k-r0 wget-1.21.1-r1 && \ - git clone https://github.com/acmesh-official/acme.sh.git && \ + apk add --no-cache git openssl==1.1.1k-r0 wget==1.21.1-r1 && \ + git clone --depth 1 --branch 2.9.0 https://github.com/acmesh-official/acme.sh.git && \ apk del git WORKDIR /src/acme.sh -- 2.30.2 From 14f7570eae72bf4834f8e2b50c9f66b3b85e93de Mon Sep 17 00:00:00 2001 From: fedy95 Date: Mon, 28 Jun 2021 21:28:47 +0300 Subject: [PATCH 6/8] add-security-scanners --- .drone.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.drone.yml b/.drone.yml index f9b3d93..b22af17 100644 --- a/.drone.yml +++ b/.drone.yml @@ -51,6 +51,7 @@ steps: sh -s -- -b /usr/local/bin" - "grype $REGISTRY/baseimage-autossl:$DRONE_COMMIT_SHA \ --scope all-layers \ + --fail-on=critical \ --verbose" when: event: pull_request -- 2.30.2 From ffa0807dd6b4b7ef69b8b30e1764c98313a1fe51 Mon Sep 17 00:00:00 2001 From: fedy95 Date: Mon, 28 Jun 2021 21:30:47 +0300 Subject: [PATCH 7/8] add-security-scanners --- .drone.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.drone.yml b/.drone.yml index b22af17..93a7e0a 100644 --- a/.drone.yml +++ b/.drone.yml @@ -65,6 +65,7 @@ steps: - docker rmi registry.fedy95.com/baseimage-autossl:$DRONE_COMMIT_SHA when: event: pull_request + status: [ changed, failure ] - name: release image: docker:dind -- 2.30.2 From 80366ee4b8c888b32fb5377a8c624540ac26f290 Mon Sep 17 00:00:00 2001 From: fedy95 Date: Mon, 28 Jun 2021 21:35:09 +0300 Subject: [PATCH 8/8] add-security-scanners --- .drone.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index 93a7e0a..55a41df 100644 --- a/.drone.yml +++ b/.drone.yml @@ -65,7 +65,7 @@ steps: - docker rmi registry.fedy95.com/baseimage-autossl:$DRONE_COMMIT_SHA when: event: pull_request - status: [ changed, failure ] + status: [ success, failure ] - name: release image: docker:dind -- 2.30.2
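Review bot: `git clone --depth 1 --branch 2.9.0 https://github.com/acmesh-official/acme.sh.git` pins the checkout to a tag name, and tags are mutable references, so the build is reproducible only as long as upstream never moves the tag. Recording the expected commit and verifying it after the clone, e.g. `git -C acme.sh rev-parse HEAD | grep -qx <expected-commit-placeholder>` before `apk del git`, turns the name pin into an integrity check. The `==` operator on this hunk's `apk add` line is discussed at patch 2 above.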
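Review bot: With `--fail-on=critical` restored, grype gates only on critical findings, while the trivy step earlier in the same file runs with `--exit-code 1` and no `--severity` filter and therefore fails the pull request on any finding at all, so the two scanners enforce different policies and the grype gate adds little on top of trivy. Agree on one threshold for both, e.g. `--fail-on=high` here and `--severity HIGH,CRITICAL --exit-code 1` (optionally `--ignore-unfixed`) for trivy, and state in a comment above the step which scanner is the authoritative gate. The grype step and its `commands:` list start outside this hunk.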
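Review bot: Now that cleanup also runs on `failure`, a failed `build image` step leaves no `$DRONE_COMMIT_SHA` image, and `docker rmi registry.fedy95.com/baseimage-autossl:$DRONE_COMMIT_SHA` then exits non-zero and reports the cleanup itself as failed; `docker rmi ... || true` keeps the cleanup best-effort. The same context line hard-codes the registry host that every other step reads from `REGISTRY: registry.fedy95.com`; giving the cleanup step the same `environment:` entry and using `"$REGISTRY"` avoids the two drifting apart. The `docker rmi` line itself is unchanged by this commit.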