From 8de92f626600c27e1faf073871c9b1f8f6f6a551 Mon Sep 17 00:00:00 2001 From: fedy95 Date: Mon, 28 Jun 2021 21:39:45 +0300 Subject: [PATCH] add-security-scanners --- .drone.yml | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/.drone.yml b/.drone.yml index a97ee9f..3caf6ed 100644 --- a/.drone.yml +++ b/.drone.yml @@ -16,6 +16,7 @@ steps: - yamllint -c /yamllint/relaxed.yaml . when: event: pull_request + - name: lint json image: registry.fedy95.com/baseimage-jsonlint:latest commands: @@ -23,6 +24,63 @@ steps: when: event: pull_request + - name: build image + image: docker:dind + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + REGISTRY: registry.fedy95.com + commands: + - docker build -t "$REGISTRY"/baseimage-jsonlint:$DRONE_COMMIT_SHA image -f image/Dockerfile + when: + event: pull_request + + - name: trivy security scan + image: aquasec/trivy + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + REGISTRY: registry.fedy95.com + commands: + - "trivy \ + --exit-code 1 \ + --format json \ + --no-progress \ + $REGISTRY/baseimage-jsonlint:$DRONE_COMMIT_SHA" + when: + event: pull_request + + - name: grype security scan + image: docker:dind + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + REGISTRY: registry.fedy95.com + commands: + - apk add --no-cache curl + - "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | \ + sh -s -- -b /usr/local/bin" + - "grype $REGISTRY/baseimage-jsonlint:$DRONE_COMMIT_SHA \ + --scope all-layers \ + --fail-on=critical \ + --verbose" + when: + event: pull_request + + - name: cleanup + image: docker:dind + volumes: + - name: dockersock + path: /var/run/docker.sock + commands: + - docker rmi registry.fedy95.com/baseimage-jsonlint:$DRONE_COMMIT_SHA + when: + event: pull_request + status: [ success, failure ] + - name: release image: docker:dind volumes: