From 8de92f626600c27e1faf073871c9b1f8f6f6a551 Mon Sep 17 00:00:00 2001 
From: fedy95 
Date: Mon, 28 Jun 2021 21:39:45 +0300 
Subject: [PATCH 1/3] add-security-scanners 
---
 .drone.yml | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+) 
diff --git a/.drone.yml b/.drone.yml 
index a97ee9f..3caf6ed 100644 
--- a/.drone.yml 
+++ b/.drone.yml 
@@ -16,6 +16,7 @@ steps:
 - yamllint -c /yamllint/relaxed.yaml .
 when:
 event: pull_request 
+
 - name: lint json
 image: registry.fedy95.com/baseimage-jsonlint:latest
 commands: 
@@ -23,6 +24,63 @@ steps:
 when:
 event: pull_request 
+ - name: build image 
+ image: docker:dind 
+ volumes: 
+ - name: dockersock 
+ path: /var/run/docker.sock 
+ environment: 
+ REGISTRY: registry.fedy95.com 
+ commands: 
+ - docker build -t "$REGISTRY"/baseimage-jsonlint:$DRONE_COMMIT_SHA image -f image/Dockerfile 
+ when: 
+ event: pull_request 
+ 
+ - name: trivy security scan 
+ image: aquasec/trivy 
+ volumes: 
+ - name: dockersock 
+ path: /var/run/docker.sock 
+ environment: 
+ REGISTRY: registry.fedy95.com 
+ commands: 
+ - "trivy \ 
+ --exit-code 1 \ 
+ --format json \ 
+ --no-progress \ 
+ $REGISTRY/baseimage-jsonlint:$DRONE_COMMIT_SHA" 
+ when: 
+ event: pull_request 
+ 
+ - name: grype security scan 
+ image: docker:dind 
+ volumes: 
+ - name: dockersock 
+ path: /var/run/docker.sock 
+ environment: 
+ REGISTRY: registry.fedy95.com 
+ commands: 
+ - apk add --no-cache curl 
+ - "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | \ 
+ sh -s -- -b /usr/local/bin" 
+ - "grype $REGISTRY/baseimage-jsonlint:$DRONE_COMMIT_SHA \ 
+ --scope all-layers \ 
+ --fail-on=critical \ 
+ --verbose" 
+ when: 
+ event: pull_request 
+ 
+ - name: cleanup 
+ image: docker:dind 
+ volumes: 
+ - name: dockersock 
+ path: /var/run/docker.sock 
+ commands: 
+ - docker rmi registry.fedy95.com/baseimage-jsonlint:$DRONE_COMMIT_SHA 
+ when: 
+ event: pull_request 
+ status: [ success, failure ] 
+
 - name: release
 image: docker:dind
 volumes: 
-- 
2.30.2 
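Review bot: The grype step installs its scanner at run time with `curl ... anchore/grype/main/install.sh | sh` from an unpinned branch with no checksum, and the trivy step pulls `aquasec/trivy` with no tag, so the tool that gates the pull request changes underneath the pipeline and a failing or passing scan cannot be reproduced later; pin both, `image: aquasec/trivy:<TRIVY_VERSION>` and a release tag passed to the installer, `sh -s -- -b /usr/local/bin <GRYPE_VERSION>`, or bake grype into a pinned image of your own. The two gates are also inconsistent: trivy runs with `--exit-code 1` and no `--severity`, so any finding at all (including unfixed low ones) fails the build, while grype uses `--fail-on=critical`; pick one threshold, for example `--severity CRITICAL,HIGH --ignore-unfixed` on the trivy line, and state it in a comment above the scan steps. All four new steps mount `/var/run/docker.sock` and run on `event: pull_request`, and since Drone executes the `.drone.yml` taken from the pull request, anyone whose PR reaches this pipeline presumably gets command execution with host Docker access — worth a comment on the `dockersock` volume and, if the server supports it, limiting these steps to non-fork pull requests. Minor: the cleanup step hard-codes `registry.fedy95.com` where the other new steps use `$REGISTRY`.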
From c095db85639d3232e229529c1cc6f69b9fccb75c Mon Sep 17 00:00:00 2001 
From: fedy95 
Date: Mon, 28 Jun 2021 21:42:43 +0300 
Subject: [PATCH 2/3] add-security-scanners 
---
 image/Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/image/Dockerfile b/image/Dockerfile 
index 85952d5..555ce56 100644 
--- a/image/Dockerfile 
+++ b/image/Dockerfile 
@@ -4,7 +4,9 @@ ARG JSONLINT_VERSION=latest
 ENV npm_config_loglevel=silent
 WORKDIR /data 
-RUN npm install -g jsonlint@"$JSONLINT_VERSION" && \ 
+RUN \ 
+ apk update && apk upgrade && \ 
+ npm install -g jsonlint@"$JSONLINT_VERSION" && \
 rm -rf ~/.npm
 USER node 
-- 
2.30.2 
From 3f831775ea97cec3a5f20996954734967222837e Mon Sep 17 00:00:00 2001 
From: fedy95 
Date: Mon, 28 Jun 2021 21:45:45 +0300 
Subject: [PATCH 3/3] add-security-scanners 
---
 image/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/image/Dockerfile b/image/Dockerfile 
index 555ce56..15fc50f 100644 
--- a/image/Dockerfile 
+++ b/image/Dockerfile 
@@ -1,6 +1,6 @@ 
-FROM node:14.16.0-alpine3.13 
+FROM node:14-alpine3.13 
-ARG JSONLINT_VERSION=latest 
+ARG JSONLINT_VERSION=1.6.3
 ENV npm_config_loglevel=silent
 WORKDIR /data 
-- 
2.30.2
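Review bot: `apk update && apk upgrade` in the new RUN line leaves the downloaded package index under `/var/cache/apk/` inside the image layer and makes the image content depend on whatever Alpine has published at build time, so two builds of the same commit can differ and the scanners added to `.drone.yml` will report drift unrelated to any code change; use `apk upgrade --no-cache` (which refreshes the index without persisting it) and drop the separate `apk update`. If the intent is only to clear findings against packages from the base image, bumping the `FROM` tag to a newer patch release is the more reproducible fix, and a comment on the RUN line saying why the upgrade is there would help the next reader.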
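Review bot: Replacing `node:14.16.0-alpine3.13` with `node:14-alpine3.13` trades an exact version for a floating tag, so the base image — and with it the scan result the pipeline now gates on — can change between two builds of the same commit, which works against the reproducibility this same patch gains by pinning `JSONLINT_VERSION=1.6.3`. Either keep a patch-level tag and bump it deliberately, or pin by digest, `FROM node:14-alpine3.13@sha256:<DIGEST>`, with the tag kept for readability; `<DIGEST>` is a placeholder to be filled from the chosen image's manifest.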