2 changed files with 63 additions and 3 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -16,6 +16,7 @@ steps:
      - yamllint -c /yamllint/relaxed.yaml .
    when:
      event: pull_request
+
  - name: lint json
    image: registry.fedy95.com/baseimage-jsonlint:latest
    commands:
@ -23,6 +24,63 @@ steps:
    when:
      event: pull_request

+  - name: build image
+    image: docker:dind
+    volumes:
+      - name: dockersock
+        path: /var/run/docker.sock
+    environment:
+      REGISTRY: registry.fedy95.com
+    commands:
+      - docker build -t "$REGISTRY"/baseimage-jsonlint:$DRONE_COMMIT_SHA image -f image/Dockerfile
+    when:
+      event: pull_request
+
+  - name: trivy security scan
+    image: aquasec/trivy
+    volumes:
+      - name: dockersock
+        path: /var/run/docker.sock
+    environment:
+      REGISTRY: registry.fedy95.com
+    commands:
+      - "trivy \
+         --exit-code 1 \
+         --format json \
+         --no-progress \
+         $REGISTRY/baseimage-jsonlint:$DRONE_COMMIT_SHA"
+    when:
+      event: pull_request
+
+  - name: grype security scan
+    image: docker:dind
+    volumes:
+      - name: dockersock
+        path: /var/run/docker.sock
+    environment:
+      REGISTRY: registry.fedy95.com
+    commands:
+      - apk add --no-cache curl
+      - "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | \
+        sh -s -- -b /usr/local/bin"
+      - "grype $REGISTRY/baseimage-jsonlint:$DRONE_COMMIT_SHA \
+         --scope all-layers \
+         --fail-on=critical \
+         --verbose"
+    when:
+      event: pull_request
+
+  - name: cleanup
+    image: docker:dind
+    volumes:
+      - name: dockersock
+        path: /var/run/docker.sock
+    commands:
+      - docker rmi registry.fedy95.com/baseimage-jsonlint:$DRONE_COMMIT_SHA
+    when:
+      event: pull_request
+      status: [ success, failure ]
+
  - name: release
    image: docker:dind
    volumes:
--- a/image/Dockerfile
+++ b/image/Dockerfile
@ -1,10 +1,12 @@
-FROM node:14.16.0-alpine3.13
+FROM node:14-alpine3.13

-ARG JSONLINT_VERSION=latest
+ARG JSONLINT_VERSION=1.6.3
 ENV npm_config_loglevel=silent

 WORKDIR /data
-RUN npm install -g jsonlint@"$JSONLINT_VERSION" && \
+RUN \
+  apk update && apk upgrade && \
+  npm install -g jsonlint@"$JSONLINT_VERSION" && \
 	rm -rf ~/.npm

 USER node