add-security-scanners (#5)

general/dev#56

Reviewed-on: #5
Co-authored-by: fedy95 <fedy95@protonmail.com>
Co-committed-by: fedy95 <fedy95@protonmail.com>

.drone.yml

@@ -17,6 +17,64 @@ steps:
     when:
       event: pull_request
 
+
+  - name: build image
+    image: docker:dind
+    volumes:
+      - name: dockersock
+        path: /var/run/docker.sock
+    environment:
+      REGISTRY: registry.fedy95.com
+    commands:
+      - docker build -t "$REGISTRY"/baseimage-plantuml:$DRONE_COMMIT_SHA image -f image/Dockerfile
+    when:
+      event: pull_request
+
+  - name: trivy security scan
+    image: aquasec/trivy
+    volumes:
+      - name: dockersock
+        path: /var/run/docker.sock
+    environment:
+      REGISTRY: registry.fedy95.com
+    commands:
+      - "trivy \
+         --exit-code 1 \
+         --format json \
+         --no-progress \
+         $REGISTRY/baseimage-plantuml:$DRONE_COMMIT_SHA"
+    when:
+      event: pull_request
+
+  - name: grype security scan
+    image: docker:dind
+    volumes:
+      - name: dockersock
+        path: /var/run/docker.sock
+    environment:
+      REGISTRY: registry.fedy95.com
+    commands:
+      - apk add --no-cache curl
+      - "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | \
+        sh -s -- -b /usr/local/bin"
+      - "grype $REGISTRY/baseimage-plantuml:$DRONE_COMMIT_SHA \
+         --scope all-layers \
+         --fail-on=critical \
+         --verbose"
+    when:
+      event: pull_request
+
+  - name: cleanup
+    image: docker:dind
+    volumes:
+      - name: dockersock
+        path: /var/run/docker.sock
+    commands:
+      - docker rmi registry.fedy95.com/baseimage-plantuml:$DRONE_COMMIT_SHA
+    when:
+      event: pull_request
+      status: [ success, failure ]
+
   - name: release
     image: docker:dind
     volumes:
@@ -33,8 +91,8 @@ steps:
       REGISTRY_PASSWORD:
         from_secret: REGISTRY_PASSWORD
     commands:
-      - docker build -t "$REGISTRY"/baseimage-plantuml:"$DRONE_TAG" .
-      - docker build -t "$REGISTRY"/baseimage-plantuml:latest .
+      - docker build -t "$REGISTRY"/baseimage-plantuml:"$DRONE_TAG" image -f image/Dockerfile
+      - docker build -t "$REGISTRY"/baseimage-plantuml:latest image -f image/Dockerfile
       - docker login "$REGISTRY" -u"$REGISTRY_USERNAME" -p"$REGISTRY_PASSWORD"
       - docker push "$REGISTRY"/baseimage-plantuml:"$DRONE_TAG"
       - docker push "$REGISTRY"/baseimage-plantuml:latest

Makefile

@@ -5,7 +5,7 @@ LOCAL_REPOSITORY=fedy95/baseimage:plantuml
 PLANTUML_TAG=latest
 
 build:
-	docker build -t ${LOCAL_REPOSITORY}-${PLANTUML_TAG} .
+	docker build -t ${LOCAL_REPOSITORY}-${PLANTUML_TAG} image -f image/Dockerfile
 
 
 REGISTRY=registry.fedy95.com

example/build.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# shellcheck disable=SC2046
+
+IMAGE="registry.fedy95.com/baseimage-plantuml:latest"
+
+docker pull $IMAGE
+docker run --rm -v $(pwd):/docs -u $(id -u) --entrypoint ./docs/generate.sh $IMAGE

example/generate.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+PLANTUML="java -jar plantuml.jar"
+
+$PLANTUML /docs/puml/*.puml -o "../images"