Add dependency security check using trivy (#1163)

This commit is contained in:
Lauris BH 2022-09-03 21:46:48 +03:00 committed by GitHub
parent 5ca7ede9e4
commit d5cdd2bb04
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 29 additions and 0 deletions


@ -15,6 +15,15 @@ pipeline:
event: [push, pull_request] event: [push, pull_request]
path: *when_path path: *when_path
securitycheck:
image: aquasec/trivy:latest
commands:
- trivy fs --exit-code 0 --skip-dirs node_modules/ --skip-dirs plugins/woodpecker-plugins/node_modules --severity UNKNOWN,LOW docs/
# TODO currently it is not fixable so just do not block currently
- trivy fs --exit-code 0 --skip-dirs node_modules/ --skip-dirs plugins/woodpecker-plugins/node_modules --severity MEDIUM,HIGH,CRITICAL docs/
when:
path: *when_path
deploy-preview: deploy-preview:
image: woodpeckerci/plugin-surge-preview:next image: woodpeckerci/plugin-surge-preview:next
settings: settings:
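Review bot: The new step's `image: aquasec/trivy:latest` line pulls whatever the floating tag resolves to on each run, so the tool that is meant to gate the pipeline is itself an unpinned, unverified supply-chain input whose defaults and flags can change without any change to this repository; pin it to a release tag and, ideally, a digest (`image: aquasec/trivy:<version>@sha256:<digest>`) and bump it deliberately. The TODO above the MEDIUM/HIGH/CRITICAL command says blocking is disabled because the current findings are not fixable, which is exactly the case trivy's `--ignore-unfixed` flag covers: `- trivy fs --exit-code 1 --ignore-unfixed --skip-dirs node_modules/ --skip-dirs plugins/woodpecker-plugins/node_modules --severity MEDIUM,HIGH,CRITICAL docs/` would still fail the build on vulnerabilities that have a fix while letting the unfixable ones through, instead of never blocking at all. Whether `--ignore-unfixed` suppresses every current finding depends on whether the advisories carry a fixed version, so verify against a local run before switching the exit code. Unlike the other two pipelines in this commit, this step has no `group:`; if that is intentional a one-line comment saying so would help.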


@ -50,6 +50,15 @@ pipeline:
image: mstruebing/editorconfig-checker image: mstruebing/editorconfig-checker
group: test group: test
securitycheck:
group: test
image: aquasec/trivy:latest
commands:
- trivy fs --exit-code 0 --skip-dirs web/ --skip-dirs docs/ --severity UNKNOWN,LOW .
- trivy fs --exit-code 1 --skip-dirs web/ --skip-dirs docs/ --severity MEDIUM,HIGH,CRITICAL .
when:
path: *when_path
test: test:
image: *golang_image image: *golang_image
group: test group: test
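Review bot: This is the one scan that actually fails the build (`--exit-code 1` on MEDIUM,HIGH,CRITICAL), and it does so behind `image: aquasec/trivy:latest`, so a new trivy release can start failing every pipeline with no change to the repository and no record of which scanner version produced the verdict; pin the tag (and preferably the digest) here and treat upgrades as reviewed changes. Recent trivy versions enable secret detection for `trivy fs` by default, so if the pulled image does, this root scan of `.` will also fail on anything that looks like a credential anywhere in the tree (test fixtures included); decide that explicitly with `--security-checks vuln` or keep it and document that `.trivyignore` is the escape hatch, rather than discovering it on an unrelated PR. Consider `--ignore-unfixed` on the blocking command so an advisory without a fixed version does not leave the repository unable to merge anything, and add a `.trivyignore` path for accepted findings with a comment naming the reason and owner for each entry.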


@ -1,6 +1,8 @@
variables: variables:
- &node_image 'node:16-alpine' - &node_image 'node:16-alpine'
- &when_path - &when_path
# related config files
- ".woodpecker/web.yml"
# web source code # web source code
- "web/**" - "web/**"
@ -40,6 +42,15 @@ pipeline:
when: when:
path: *when_path path: *when_path
securitycheck:
group: test
image: aquasec/trivy:latest
commands:
- trivy fs --exit-code 0 --skip-dirs node_modules/ --severity UNKNOWN,LOW web/
- trivy fs --exit-code 1 --skip-dirs node_modules/ --severity MEDIUM,HIGH,CRITICAL web/
when:
path: *when_path
test: test:
group: test group: test
image: *node_image image: *node_image
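Review bot: The `securitycheck` step runs only `when: path: *when_path`, i.e. when something under `web/**` (or, after this commit, `.woodpecker/web.yml`) changes, so a vulnerability disclosed tomorrow in a dependency that is already in `web/` will never be reported until someone happens to touch that tree; dependency scanning needs a time-based trigger as well. If the Woodpecker version in use supports cron pipelines, add a scheduled run of this step, otherwise drop the `path` filter for this step on pushes to the default branch so at least every merge re-scans the full lockfile. As in the other two pipelines, `image: aquasec/trivy:latest` should be pinned to a release tag or digest so the blocking `--exit-code 1` scan does not change behaviour on its own. The two consecutive `trivy fs` invocations each fetch the vulnerability DB; a `--skip-db-update` on the second one is a cheap way to halve that network dependency.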