feat(image): add linting

FalcoSuessgott · Feb 2, 2024 · 0a091db · 0a091db
1 parent 32cd106
commit 0a091db
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 10 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -10,12 +10,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - run: go generate -tags tools tools/tools.go
-
       - uses: actions/setup-go@v5
         with:
           go-version: '1.20'
           cache: false
+
+      - run: go generate -tags tools tools/tools.go
 
       - name: go get
         run: go get ./...

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,49 @@
+name: image_scan
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.20'
+          cache: false
+
+      - run: go generate -tags tools tools/tools.go
+
+      - name: go get
+        run: go get ./...
+
+      - name: go build
+        run: go build -o vault-kubernetes-kms cmd/main.go
+
+      - uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Dockerfile
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/falcosuessgott/vault-kubernetes-kms:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/falcosuessgott/vault-kubernetes-kms:${{ github.sha }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: trivy-results.sarif
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,11 +1,10 @@
 repos:
   - repo: https://github.com/tekwizely/pre-commit-golang
-    rev: v1.0.0-rc.1
+    rev: master
     hooks:
-      - id: go-build-mod
-      - id: go-test-mod
-      - id: go-vet-mod
-      - id: go-staticcheck-mod
+      - id: go-build-repo
+      - id: go-test-repo
+      - id: go-staticcheck-repo
       - id: go-fmt
       - id: go-fumpt
       - id: go-imports

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,10 @@
-FROM alpine:3.19
+FROM golang:1.20 as builder 
+WORKDIR /app
+COPY . .
+RUN  CGO_ENABLED=0 GOOS=linux go build -o vault-kubernetes-kms cmd/main.go
 
-COPY vault-kubernetes-kms /usr/bin/vault-kubernetes-kms
+FROM gcr.io/distroless/static-debian12
+WORKDIR /
+COPY --from=builder /app/vault-kubernetes-kms .
 
-ENTRYPOINT ["/usr/bin/vault-kubernetes-kms"]
+ENTRYPOINT ["/vault-kubernetes-kms"]