Initial security command (#87)

skpr · Nov 20, 2024 · 0219431 · 0219431
1 parent d567c13
commit 0219431
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 5 deletions.
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,33 @@
+name: Security
+
+on:
+  schedule:
+    - cron: "15 21 * * 2,3" # UTC Wed,Thurs
+  workflow_dispatch: ~
+  push:
+    branches:
+      - security # This is a branch that we can push to for testing.
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      # https://github.com/GoogleContainerTools/container-structure-test?tab=readme-ov-file#linux
+      - name: Install Container Structure Tests
+        run: |
+          curl -LO https://github.com/GoogleContainerTools/container-structure-test/releases/latest/download/container-structure-test-linux-amd64
+          chmod +x container-structure-test-linux-amd64
+          mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test
+
+      # https://github.com/anchore/grype?tab=readme-ov-file#recommended
+      - name: Install Grype
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Build and Scan
+        run: |
+          make security PHP_VERSION=8.3
diff --git a/Makefile b/Makefile
@@ -97,4 +97,20 @@ ifndef PHP_VERSION
 	$(error PHP_VERSION is undefined)
 endif
 
+SECURITY_FAIL_ON=critical
+
+security: build
+	@set +e; \
+	fpm_exit_code=0; cli_exit_code=0; \
+	grype ${IMAGE_FPM}-dev-${VERSION_TAG}-${ARCH} --fail-on ${SECURITY_FAIL_ON}; \
+	fpm_exit_code=$$?; \
+	grype ${IMAGE_CLI}-dev-${VERSION_TAG}-${ARCH} --fail-on ${SECURITY_FAIL_ON}; \
+	cli_exit_code=$$?; \
+	if [ $$fpm_exit_code -ne 0 ] || [ $$cli_exit_code -ne 0 ]; then \
+		echo "Containers have high security findings."; \
+		exit 1; \
+	else \
+		echo "No high security findings."; \
+	fi
+
 .PHONY: *
diff --git a/cli/Dockerfile b/cli/Dockerfile
@@ -39,11 +39,8 @@ RUN curl -sS https://getcomposer.org/download/latest-2.x/composer.phar -o /usr/l
     chmod +x /usr/local/bin/composer && \
     ln -sv /usr/local/bin/composer /usr/local/bin/composer2
 
-# A lightweight crond for local development environments. Also leveraged the Skpr Preview environments.
-RUN curl -sSL https://github.com/skpr/crond/releases/download/v0.0.2/skpr-crond_0.0.2_linux_${ARCH}.tar.gz -o /tmp/skpr-crond.tar.gz && \
-    tar -zxvf /tmp/skpr-crond.tar.gz skpr-crond && \
-    mv skpr-crond /usr/local/bin/skpr-crond && \
-    rm -f /tmp/skpr-crond.tar.gz
+# A lightweight crond for local development environments.
+COPY --from=ghcr.io/skpr/crond:main /usr/local/bin/skpr-crond /usr/local/bin/skpr-crond
 
 ADD drush /etc/drush