From 4063f94807ca4fe62d95e3e075f22c8f36fdf314 Mon Sep 17 00:00:00 2001
From: Paul Bouwer
Date: Tue, 5 Oct 2021 16:25:26 +1000
Subject: [PATCH 1/2] Add trivy to development environment for vuln scanning

---
 .devcontainer/Dockerfile | 8 ++++++++
 Makefile | 7 +++++++
 2 files changed, 15 insertions(+)

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index a7fa1a55..68c6e1ba 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -68,6 +68,14 @@ RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/s
 && echo "source ~/completions/kubectl.bash" >> ~/.bashrc \
 && echo "alias k=kubectl" >> ~/.bashrc \
 && echo "complete -o default -F __start_kubectl k" >> ~/.bashrc
+
+# Install trivy
+RUN mkdir /tmp/trivy \
+ && curl -L https://github.com/aquasecurity/trivy/releases/download/v0.19.2/trivy_0.19.2_Linux-64bit.tar.gz | tar xvz -C /tmp/trivy -f - contrib trivy \
+ && chmod +x /tmp/trivy/trivy \
+ && mv /tmp/trivy/trivy /usr/local/bin/trivy \
+ && mkdir -p /trivy/contrib \
+ && mv /tmp/trivy/contrib/* /trivy/contrib/
 
 # Clean up
 RUN apt-get autoremove -y \
diff --git a/Makefile b/Makefile
index 030e65d8..c7be66fe 100644
--- a/Makefile
+++ b/Makefile
@@ -5,6 +5,13 @@ IMAGE_MAJOR_VERSION = $(shell echo "$(IMAGE_VERSION)" | cut -d '.' -f1 )
 IMAGE_MINOR_VERSION = $(shell echo "$(IMAGE_VERSION)" | cut -d '.' -f2 )
 IMAGE = $(REGISTRY)/$(REPOSITORY)/hello-kubernetes
 
+.PHONY: scan-for-vulns
+scan-for-vulns:
+	trivy image --format template --template "@/trivy/contrib/sarif.tpl" $(IMAGE):$(IMAGE_VERSION)
+
+.PHONY: build-images
+build-images: build-image-linux
+
 .PHONY: build-image-linux
 build-image-linux:
 	docker build --no-cache \

From 9af02b5fb283a0d7237824a1e9a4a0fea4aa678e Mon Sep 17 00:00:00 2001
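Review bot: The new trivy install line pipes `curl -L ... | tar xvz` straight into the image with no integrity check, so the scanner that is meant to vet the rest of the build is itself installed from an unverified download; the release is version-pinned, which is good, but a tampered or truncated archive would still be extracted and placed on PATH. Download the archive to a file, check its SHA-256 against the hash published with the v0.19.2 release before extracting, and use `curl -fsSL` so an HTTP error fails the step instead of feeding an error page to tar. The recipe also leaves `/tmp/trivy` in the layer and uses `chmod +x` plus `mv` where `install -m 0755` does both; the rewrite below also removes the scratch directory.
```dockerfile
# Install trivy (pinned release; verify the archive before extracting it)
RUN mkdir /tmp/trivy \
    && cd /tmp/trivy \
    && curl -fsSL -o trivy.tar.gz https://github.com/aquasecurity/trivy/releases/download/v0.19.2/trivy_0.19.2_Linux-64bit.tar.gz \
    && echo "<SHA256_FROM_RELEASE_CHECKSUMS>  trivy.tar.gz" | sha256sum -c - \
    && tar xz -f trivy.tar.gz contrib trivy \
    && install -m 0755 trivy /usr/local/bin/trivy \
    && mkdir -p /trivy/contrib \
    && mv contrib/* /trivy/contrib/ \
    && rm -rf /tmp/trivy
```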
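Review bot: The new `scan-for-vulns` recipe cannot gate anything: trivy exits 0 by default regardless of findings, so the target succeeds even when the image has critical vulnerabilities, and the SARIF output goes to stdout where nothing consumes it. If the target is meant to be more than an interactive report, pass `--exit-code 1 --severity HIGH,CRITICAL` and write the report to a file, e.g. `trivy image --exit-code 1 --severity HIGH,CRITICAL --format template --template "@/trivy/contrib/sarif.tpl" -o trivy.sarif $(IMAGE):$(IMAGE_VERSION)`. The target also has no prerequisite and silently assumes `$(IMAGE):$(IMAGE_VERSION)` already exists locally, and the template path `/trivy/contrib/sarif.tpl` only exists inside the devcontainer; a `## Scan the built image (run build-images first; requires the devcontainer's trivy install)` comment on the target would make both assumptions visible.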
From: Paul Bouwer
Date: Tue, 5 Oct 2021 16:26:07 +1000
Subject: [PATCH 2/2] Update base image and version to remediate vuln report

---
 src/app/Dockerfile | 2 +-
 src/app/package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/app/Dockerfile b/src/app/Dockerfile
index fb87cbae..a61d1b77 100644
--- a/src/app/Dockerfile
+++ b/src/app/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:15-alpine
+FROM node:16-alpine3.13
 ARG IMAGE_CREATE_DATE
 ARG IMAGE_VERSION
 
diff --git a/src/app/package.json b/src/app/package.json
index 3135a9be..3ec86a19 100644
--- a/src/app/package.json
+++ b/src/app/package.json
@@ -1,6 +1,6 @@
 {
 "name": "hello-kubernetes",
- "version": "1.10.0",
+ "version": "1.10.1",
 "description": "Hello Kubernetes!",
 "author": "Paul Bouwer",
 "license": "MIT",