
Commit 4599e35

committed
Add trivy scan on base image
1 parent 6f6650b commit 4599e35

2 files changed

+28
-2
lines changed


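--- a/.drone.yml
+++ b/.drone.yml
@@ -9,8 +9,14 @@ steps:
 - name: prepare-amd64-binaries
 image: ubuntu:20.04
 commands:
-- apt-get -y update && apt-get -y install make curl tar
+- apt-get -y update && apt-get -y install make curl tar docker.io
+- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b $(pwd)
+- make check-security
 - make k8s-binaries
+privileged: true
+volumes:
+- name: socket
+path: /var/run/docker.sock
 when:
 event:
 - tag
@@ -31,6 +37,10 @@ steps:
 - drone-publish.rancher.io
 event:
 - tag
+volumes:
+- name: socket
+host:
+path: /var/run/docker.sock
 ---
 kind: pipeline
 name: linux-arm64
@@ -43,8 +53,14 @@ steps:
 - name: prepare-arm64-binaries
 image: ubuntu:20.04
 commands:
-- apt-get -y update && apt-get -y install make curl tar
+- apt-get -y update && apt-get -y install make curl tar docker.io
+- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b $(pwd)
+- make check-security
 - make ARCH=arm64 k8s-binaries
+privileged: true
+volumes:
+- name: socket
+path: /var/run/docker.sock
 when:
 event:
 - tag
@@ -65,6 +81,11 @@ steps:
 - drone-publish.rancher.io
 event:
 - tag
+
+volumes:
+- name: socket
+host:
+path: /var/run/docker.sock
 ---
 kind: pipeline
 name: windows-1809-pr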
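Review bot: The trivy installer is fetched from the unpinned `main` branch and piped into `sh` in prepare-amd64-binaries (the same line appears in prepare-arm64-binaries), so both the script and the scanner version are whatever GitHub serves when a tag builds, and they now run in a `privileged: true` step with the host Docker socket mounted. Pin the script to a release tag and pass an explicit version to the installer, e.g. `- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/<PINNED_TAG>/contrib/install.sh | sh -s -- -b $(pwd) <PINNED_TAG>` (the generated installer takes the tag as its trailing argument as far as I recall — confirm), or download the release archive and verify its checksum before extracting it. Since `trivy image` on a registry reference can pull through the registry API, it is worth checking whether `docker.io`, `privileged: true` and the socket mount are needed at all; if not, dropping them keeps the build step unprivileged. Either way, `-b $(pwd)` is what makes the binary land at the `/drone/src/trivy` path the Makefile hard-codes, and that coupling deserves a comment next to the install line.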

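--- a/Makefile
+++ b/Makefile
@@ -10,6 +10,8 @@ K8S_STAGING:=$(shell mktemp -d)
 
 K8S_SERVER_TARBALL=kubernetes-server-linux-$(ARCH).tar.gz
 
+HYPERKUBE_BASE_VERSION = $(shell grep hyperkube-base Dockerfile | awk '{ print $$2 }' )
+
 all: all-push
 
 sub-build-%:
@@ -55,6 +57,9 @@ build: k8s-binaries
 push: build
 docker push ${IMAGE}:${K8S_VERSION}-${TAGEND}-${ARCH}
 
+check-security:
+/drone/src/trivy image -s HIGH,CRITICAL --exit-code 1 $(HYPERKUBE_BASE_VERSION) || (echo "trivy found issues $$?"; exit 1)
+
 .PHONY: all build push clean all-build all-push-images all-push push-manifest k8s-binaries
 
 .DEFAULT_GOAL := build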
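Review bot: `check-security` is not added to the `.PHONY` list that follows it, so a file or directory named `check-security` in the checkout would make the target look up to date and the scan would be skipped silently — the one case where a security gate must fail loudly. `HYPERKUBE_BASE_VERSION` is assigned with `=` around a `$(shell …)`, so the grep/awk pipeline reruns on every expansion; `:=` evaluates it once. The recipe also hard-codes `/drone/src/trivy`, which ties the Makefile to the Drone workspace layout set up in `.drone.yml`; a `TRIVY ?=` knob keeps the default and lets the target run locally with `make TRIVY=trivy check-security`. Finally, if the grep matches nothing (e.g. the Dockerfile's base-image line is renamed), trivy is invoked with no image reference and the failure is confusing rather than explicit, so a guard in the recipe is worthwhile.
```make
HYPERKUBE_BASE_VERSION := $(shell grep hyperkube-base Dockerfile | awk '{ print $$2 }' )
TRIVY ?= /drone/src/trivy

# … unchanged: all, sub-build-%, build, push …

check-security:
	$(if $(strip $(HYPERKUBE_BASE_VERSION)),,$(error hyperkube-base not found in Dockerfile))
	$(TRIVY) image -s HIGH,CRITICAL --exit-code 1 $(HYPERKUBE_BASE_VERSION) || (echo "trivy found issues $$?"; exit 1)

.PHONY: all build push clean all-build all-push-images all-push push-manifest k8s-binaries check-security
```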
