Initial Commit
All checks were successful
continuous-integration/drone/push Build is passing

This commit is contained in:
Markus Pesch 2022-01-30 21:39:29 +01:00
commit 4c845b61fa
Signed by: volker.raschek
GPG Key ID: 852BCC170D81A982
12 changed files with 1055 additions and 0 deletions

0
.dockerignore Normal file
View File

721
.drone.yml Normal file
View File

@ -0,0 +1,721 @@
---
kind: pipeline
type: kubernetes
name: linter
platform:
os: linux
steps:
- name: markdown lint
commands:
- markdownlint *.md
image: docker.io/volkerraschek/markdownlint:0.30.0
resources:
limits:
cpu: 50
memory: 50M
- name: email-notification
environment:
PLUGIN_HOST:
from_secret: smtp_host
PLUGIN_USERNAME:
from_secret: smtp_username
PLUGIN_PASSWORD:
from_secret: smtp_password
PLUGIN_FROM:
from_secret: smtp_mail_address
image: docker.io/drillster/drone-email:latest
resources:
limits:
cpu: 50
memory: 25M
when:
status:
- changed
- failure
trigger:
event:
exclude:
- tag
---
kind: pipeline
type: docker
name: dry-run-amd64
platform:
os: linux
arch: amd64
steps:
- name: build
image: plugins/docker
settings:
dockerfile: Dockerfile
auto_tag: false
dry_run: true
tags: latest-amd64
repo: volkerraschek/gosec
username:
from_secret: container_image_registry_user
password:
from_secret: container_image_registry_password
no_cache: true
volumes:
- name: docker_socket
path: /var/run/docker.sock
- name: notify
image: drillster/drone-email
environment:
PLUGIN_HOST:
from_secret: smtp_host
PLUGIN_USERNAME:
from_secret: smtp_username
PLUGIN_PASSWORD:
from_secret: smtp_password
PLUGIN_FROM:
from_secret: smtp_mail_address
when:
status:
- changed
- failure
volumes:
- name: docker_socket
host:
path: /var/run/docker.sock
depends_on:
- linter
trigger:
branch:
exclude:
- master
event:
- pull_request
- push
repo:
- volker.raschek/gosec-docker
---
kind: pipeline
type: docker
name: dry-run-arm-v7
platform:
os: linux
arch: arm
steps:
- name: build
image: plugins/docker
settings:
dockerfile: Dockerfile
auto_tag: false
dry_run: true
tags: latest-arm-v7
repo: volkerraschek/gosec
username:
from_secret: container_image_registry_user
password:
from_secret: container_image_registry_password
no_cache: true
- name: notify
image: drillster/drone-email
environment:
PLUGIN_HOST:
from_secret: smtp_host
PLUGIN_USERNAME:
from_secret: smtp_username
PLUGIN_PASSWORD:
from_secret: smtp_password
PLUGIN_FROM:
from_secret: smtp_mail_address
volumes:
- name: docker_socket
path: /var/run/docker.sock
when:
status:
- changed
- failure
volumes:
- name: docker_socket
host:
path: /var/run/docker.sock
depends_on:
- linter
trigger:
branch:
exclude:
- master
event:
- pull_request
- push
repo:
- volker.raschek/gosec-docker
---
kind: pipeline
type: docker
name: dry-run-arm64-v8
platform:
os: linux
arch: arm64
steps:
- name: build
image: plugins/docker
settings:
dockerfile: Dockerfile
auto_tag: false
dry_run: true
tags: latest-arm64-v8
repo: volkerraschek/gosec
username:
from_secret: container_image_registry_user
password:
from_secret: container_image_registry_password
no_cache: true
- name: notify
image: drillster/drone-email
environment:
PLUGIN_HOST:
from_secret: smtp_host
PLUGIN_USERNAME:
from_secret: smtp_username
PLUGIN_PASSWORD:
from_secret: smtp_password
PLUGIN_FROM:
from_secret: smtp_mail_address
volumes:
- name: docker_socket
path: /var/run/docker.sock
when:
status:
- changed
- failure
volumes:
- name: docker_socket
host:
path: /var/run/docker.sock
depends_on:
- linter
trigger:
branch:
exclude:
- master
event:
- pull_request
- push
repo:
- volker.raschek/gosec-docker
---
kind: pipeline
type: docker
name: latest-amd64
platform:
os: linux
arch: amd64
steps:
- name: build
image: plugins/docker
settings:
dockerfile: Dockerfile
auto_tag: false
tags: latest-amd64
repo: volkerraschek/gosec
username:
from_secret: container_image_registry_user
password:
from_secret: container_image_registry_password
no_cache: true
volumes:
- name: docker_socket
path: /var/run/docker.sock
- name: notify
image: drillster/drone-email
environment:
PLUGIN_HOST:
from_secret: smtp_host
PLUGIN_USERNAME:
from_secret: smtp_username
PLUGIN_PASSWORD:
from_secret: smtp_password
PLUGIN_FROM:
from_secret: smtp_mail_address
when:
status:
- changed
- failure
volumes:
- name: docker_socket
host:
path: /var/run/docker.sock
depends_on:
- linter
trigger:
branch:
- master
event:
- cron
- push
repo:
- volker.raschek/gosec-docker
---
kind: pipeline
type: docker
name: latest-arm-v7
platform:
os: linux
arch: arm
steps:
- name: build
image: plugins/docker
settings:
dockerfile: Dockerfile
auto_tag: false
tags: latest-arm-v7
repo: volkerraschek/gosec
username:
from_secret: container_image_registry_user
password:
from_secret: container_image_registry_password
no_cache: true
- name: notify
image: drillster/drone-email
environment:
PLUGIN_HOST:
from_secret: smtp_host
PLUGIN_USERNAME:
from_secret: smtp_username
PLUGIN_PASSWORD:
from_secret: smtp_password
PLUGIN_FROM:
from_secret: smtp_mail_address
volumes:
- name: docker_socket
path: /var/run/docker.sock
when:
status:
- changed
- failure
volumes:
- name: docker_socket
host:
path: /var/run/docker.sock
depends_on:
- linter
trigger:
branch:
- master
event:
- cron
- push
repo:
- volker.raschek/gosec-docker
---
kind: pipeline
type: docker
name: latest-arm64-v8
platform:
os: linux
arch: arm64
steps:
- name: build
image: plugins/docker
settings:
dockerfile: Dockerfile
auto_tag: false
tags: latest-arm64-v8
repo: volkerraschek/gosec
username:
from_secret: container_image_registry_user
password:
from_secret: container_image_registry_password
no_cache: true
- name: notify
image: drillster/drone-email
environment:
PLUGIN_HOST:
from_secret: smtp_host
PLUGIN_USERNAME:
from_secret: smtp_username
PLUGIN_PASSWORD:
from_secret: smtp_password
PLUGIN_FROM:
from_secret: smtp_mail_address
volumes:
- name: docker_socket
path: /var/run/docker.sock
when:
status:
- changed
- failure
volumes:
- name: docker_socket
host:
path: /var/run/docker.sock
depends_on:
- linter
trigger:
branch:
- master
event:
- cron
- push
repo:
- volker.raschek/gosec-docker
---
kind: pipeline
type: kubernetes
name: latest-manifest
steps:
- name: build-manifest
image: plugins/manifest
settings:
auto_tag: false
ignore_missing: true
spec: manifest.tmpl
username:
from_secret: container_image_registry_user
password:
from_secret: container_image_registry_password
- name: notify
image: docker.io/drillster/drone-email:latest
environment:
PLUGIN_HOST:
from_secret: smtp_host
PLUGIN_USERNAME:
from_secret: smtp_username
PLUGIN_PASSWORD:
from_secret: smtp_password
PLUGIN_FROM:
from_secret: smtp_mail_address
resources:
limits:
cpu: 50
memory: 25M
when:
status:
- changed
- failure
depends_on:
- latest-amd64
- latest-arm-v7
- latest-arm64-v8
trigger:
branch:
- master
event:
- cron
- push
repo:
- volker.raschek/gosec-docker
---
kind: pipeline
type: docker
name: tagged-amd64
platform:
os: linux
arch: amd64
steps:
- name: build
image: plugins/docker
settings:
dockerfile: Dockerfile
auto_tag: true
auto_tag_suffix: amd64
repo: volkerraschek/gosec
username:
from_secret: container_image_registry_user
password:
from_secret: container_image_registry_password
build_args:
- HELM_VERSION=${DRONE_TAG}
no_cache: true
volumes:
- name: docker_socket
path: /var/run/docker.sock
- name: notify
image: drillster/drone-email
environment:
PLUGIN_HOST:
from_secret: smtp_host
PLUGIN_USERNAME:
from_secret: smtp_username
PLUGIN_PASSWORD:
from_secret: smtp_password
PLUGIN_FROM:
from_secret: smtp_mail_address
when:
status:
- changed
- failure
volumes:
- name: docker_socket
host:
path: /var/run/docker.sock
trigger:
event:
- tag
repo:
- volker.raschek/gosec-docker
---
kind: pipeline
type: docker
name: tagged-arm-v7
platform:
os: linux
arch: arm
steps:
- name: build
image: plugins/docker
settings:
dockerfile: Dockerfile
auto_tag: true
auto_tag_suffix: arm-v7
repo: volkerraschek/gosec
username:
from_secret: container_image_registry_user
password:
from_secret: container_image_registry_password
build_args:
- HELM_VERSION=${DRONE_TAG}
no_cache: true
volumes:
- name: docker_socket
path: /var/run/docker.sock
- name: notify
image: drillster/drone-email
environment:
PLUGIN_HOST:
from_secret: smtp_host
PLUGIN_USERNAME:
from_secret: smtp_username
PLUGIN_PASSWORD:
from_secret: smtp_password
PLUGIN_FROM:
from_secret: smtp_mail_address
when:
status:
- changed
- failure
volumes:
- name: docker_socket
host:
path: /var/run/docker.sock
trigger:
event:
- tag
repo:
- volker.raschek/gosec-docker
---
kind: pipeline
type: docker
name: tagged-arm64-v8
platform:
os: linux
arch: arm64
steps:
- name: build
image: plugins/docker
settings:
dockerfile: Dockerfile
auto_tag: true
auto_tag_suffix: arm64-v8
repo: volkerraschek/gosec
username:
from_secret: container_image_registry_user
password:
from_secret: container_image_registry_password
build_args:
- HELM_VERSION=${DRONE_TAG}
no_cache: true
volumes:
- name: docker_socket
path: /var/run/docker.sock
- name: notify
image: drillster/drone-email
environment:
PLUGIN_HOST:
from_secret: smtp_host
PLUGIN_USERNAME:
from_secret: smtp_username
PLUGIN_PASSWORD:
from_secret: smtp_password
PLUGIN_FROM:
from_secret: smtp_mail_address
when:
status:
- changed
- failure
volumes:
- name: docker_socket
host:
path: /var/run/docker.sock
trigger:
event:
- tag
repo:
- volker.raschek/gosec-docker
---
kind: pipeline
type: kubernetes
name: tagged-manifest
steps:
- name: build-manifest
image: plugins/manifest
settings:
auto_tag: true
ignore_missing: true
spec: manifest.tmpl
username:
from_secret: container_image_registry_user
password:
from_secret: container_image_registry_password
- name: notify
image: docker.io/drillster/drone-email:latest
environment:
PLUGIN_HOST:
from_secret: smtp_host
PLUGIN_USERNAME:
from_secret: smtp_username
PLUGIN_PASSWORD:
from_secret: smtp_password
PLUGIN_FROM:
from_secret: smtp_mail_address
resources:
limits:
cpu: 50
memory: 25M
when:
status:
- changed
- failure
depends_on:
- tagged-amd64
- tagged-arm-v7
- tagged-arm64-v8
trigger:
event:
- tag
repo:
- volker.raschek/gosec-docker
---
kind: pipeline
type: kubernetes
name: sync
platform:
os: linux
arch: amd64
steps:
- name: github
image: docker.io/appleboy/drone-git-push:latest
resources:
limits:
cpu: 50
memory: 25M
settings:
branch: master
remote: ssh://git@github.com/volker-raschek/gosec-docker.git
force: true
ssh_key:
from_secret: ssh_key
- name: email-notification
environment:
PLUGIN_HOST:
from_secret: smtp_host
PLUGIN_USERNAME:
from_secret: smtp_username
PLUGIN_PASSWORD:
from_secret: smtp_password
PLUGIN_FROM:
from_secret: smtp_mail_address
image: docker.io/drillster/drone-email:latest
resources:
limits:
cpu: 50
memory: 25M
when:
status:
- changed
- failure
depends_on:
- latest-manifest
trigger:
branch:
- master
event:
- cron
- push
repo:
- volker.raschek/gosec-docker

12
.editorconfig Normal file
View File

@ -0,0 +1,12 @@
root = true
[*]
indent_style = space
indent_size = 2
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = false
[Makefile]
indent_style = tab

1
.gitattributes vendored Normal file
View File

@ -0,0 +1 @@
Makefile eol=lf

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
# IntelliJ
.idea/

144
.markdownlint.yaml Normal file
View File

@ -0,0 +1,144 @@
# markdownlint YAML configuration
# https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
# Default state for all rules
default: true
# Path to configuration file to extend
extends: null
# MD003/heading-style/header-style - Heading style
MD003:
# Heading style
style: "atx"
# MD004/ul-style - Unordered list style
MD004:
style: "dash"
# MD007/ul-indent - Unordered list indentation
MD007:
# Spaces for indent
indent: 2
# Whether to indent the first level of the list
start_indented: false
# MD009/no-trailing-spaces - Trailing spaces
MD009:
# Spaces for line break
br_spaces: 2
# Allow spaces for empty lines in list items
list_item_empty_lines: false
# Include unnecessary breaks
strict: false
# MD010/no-hard-tabs - Hard tabs
MD010:
# Include code blocks
code_blocks: true
# MD012/no-multiple-blanks - Multiple consecutive blank lines
MD012:
# Consecutive blank lines
maximum: 1
# MD013/line-length - Line length
MD013:
# Number of characters
line_length: 80
# Number of characters for headings
heading_line_length: 80
# Number of characters for code blocks
code_block_line_length: 80
# Include code blocks
code_blocks: false
# Include tables
tables: false
# Include headings
headings: true
# Include headings
headers: true
# Strict length checking
strict: false
# Stern length checking
stern: false
# MD022/blanks-around-headings/blanks-around-headers - Headings should be surrounded by blank lines
MD022:
# Blank lines above heading
lines_above: 1
# Blank lines below heading
lines_below: 1
# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
MD024:
# Only check sibling headings
allow_different_nesting: true
# MD025/single-title/single-h1 - Multiple top-level headings in the same document
MD025:
# Heading level
level: 1
# RegExp for matching title in front matter
front_matter_title: "^\\s*title\\s*[:=]"
# MD026/no-trailing-punctuation - Trailing punctuation in heading
MD026:
# Punctuation characters
punctuation: ".,;:!。,;:!"
# MD029/ol-prefix - Ordered list item prefix
MD029:
# List style
style: "one_or_ordered"
# MD030/list-marker-space - Spaces after list markers
MD030:
# Spaces for single-line unordered list items
ul_single: 1
# Spaces for single-line ordered list items
ol_single: 1
# Spaces for multi-line unordered list items
ul_multi: 1
# Spaces for multi-line ordered list items
ol_multi: 1
# MD033/no-inline-html - Inline HTML
MD033:
# Allowed elements
allowed_elements: []
# MD035/hr-style - Horizontal rule style
MD035:
# Horizontal rule style
style: "---"
# MD036/no-emphasis-as-heading/no-emphasis-as-header - Emphasis used instead of a heading
MD036:
# Punctuation characters
punctuation: ".,;:!?。,;:!?"
# MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading
MD041:
# Heading level
level: 1
# RegExp for matching title in front matter
front_matter_title: "^\\s*title\\s*[:=]"
# MD044/proper-names - Proper names should have the correct capitalization
MD044:
# List of proper names
names:
- helm
# Include code blocks
code_blocks: false
# MD046/code-block-style - Code block style
MD046:
# Block style
style: "fenced"
# MD048/code-fence-style - Code fence style
MD048:
# Code fence syle
style: "backtick"

15
Dockerfile Normal file
View File

@ -0,0 +1,15 @@
FROM docker.io/library/golang:1.17.5-alpine AS build
ARG GOSEC_VERSION
RUN apk update && \
apk upgrade && \
apk add git make
RUN if [ ! -z "${GOSEC_VERSION}" ]; then set -ex; go install github.com/securego/gosec/v2/cmd/gosec@${GOSEC_VERSION}; fi
RUN if [ -z "${GOSEC_VERSION}" ]; then set -ex; go install github.com/securego/gosec/v2/cmd/gosec@latest; fi
RUN cp /go/bin/gosec /usr/bin/gosec && \
rm -rf /go/*
ENTRYPOINT [ "/usr/bin/gosec" ]

13
LICENSE Normal file
View File

@ -0,0 +1,13 @@
Copyright 2022 Markus Pesch
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

52
Makefile Normal file
View File

@ -0,0 +1,52 @@
# GOSEC_VERSION
# Only required to install a specifiy version
GOSEC_VERSION?=v2.9.4 # renovate: datasource=github-releases depName=gosec lookupName=securego/gosec versioning=semver
# CONTAINER_RUNTIME
# The CONTAINER_RUNTIME variable will be used to specified the path to a
# container runtime. This is needed to start and run a container image.
CONTAINER_RUNTIME?=$(shell which docker)
# HELM_IMAGE_REGISTRY_NAME
# Defines the name of the new container to be built using several variables.
HELM_IMAGE_REGISTRY_NAME:=docker.io
HELM_IMAGE_REGISTRY_USER:=volkerraschek
HELM_IMAGE_NAMESPACE?=${HELM_IMAGE_REGISTRY_USER}
HELM_IMAGE_NAME:=gosec
HELM_IMAGE_VERSION?=latest
HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_NAME}/${HELM_IMAGE_NAMESPACE}/${HELM_IMAGE_NAME}:${HELM_IMAGE_VERSION}
HELM_IMAGE_UNQUALIFIED=${HELM_IMAGE_NAMESPACE}/${HELM_IMAGE_NAME}:${HELM_IMAGE_VERSION}
# BUILD CONTAINER IMAGE
# ==============================================================================
PHONY:=container-image/build
container-image/build:
${CONTAINER_RUNTIME} build \
--build-arg GOSEC_VERSION=${GOSEC_VERSION} \
--file Dockerfile \
--no-cache \
--pull \
--tag ${HELM_IMAGE_FULLY_QUALIFIED} \
--tag ${HELM_IMAGE_UNQUALIFIED} \
.
# DELETE CONTAINER IMAGE
# ==============================================================================
PHONY:=container-image/delete
container-image/delete:
- ${CONTAINER_RUNTIME} image rm ${HELM_IMAGE_FULLY_QUALIFIED} ${HELM_IMAGE_UNQUALIFIED}
- ${CONTAINER_RUNTIME} image rm ${BASE_IMAGE_FULL}
# PUSH CONTAINER IMAGE
# ==============================================================================
PHONY+=container-image/push
container-image/push:
echo ${HELM_IMAGE_REGISTRY_PASSWORD} | ${CONTAINER_RUNTIME} login ${HELM_IMAGE_REGISTRY_NAME} --username ${HELM_IMAGE_REGISTRY_USER} --password-stdin
${CONTAINER_RUNTIME} push ${HELM_IMAGE_FULLY_QUALIFIED}
# PHONY
# ==============================================================================
# Declare the contents of the PHONY variable as phony. We keep that information
# in a variable so we can use it in if_changed.
.PHONY: ${PHONY}

35
README.md Normal file
View File

@ -0,0 +1,35 @@
# gosec-docker
[![Build Status](https://drone.cryptic.systems/api/badges/volker.raschek/gosec-docker/status.svg)](https://drone.cryptic.systems/volker.raschek/gosec-docker)
[![Docker Pulls](https://img.shields.io/docker/pulls/volkerraschek/gosec)](https://hub.docker.com/r/volkerraschek/gosec)
This project contains all sources to build the container image
`docker.io/volkerraschek/gosec`. The primary goal of this project is to package
the binary `gosec` as container image to provide the functionally for CI/CD
workflows. The source code of the binary can be found in the upstream project of
[gosec](github.com/securego/gosec).
## drone
Here is an example how to use `docker.io/volkerraschek/gosec` to scan for
vulerabilities.
```yaml
kind: pipeline
type: kubernetes
name: vulnerability-scan
platform:
os: linux
arch: amd64
steps:
- name: gosec
commands:
- gosec -v ./...
image: docker.io/volkerraschek/gosec:latest
resources:
limits:
cpu: 250
memory: 500M
```

26
manifest.tmpl Normal file
View File

@ -0,0 +1,26 @@
image: volkerraschek/gosec:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
{{#if build.tags}}
tags:
{{#each build.tags}}
- {{this}}
{{/each}}
- "latest"
{{/if}}
manifests:
-
image: volkerraschek/gosec:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-amd64
platform:
architecture: amd64
os: linux
-
image: volkerraschek/gosec:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-arm-v7
platform:
architecture: arm
os: linux
variant: v7
-
image: volkerraschek/gosec:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-arm64-v8
platform:
architecture: arm64
os: linux
variant: v8

34
renovate.json Normal file
View File

@ -0,0 +1,34 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"assignees": [ "volker.raschek" ],
"automergeStrategy": "merge-commit",
"automergeType": "pr",
"labels": [ "renovate" ],
"packageRules": [
{
"addLabels": [ "renovate/droneci", "renovate/automerge" ],
"automerge": true,
"matchManagers": "droneci",
"matchUpdateTypes": [ "minor", "patch"]
},
{
"addLabels": [ "renovate/gosec", "renovate/automerge" ],
"automerge": false,
"matchPackageNames": [ "gosec" ],
"matchManagers": [ "regex" ]
}
],
"rebaseLabel": "renovate/rebase",
"rebaseWhen": "behind-base-branch",
"regexManagers": [
{
"description": "Update version",
"fileMatch": [
"^Makefile$"
],
"matchStrings": [
"GOSEC_VERSION\\?=(?<currentValue>.*) # renovate: datasource=(?<datasource>.*) depName=(?<depName>.*) (lookupName=(?<lookupName>.*))? (versioning=(?<versioning>.*))?"
]
}
]
}