This repo contains a bunch of pre-commits that I find useful. You may too!
This pre-commit has been designed to use a local copy of Trivy to run Trivy scans against your repo. I did consider using Docker but decided against it for the following reasons:
- It requires Docker to be available on a system which may not be the case in all scenarios.
- It supports using a local copy of Trivy which the user can then ensure has a version match with what's expected in their pipelines.
- Because I made this repo and I decided to do it this way 😄.
Install trivy - that's step 1. If you don't have it, it ain't working!
Next, add something like this to your `.pre-commit-config.yaml`:

```yaml
---
repos:
  - repo: https://github.com/drewbernetes/trivy-pre-commit.git
    rev: v0.1.0
    hooks:
      - id: trivy
        args:
          - fs
          # any additional trivy flags go here, one per list item
          - . # the location/files to scan
```
As it's using the CLI, you can just replace the `fs` bit with any other Trivy-supported command (see `trivy --help` for more info on this).
And that's it. It's simple, it's straightforward, and now you can scan things until your projects are happy and secure.
Because you forgot to run Trivy against your code before pushing again, didn't you? 😉 I know I do sometimes!
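As an added example (not part of the trivy-pre-commit project), here is a POSIX sh wrapper you could point a local hook's `entry` at: it fails fast when Trivy is missing and, when `TRIVY_EXPECTED_VERSION` (an assumed variable name) is set, refuses to scan with a version that differs from the one your pipeline pins. It assumes the first line of `trivy --version` reads `Version: X.Y.Z`.

```shell
#!/usr/bin/env sh
# Added example, not the trivy-pre-commit project's own code.
# TRIVY_EXPECTED_VERSION is an assumed variable name; set it to the version
# your CI pipeline pins so local scans and pipeline scans agree.

# Extract the bare version number from `trivy --version` output.
# Assumes the first line of that output looks like "Version: 0.50.1"
# (the indented "  Version: 2" of the DB section deliberately does not match).
parse_trivy_version() {
    # $1: captured output of `trivy --version`
    printf '%s\n' "$1" | sed -n 's/^Version: *\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when the installed version equals the expected one, 1 otherwise.
# An older scanner may lack checks the pipeline relies on; a newer one may
# flag findings the pipeline never sees, so require an exact match.
check_trivy_version() {
    # $1: expected version, $2: captured output of `trivy --version`
    installed=$(parse_trivy_version "$2")
    if [ -z "$installed" ]; then
        echo "trivy-wrapper: could not read a version from trivy output" >&2
        return 1
    fi
    if [ "$installed" != "$1" ]; then
        echo "trivy-wrapper: installed trivy $installed, pipeline expects $1" >&2
        return 1
    fi
    return 0
}

main() {
    if ! command -v trivy >/dev/null 2>&1; then
        echo "trivy-wrapper: trivy is not installed; install it first" >&2
        exit 1
    fi
    if [ -n "${TRIVY_EXPECTED_VERSION:-}" ]; then
        check_trivy_version "$TRIVY_EXPECTED_VERSION" "$(trivy --version 2>/dev/null)" || exit 1
    fi
    # Trivy exits 0 even when it finds issues unless told otherwise, which
    # would let the commit through; --exit-code 1 makes findings block it.
    exec trivy "$@" --exit-code 1
}

# Only run main when executed as a script named trivy-wrapper.sh, so the
# functions above can be sourced and exercised on their own.
case "${0##*/}" in trivy-wrapper.sh) main "$@" ;; esac
```

Invoke it with the same arguments you would give the hook, e.g. `trivy-wrapper.sh fs .`.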
This pre-commit has been designed to build a docker image locally.
It does this by tagging it with `local/IMAGE_NAME:0.0.0`.
It requires Docker to be available on a system.
Install Docker - that's step 1. If you don't have it, it ain't working!
Next, add something like this to your `.pre-commit-config.yaml`:

```yaml
---
repos:
  - repo: https://github.com/drewbernetes/docker-pre-commit.git
    rev: v0.1.0
    hooks:
      - id: docker
        args:
          - --image-name
          - SOME_IMAGE
          - --dockerfile-path
          - docker/Dockerfile
          - --context
          - .
```
That's it. You can pass in a bunch of args if you like, but the default command is: `docker build -t local/IMAGE_NAME:0.0.0 -f PATH CONTEXT`
Because you need to know your image builds before attempting to do it in your CI.