build: add container scanning

Signed-off-by: Mark Sagi-Kazar <[email protected]>
openmeterio · Aug 12, 2024 · 8169672 · 8169672
1 parent 3ac18bd
commit 8169672
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 16 deletions.
diff --git a/ci/generate.go b/ci/generate.go
@@ -45,7 +45,8 @@ func (m *Generate) NodeSdk() *dagger.Directory {
 		WithExec([]string{"pnpm", "run", "generate"}).
 		WithExec([]string{"pnpm", "build"}).
 		WithExec([]string{"pnpm", "test"}).
-		Directory("/work/client/node")
+		Directory("/work/client/node").
+		WithoutDirectory("node_modules")
 }
 
 // Generate the Web SDK.
@@ -57,5 +58,6 @@ func (m *Generate) WebSdk() *dagger.Directory {
 		WithWorkdir("/work/client/web").
 		WithExec([]string{"pnpm", "install", "--frozen-lockfile"}).
 		WithExec([]string{"pnpm", "run", "generate"}).
-		Directory("/work/client/web")
+		Directory("/work/client/web").
+		WithoutDirectory("node_modules")
 }
diff --git a/ci/main.go b/ci/main.go
@@ -40,29 +40,46 @@ func New(
 	}, nil
 }
 
-func (m *Ci) Ci(ctx context.Context) error {
+func (m *Ci) Ci(ctx context.Context) (*dagger.Directory, error) {
 	p := newPipeline(ctx)
 
+	trivy := dag.Trivy(dagger.TrivyOpts{
+		Cache:             cacheVolume("trivy"),
+		WarmDatabaseCache: true,
+	})
+
+	containerImages := m.Build().containerImages("ci")
+
+	helmChartOpenMeter := m.Build().helmChart("openmeter", "0.0.0").File()
+	helmChartBenthosCollector := m.Build().helmChart("benthos-collector", "0.0.0").File()
+	helmCharts := dag.Directory().WithFiles("", []*dagger.File{helmChartOpenMeter, helmChartBenthosCollector})
+
+	releaseAssets := dag.Directory().WithFiles("", m.releaseAssets("ci"))
+
+	generated := dag.Directory().
+		WithDirectory("sdk/python", m.Generate().PythonSdk()).
+		WithDirectory("sdk/node", m.Generate().NodeSdk()).
+		WithDirectory("sdk/web", m.Generate().WebSdk())
+
+	dir := dag.Directory().
+		WithFile("scans/image.sarif", trivy.Container(containerImages[0]).Report("sarif")).
+		WithFile("scans/helm-openmeter.sarif", trivy.HelmChart(helmChartOpenMeter).Report("sarif")).
+		WithFile("scans/helm-benthos-collector.sarif", trivy.HelmChart(helmChartBenthosCollector).Report("sarif")).
+		WithDirectory("charts/", helmCharts).
+		WithDirectory("release/", releaseAssets).
+		WithDirectory("generated/", generated)
+
 	p.addJobs(
 		wrapSyncable(m.Test()),
 		m.Lint().All,
 
-		// TODO: run trivy scan on container(s?)
 		// TODO: version should be the commit hash (if any?)?
 		wrapSyncables(m.Build().containerImages("ci")),
 
-		// TODO: run trivy scan on helm chart
-		wrapSyncable(m.Build().helmChart("openmeter", "0.0.0").File()),
-		wrapSyncable(m.Build().helmChart("benthos-collector", "0.0.0").File()),
-
-		wrapSyncables(m.releaseAssets("ci")),
-
-		wrapSyncable(m.Generate().PythonSdk()),
-		wrapSyncable(m.Generate().NodeSdk()),
-		wrapSyncable(m.Generate().WebSdk()),
+		wrapSyncable(dir),
 	)
 
-	return p.wait()
+	return dir, p.wait()
 }
 
 func (m *Ci) Test() *dagger.Container {

diff --git a/dagger.json b/dagger.json
@@ -11,8 +11,8 @@
   ],
   "dependencies": [
     {
-      "name": "kafka",
-      "source": "github.com/sagikazarmark/daggerverse/kafka@c964ee26f982c4db0282523cd06f75ecb7e1102f"
+      "name": "trivy",
+      "source": "github.com/sagikazarmark/daggerverse/trivy@d5fde48ac060eb10fb30d4c47daf76aeb6249781"
     },
     {
       "name": "archivist",
@@ -42,6 +42,10 @@
       "name": "helm-docs",
       "source": "github.com/sagikazarmark/daggerverse/helm-docs@8f444e2c2b8e8162cea76d702086034ed3edc4f1"
     },
+    {
+      "name": "kafka",
+      "source": "github.com/sagikazarmark/daggerverse/kafka@c964ee26f982c4db0282523cd06f75ecb7e1102f"
+    },
     {
       "name": "python",
       "source": "github.com/sagikazarmark/daggerverse/python@8f444e2c2b8e8162cea76d702086034ed3edc4f1"