From 81696724577a98d969c911d8e497ae17660c3177 Mon Sep 17 00:00:00 2001
From: Mark Sagi-Kazar
Date: Mon, 12 Aug 2024 18:58:56 +0200
Subject: [PATCH] build: add container scanning

Signed-off-by: Mark Sagi-Kazar
---
 ci/generate.go | 6 ++++--
 ci/main.go | 41 +++++++++++++++++++++++++++++------------
 dagger.json | 8 ++++++--
 3 files changed, 39 insertions(+), 16 deletions(-)

diff --git a/ci/generate.go b/ci/generate.go
index 6521d777e..0929dfeee 100644
--- a/ci/generate.go
+++ b/ci/generate.go
@@ -45,7 +45,8 @@ func (m *Generate) NodeSdk() *dagger.Directory {
 WithExec([]string{"pnpm", "run", "generate"}).
 WithExec([]string{"pnpm", "build"}).
 WithExec([]string{"pnpm", "test"}).
- Directory("/work/client/node")
+ Directory("/work/client/node").
+ WithoutDirectory("node_modules")
 }
 
 // Generate the Web SDK.
@@ -57,5 +58,6 @@ func (m *Generate) WebSdk() *dagger.Directory {
 WithWorkdir("/work/client/web").
 WithExec([]string{"pnpm", "install", "--frozen-lockfile"}).
 WithExec([]string{"pnpm", "run", "generate"}).
- Directory("/work/client/web")
+ Directory("/work/client/web").
+ WithoutDirectory("node_modules")
 }
diff --git a/ci/main.go b/ci/main.go
index 705a600f0..de0825810 100644
--- a/ci/main.go
+++ b/ci/main.go
@@ -40,29 +40,46 @@ func New(
 }, nil
 }
 
-func (m *Ci) Ci(ctx context.Context) error {
+func (m *Ci) Ci(ctx context.Context) (*dagger.Directory, error) {
 p := newPipeline(ctx)
 
+ trivy := dag.Trivy(dagger.TrivyOpts{
+ Cache: cacheVolume("trivy"),
+ WarmDatabaseCache: true,
+ })
+
+ containerImages := m.Build().containerImages("ci")
+
+ helmChartOpenMeter := m.Build().helmChart("openmeter", "0.0.0").File()
+ helmChartBenthosCollector := m.Build().helmChart("benthos-collector", "0.0.0").File()
+ helmCharts := dag.Directory().WithFiles("", []*dagger.File{helmChartOpenMeter, helmChartBenthosCollector})
+
+ releaseAssets := dag.Directory().WithFiles("", m.releaseAssets("ci"))
+
+ generated := dag.Directory().
+ WithDirectory("sdk/python", m.Generate().PythonSdk()).
+ WithDirectory("sdk/node", m.Generate().NodeSdk()).
+ WithDirectory("sdk/web", m.Generate().WebSdk())
+
+ dir := dag.Directory().
+ WithFile("scans/image.sarif", trivy.Container(containerImages[0]).Report("sarif")).
+ WithFile("scans/helm-openmeter.sarif", trivy.HelmChart(helmChartOpenMeter).Report("sarif")).
+ WithFile("scans/helm-benthos-collector.sarif", trivy.HelmChart(helmChartBenthosCollector).Report("sarif")).
+ WithDirectory("charts/", helmCharts).
+ WithDirectory("release/", releaseAssets).
+ WithDirectory("generated/", generated)
+
 p.addJobs(
 wrapSyncable(m.Test()),
 m.Lint().All,
 
- // TODO: run trivy scan on container(s?)
 // TODO: version should be the commit hash (if any?)?
 wrapSyncables(m.Build().containerImages("ci")),
 
- // TODO: run trivy scan on helm chart
- wrapSyncable(m.Build().helmChart("openmeter", "0.0.0").File()),
- wrapSyncable(m.Build().helmChart("benthos-collector", "0.0.0").File()),
-
- wrapSyncables(m.releaseAssets("ci")),
-
- wrapSyncable(m.Generate().PythonSdk()),
- wrapSyncable(m.Generate().NodeSdk()),
- wrapSyncable(m.Generate().WebSdk()),
+ wrapSyncable(dir),
 )
 
- return p.wait()
+ return dir, p.wait()
 }
 
 func (m *Ci) Test() *dagger.Container {
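Review bot: `trivy.Container(containerImages[0])` in the `dir` chain scans only the first image that `containerImages("ci")` returns and panics at that index if the slice is empty, so every further image in the slice is built and synced unscanned; emit one report per image instead, `for i, img := range containerImages { dir = dir.WithFile("scans/image-"+strconv.Itoa(i)+".sarif", trivy.Container(img).Report("sarif")) }` (adding strconv to the imports if main.go does not have it), and let the `wrapSyncables(m.Build().containerImages("ci"))` job reuse the `containerImages` local rather than rebuilding the list. Nothing in the hunk gates on the scan results — the SARIF files are only placed in `dir` — so unless the Trivy module's Report fails on findings by default (I cannot tell from here), a vulnerable image or chart passes CI with only an artifact to read; confirm that and say so on the method, e.g. `// Ci runs the pipeline and returns scan reports, charts, release assets and generated SDKs; scans are report-only and do not fail the run.` `return dir, p.wait()` also hands back a non-nil directory when the pipeline fails; `if err := p.wait(); err != nil { return nil, err }` keeps the `(T, error)` contract.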
diff --git a/dagger.json b/dagger.json
index dc170a47f..a7e9aab53 100644
--- a/dagger.json
+++ b/dagger.json
@@ -11,8 +11,8 @@
 ],
 "dependencies": [
 {
- "name": "kafka",
- "source": "github.com/sagikazarmark/daggerverse/kafka@c964ee26f982c4db0282523cd06f75ecb7e1102f"
+ "name": "trivy",
+ "source": "github.com/sagikazarmark/daggerverse/trivy@d5fde48ac060eb10fb30d4c47daf76aeb6249781"
 },
 {
 "name": "archivist",
@@ -42,6 +42,10 @@
 "name": "helm-docs",
 "source": "github.com/sagikazarmark/daggerverse/helm-docs@8f444e2c2b8e8162cea76d702086034ed3edc4f1"
 },
+ {
+ "name": "kafka",
+ "source": "github.com/sagikazarmark/daggerverse/kafka@c964ee26f982c4db0282523cd06f75ecb7e1102f"
+ },
 {
 "name": "python",
 "source": "github.com/sagikazarmark/daggerverse/python@8f444e2c2b8e8162cea76d702086034ed3edc4f1"