Install Trivy for vulnerability scanning unit-testing

shipwright-io · Feb 18, 2024 · 204320b · 204320b
1 parent c2d59a2
commit 204320b
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -22,6 +22,8 @@ jobs:
           go-version: '1.20.x'
           cache: true
           check-latest: true
+      - name: Install Trivy
+        run: make install-trivy
       - name: Build
         run: make build
       - name: Test

diff --git a/Makefile b/Makefile
@@ -157,6 +157,10 @@ install-counterfeiter:
 install-spruce:
 	hack/install-spruce.sh
 
+.PHONY: install-trivy
+install-trivy:
+	hack/install-trivy.sh
+
 # Install golangci-lint via: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
 .PHONY: sanity-check
 sanity-check:

diff --git a/hack/install-trivy.sh b/hack/install-trivy.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Copyright The Shipwright Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+#
+# Installs "trivy"
+#
+
+set -euo pipefail
+
+# Find a suitable install location
+for CANDIDATE in "$HOME/bin" "/usr/local/bin" "/usr/bin"; do
+  if [[ -w $CANDIDATE ]] && grep -q "$CANDIDATE" <<<"$PATH"; then
+    TARGET_DIR="$CANDIDATE"
+    break
+  fi
+done
+
+# Bail out in case no suitable location could be found
+if [[ -z ${TARGET_DIR:-} ]]; then
+  echo -e "Unable to determine a writable install location. Make sure that you have write access to either \\033[1m/usr/local/bin\\033[0m or \\033[1m${HOME}/bin\\033[0m and that is in your PATH."
+  exit 1
+fi
+
+echo "# Install Trivy"
+curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b "$TARGET_DIR"
+
+echo "# Trivy version"
+trivy --version