-
Notifications
You must be signed in to change notification settings - Fork 14
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Move Trivy and Tics tests to separate scripts
We're moving the Trivy and Tics test logic to separate scripts, simplifying the GH workflows and allowing these tests to be invoked locally.
- Loading branch information
1 parent
77b8816
commit 8a987d5
Showing
4 changed files
with
76 additions
and
59 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -73,35 +73,6 @@ jobs: | |
| working-directory: src/k8s | ||
| run: go mod download | ||
| - name: TICS scan | ||
| # TODO: move the following to a script. | ||
| run: | | ||
| export TICSAUTHTOKEN=${{ secrets.TICSAUTHTOKEN }} | ||
| set -x | ||
| # Install python dependencies | ||
| pip install -r tests/integration/requirements-test.txt | ||
| pip install -r tests/integration/requirements-dev.txt | ||
| cd src/k8s | ||
| # TICS requires us to have the test results in cobertura xml format under the | ||
| # directory use below | ||
| sudo make go.unit | ||
| go install github.com/boumenot/gocover-cobertura@latest | ||
| gocover-cobertura < coverage.txt > coverage.xml | ||
| mkdir .coverage | ||
| mv ./coverage.xml ./.coverage/ | ||
| # Install the TICS and staticcheck | ||
| go install honnef.co/go/tools/cmd/[email protected] | ||
| . <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/') | ||
| # We need to have our project built | ||
| # We load the dqlite libs here instead of doing through make because TICS | ||
| # will try to build parts of the project itself | ||
| sudo add-apt-repository -y ppa:dqlite/dev | ||
| sudo apt install dqlite-tools-v2 libdqlite1.17-dev | ||
| sudo make clean | ||
| go build -a ./... | ||
| TICSQServer -project k8s-snap -tmpdir /tmp/tics -branchdir $HOME/work/k8s-snap/k8s-snap/ | ||
| ./tests/tics-scan.sh | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| #!/usr/bin/env bash | ||
|
|
||
| SCRIPT_DIR=$(dirname "$BASH_SOURCE") | ||
|
|
||
| set -ex | ||
| cd "${SCRIPT_DIR}/.." | ||
|
|
||
| # Install python dependencies | ||
| pip install -r tests/integration/requirements-test.txt | ||
| pip install -r tests/integration/requirements-dev.txt | ||
|
|
||
| cd src/k8s | ||
|
|
||
| # TICS requires us to have the test results in cobertura xml format under the | ||
| # directory use below | ||
| sudo make go.unit | ||
| go install github.com/boumenot/gocover-cobertura@latest | ||
| gocover-cobertura < coverage.txt > coverage.xml | ||
| mkdir -p .coverage | ||
| mv ./coverage.xml ./.coverage/ | ||
|
|
||
| # Install the TICS and staticcheck | ||
| go install honnef.co/go/tools/cmd/[email protected] | ||
| . <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/') | ||
|
|
||
| # We need to have our project built | ||
| # We load the dqlite libs here instead of doing through make because TICS | ||
| # will try to build parts of the project itself | ||
| sudo add-apt-repository -y ppa:dqlite/dev | ||
| sudo apt install dqlite-tools-v2 libdqlite1.17-dev | ||
| sudo make clean | ||
| go build -a ./... | ||
|
|
||
| TICSQServer -project k8s-snap -tmpdir /tmp/tics -branchdir $HOME/work/k8s-snap/k8s-snap/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| #!/usr/bin/env bash | ||
|
|
||
| SCRIPT_DIR=$(dirname "$BASH_SOURCE") | ||
|
|
||
| set -ex | ||
| cd "${SCRIPT_DIR}/.." | ||
|
|
||
| SNAP_PATH="$1" | ||
| if [[ ! -f $SNAP_PATH ]]; then | ||
| echo "Usage: $0 <snap_path>" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Setup Trivy vulnerability scanner | ||
| mkdir -p manual-trivy/sarifs | ||
| pushd manual-trivy | ||
| VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}'); | ||
| wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz | ||
| tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz | ||
| popd | ||
|
|
||
| # Run Trivy vulnerability scanner in repo mode | ||
| ./manual-trivy/trivy fs . \ | ||
| --format sarif \ | ||
| --db-repository public.ecr.aws/aquasecurity/trivy-db \ | ||
| --severity "MEDIUM,HIGH,CRITICAL" \ | ||
| --ignore-unfixed \ | ||
| > ./manual-trivy/sarifs/trivy-k8s-repo-scan--results.sarif | ||
|
|
||
| for var in $(env | grep -o '^TRIVY_[^=]*'); do | ||
| unset "$var" | ||
| done | ||
| cp "${SNAP_PATH}" ./k8s-test.snap | ||
| rm -rf ./squashfs-root | ||
| unsquashfs k8s-test.snap | ||
| ./manual-trivy/trivy rootfs ./squashfs-root/ \ | ||
| --format sarif \ | ||
| --db-repository public.ecr.aws/aquasecurity/trivy-db \ | ||
| > ./manual-trivy/sarifs/snap.sarif |