Networks/Reticulum-Go
2
1
Fork 0
Code Issues 4 Pull Requests 1 Actions Packages Projects 1 Releases 1 Wiki Activity

feat: add comprehensive Trivy scanning tasks to Taskfile for enhanced vulnerability management

Browse Source
This commit is contained in:
ivan
2025-12-30 23:45:17 -06:00
parent 4c1c819e42
commit ee61747e20
1 changed files with 218 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

218
Taskfile.yml
View File

@@ -366,3 +366,221 @@ tasks:
mkdir -p sbom
trivy fs --format cyclonedx --include-dev-deps --output sbom/sbom.cyclonedx.json .
echo "CycloneDX SBOM generated: sbom/sbom.cyclonedx.json"
trivy:scan:json:
desc: Run Trivy vulnerability scan with JSON output
cmds:
- |
if ! command -v trivy &> /dev/null; then
echo "Error: Trivy not found. Run 'task trivy:install' first."
exit 1
fi
mkdir -p reports
trivy fs --scanners vuln --format json --output reports/trivy-vuln.json --timeout 90m .
trivy:scan:sarif:
desc: Run Trivy scan with SARIF output (for GitHub/GitLab integration)
cmds:
- |
if ! command -v trivy &> /dev/null; then
echo "Error: Trivy not found. Run 'task trivy:install' first."
exit 1
fi
mkdir -p reports
trivy fs --scanners vuln,secret --format sarif --output reports/trivy.sarif --timeout 90m .
trivy:scan:secrets:
desc: Scan for hardcoded secrets
cmds:
- |
if ! command -v trivy &> /dev/null; then
echo "Error: Trivy not found. Run 'task trivy:install' first."
exit 1
fi
trivy fs --scanners secret .
trivy:scan:licenses:
desc: Scan for licenses in dependencies
cmds:
- |
if ! command -v trivy &> /dev/null; then
echo "Error: Trivy not found. Run 'task trivy:install' first."
exit 1
fi
trivy fs --scanners license .
trivy:scan:misconfig:
desc: Scan for misconfigurations in config files
cmds:
- |
if ! command -v trivy &> /dev/null; then
echo "Error: Trivy not found. Run 'task trivy:install' first."
exit 1
fi
trivy fs --scanners misconfig .
trivy:db-update:
desc: Update Trivy vulnerability database
cmds:
- |
if ! command -v trivy &> /dev/null; then
echo "Error: Trivy not found. Run 'task trivy:install' first."
exit 1
fi
trivy image --download-db-only
trivy:cache-clean:
desc: Clean Trivy cache
cmds:
- |
if ! command -v trivy &> /dev/null; then
echo "Error: Trivy not found. Run 'task trivy:install' first."
exit 1
fi
trivy clean --cache
trivy:compliance:
desc: "Generate compliance report (specify COMPLIANCE env var: docker-bench-cis, k8s-nsa, etc.)"
cmds:
- |
if ! command -v trivy &> /dev/null; then
echo "Error: Trivy not found. Run 'task trivy:install' first."
exit 1
fi
if [ -z "${COMPLIANCE}" ]; then
echo "Error: COMPLIANCE environment variable required"
echo "Example: COMPLIANCE=docker-bench-cis task trivy:compliance"
exit 1
fi
mkdir -p reports
trivy fs --compliance "${COMPLIANCE}" --format json --output "reports/compliance-${COMPLIANCE}.json" .
trivy:ci:
desc: Run Trivy scan for CI (exits with non-zero code on findings)
cmds:
- |
if ! command -v trivy &> /dev/null; then
echo "Error: Trivy not found. Run 'task trivy:install' first."
exit 1
fi
trivy fs --scanners vuln --severity HIGH,CRITICAL --exit-code 1 --timeout 90m .
docker:build:
desc: Build Docker image (runtime image)
vars:
IMAGE_NAME: reticulum-go
IMAGE_TAG: latest
cmds:
- docker build -f docker/Dockerfile -t {{.IMAGE_NAME}}:{{.IMAGE_TAG}} .
docker:build:tag:
desc: Build Docker image with custom tag (use IMAGE_TAG env var)
vars:
IMAGE_NAME: reticulum-go
IMAGE_TAG: ${IMAGE_TAG:-latest}
cmds:
- docker build -f docker/Dockerfile -t {{.IMAGE_NAME}}:{{.IMAGE_TAG}} .
docker:build:build:
desc: Build Docker image for building binaries only
vars:
IMAGE_NAME: reticulum-go-build
IMAGE_TAG: latest
cmds:
- docker build -f docker/Dockerfile.build -t {{.IMAGE_NAME}}:{{.IMAGE_TAG}} .
docker:run:
desc: Run Docker container (runtime image)
vars:
IMAGE_NAME: reticulum-go
IMAGE_TAG: latest
CONTAINER_NAME: reticulum-go
cmds:
- |
docker run --rm -it \
--name {{.CONTAINER_NAME}} \
-p 4242:4242 \
{{.IMAGE_NAME}}:{{.IMAGE_TAG}}
docker:run:detached:
desc: Run Docker container in detached mode
vars:
IMAGE_NAME: reticulum-go
IMAGE_TAG: latest
CONTAINER_NAME: reticulum-go
cmds:
- |
docker run -d \
--name {{.CONTAINER_NAME}} \
-p 4242:4242 \
{{.IMAGE_NAME}}:{{.IMAGE_TAG}}
docker:stop:
desc: Stop running Docker container
vars:
CONTAINER_NAME: reticulum-go
cmds:
- docker stop {{.CONTAINER_NAME}} || true
- docker rm {{.CONTAINER_NAME}} || true
docker:extract:
desc: Extract binary from build container
vars:
IMAGE_NAME: reticulum-go-build
IMAGE_TAG: latest
BINARY_NAME: reticulum-go
cmds:
- |
CONTAINER_ID=$(docker create {{.IMAGE_NAME}}:{{.IMAGE_TAG}})
docker cp $CONTAINER_ID:/dist/{{.BINARY_NAME}} {{.BUILD_DIR}}/{{.BINARY_NAME}}
docker rm $CONTAINER_ID
echo "Binary extracted to {{.BUILD_DIR}}/{{.BINARY_NAME}}"
docker:buildx:setup:
desc: Setup Docker buildx for multi-platform builds
cmds:
- docker buildx create --name reticulum-builder --use || docker buildx use reticulum-builder
- docker buildx inspect --bootstrap
docker:buildx:build:
desc: Build multi-platform Docker image
vars:
IMAGE_NAME: reticulum-go
IMAGE_TAG: latest
PLATFORMS: linux/amd64,linux/arm64,linux/arm/v7
cmds:
- |
docker buildx build \
--platform {{.PLATFORMS}} \
-f docker/Dockerfile \
-t {{.IMAGE_NAME}}:{{.IMAGE_TAG}} \
--load \
.
docker:buildx:build:push:
desc: Build and push multi-platform Docker image
vars:
IMAGE_NAME: reticulum-go
IMAGE_TAG: latest
PLATFORMS: linux/amd64,linux/arm64,linux/arm/v7
cmds:
- |
if [ -z "${DOCKER_REGISTRY}" ]; then
echo "Error: DOCKER_REGISTRY environment variable required"
echo "Example: DOCKER_REGISTRY=registry.example.com task docker:buildx:build:push"
exit 1
fi
docker buildx build \
--platform {{.PLATFORMS}} \
-f docker/Dockerfile \
-t ${DOCKER_REGISTRY}/{{.IMAGE_NAME}}:{{.IMAGE_TAG}} \
--push \
.
docker:clean:
desc: Clean Docker images and containers
cmds:
- docker stop reticulum-go || true
- docker rm reticulum-go || true
- docker rmi reticulum-go:latest || true
- docker rmi reticulum-go-build:latest || true