From ee61747e206cdc9f1fdc6054e62f7cd19d6f7ef5 Mon Sep 17 00:00:00 2001
From: Sudo-Ivan
Date: Tue, 30 Dec 2025 23:45:17 -0600
Subject: [PATCH] feat: add comprehensive Trivy scanning tasks to Taskfile for enhanced vulnerability management
---
Taskfile.yml | 218 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 218 insertions(+)
diff --git a/Taskfile.yml b/Taskfile.yml
index 44db545..94c506d 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -366,3 +366,221 @@ tasks: mkdir -p sbom trivy fs --format cyclonedx --include-dev-deps --output sbom/sbom.cyclonedx.json . echo "CycloneDX SBOM generated: sbom/sbom.cyclonedx.json" + + trivy:scan:json: + desc: Run Trivy vulnerability scan with JSON output + cmds: + - | + if ! command -v trivy &> /dev/null; then + echo "Error: Trivy not found. Run 'task trivy:install' first." + exit 1 + fi + mkdir -p reports + trivy fs --scanners vuln --format json --output reports/trivy-vuln.json --timeout 90m . + + trivy:scan:sarif: + desc: Run Trivy scan with SARIF output (for GitHub/GitLab integration) + cmds: + - | + if ! command -v trivy &> /dev/null; then + echo "Error: Trivy not found. Run 'task trivy:install' first." + exit 1 + fi + mkdir -p reports + trivy fs --scanners vuln,secret --format sarif --output reports/trivy.sarif --timeout 90m . + + trivy:scan:secrets: + desc: Scan for hardcoded secrets + cmds: + - | + if ! command -v trivy &> /dev/null; then + echo "Error: Trivy not found. Run 'task trivy:install' first." + exit 1 + fi + trivy fs --scanners secret . + + trivy:scan:licenses: + desc: Scan for licenses in dependencies + cmds: + - | + if ! command -v trivy &> /dev/null; then + echo "Error: Trivy not found. Run 'task trivy:install' first." + exit 1 + fi + trivy fs --scanners license . + + trivy:scan:misconfig: + desc: Scan for misconfigurations in config files + cmds: + - | + if ! command -v trivy &> /dev/null; then + echo "Error: Trivy not found. Run 'task trivy:install' first." + exit 1 + fi + trivy fs --scanners misconfig . + + trivy:db-update: + desc: Update Trivy vulnerability database + cmds: + - | + if ! command -v trivy &> /dev/null; then + echo "Error: Trivy not found. Run 'task trivy:install' first." + exit 1 + fi + trivy image --download-db-only + + trivy:cache-clean: + desc: Clean Trivy cache + cmds: + - | + if ! command -v trivy &> /dev/null; then + echo "Error: Trivy not found. Run 'task trivy:install' first." 
+ exit 1 + fi + trivy clean --cache + + trivy:compliance: + desc: "Generate compliance report (specify COMPLIANCE env var: docker-bench-cis, k8s-nsa, etc.)" + cmds: + - | + if ! command -v trivy &> /dev/null; then + echo "Error: Trivy not found. Run 'task trivy:install' first." + exit 1 + fi + if [ -z "${COMPLIANCE}" ]; then + echo "Error: COMPLIANCE environment variable required" + echo "Example: COMPLIANCE=docker-bench-cis task trivy:compliance" + exit 1 + fi + mkdir -p reports + trivy fs --compliance "${COMPLIANCE}" --format json --output "reports/compliance-${COMPLIANCE}.json" . + + trivy:ci: + desc: Run Trivy scan for CI (exits with non-zero code on findings) + cmds: + - | + if ! command -v trivy &> /dev/null; then + echo "Error: Trivy not found. Run 'task trivy:install' first." + exit 1 + fi + trivy fs --scanners vuln --severity HIGH,CRITICAL --exit-code 1 --timeout 90m . + + docker:build: + desc: Build Docker image (runtime image) + vars: + IMAGE_NAME: reticulum-go + IMAGE_TAG: latest + cmds: + - docker build -f docker/Dockerfile -t {{.IMAGE_NAME}}:{{.IMAGE_TAG}} . + + docker:build:tag: + desc: Build Docker image with custom tag (use IMAGE_TAG env var) + vars: + IMAGE_NAME: reticulum-go + IMAGE_TAG: ${IMAGE_TAG:-latest} + cmds: + - docker build -f docker/Dockerfile -t {{.IMAGE_NAME}}:{{.IMAGE_TAG}} . + + docker:build:build: + desc: Build Docker image for building binaries only + vars: + IMAGE_NAME: reticulum-go-build + IMAGE_TAG: latest + cmds: + - docker build -f docker/Dockerfile.build -t {{.IMAGE_NAME}}:{{.IMAGE_TAG}} . 
+ + docker:run: + desc: Run Docker container (runtime image) + vars: + IMAGE_NAME: reticulum-go + IMAGE_TAG: latest + CONTAINER_NAME: reticulum-go + cmds: + - | + docker run --rm -it \ + --name {{.CONTAINER_NAME}} \ + -p 4242:4242 \ + {{.IMAGE_NAME}}:{{.IMAGE_TAG}} + + docker:run:detached: + desc: Run Docker container in detached mode + vars: + IMAGE_NAME: reticulum-go + IMAGE_TAG: latest + CONTAINER_NAME: reticulum-go + cmds: + - | + docker run -d \ + --name {{.CONTAINER_NAME}} \ + -p 4242:4242 \ + {{.IMAGE_NAME}}:{{.IMAGE_TAG}} + + docker:stop: + desc: Stop running Docker container + vars: + CONTAINER_NAME: reticulum-go + cmds: + - docker stop {{.CONTAINER_NAME}} || true + - docker rm {{.CONTAINER_NAME}} || true + + docker:extract: + desc: Extract binary from build container + vars: + IMAGE_NAME: reticulum-go-build + IMAGE_TAG: latest + BINARY_NAME: reticulum-go + cmds: + - | + CONTAINER_ID=$(docker create {{.IMAGE_NAME}}:{{.IMAGE_TAG}}) + docker cp $CONTAINER_ID:/dist/{{.BINARY_NAME}} {{.BUILD_DIR}}/{{.BINARY_NAME}} + docker rm $CONTAINER_ID + echo "Binary extracted to {{.BUILD_DIR}}/{{.BINARY_NAME}}" + + docker:buildx:setup: + desc: Setup Docker buildx for multi-platform builds + cmds: + - docker buildx create --name reticulum-builder --use || docker buildx use reticulum-builder + - docker buildx inspect --bootstrap + + docker:buildx:build: + desc: Build multi-platform Docker image + vars: + IMAGE_NAME: reticulum-go + IMAGE_TAG: latest + PLATFORMS: linux/amd64,linux/arm64,linux/arm/v7 + cmds: + - | + docker buildx build \ + --platform {{.PLATFORMS}} \ + -f docker/Dockerfile \ + -t {{.IMAGE_NAME}}:{{.IMAGE_TAG}} \ + --load \ + . 
+ + docker:buildx:build:push: + desc: Build and push multi-platform Docker image + vars: + IMAGE_NAME: reticulum-go + IMAGE_TAG: latest + PLATFORMS: linux/amd64,linux/arm64,linux/arm/v7 + cmds: + - | + if [ -z "${DOCKER_REGISTRY}" ]; then + echo "Error: DOCKER_REGISTRY environment variable required" + echo "Example: DOCKER_REGISTRY=registry.example.com task docker:buildx:build:push" + exit 1 + fi + docker buildx build \ + --platform {{.PLATFORMS}} \ + -f docker/Dockerfile \ + -t ${DOCKER_REGISTRY}/{{.IMAGE_NAME}}:{{.IMAGE_TAG}} \ + --push \ + . + + docker:clean: + desc: Clean Docker images and containers + cmds: + - docker stop reticulum-go || true + - docker rm reticulum-go || true + - docker rmi reticulum-go:latest || true + - docker rmi reticulum-go-build:latest || true
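Review bot: The blocking gate in `trivy:ci` runs only `--scanners vuln`, so the secret and misconfiguration findings that `trivy:scan:secrets`, `trivy:scan:misconfig` and the SARIF task surface are never able to fail a pipeline; those tasks print to stdout without `--exit-code` and depend on someone reading the output. If `trivy:ci` is meant to be the single enforcing check, widen it to `trivy fs --scanners vuln,secret,misconfig --severity HIGH,CRITICAL --exit-code 1 --timeout 90m .`, or state in its `desc` that secrets and misconfig are deliberately advisory only. Separately, `docker:extract` passes `$CONTAINER_ID` unquoted to `docker cp` and `docker rm`; `"$CONTAINER_ID"` is the conventional form and matches the quoting already used for `${COMPLIANCE}` and `${DOCKER_REGISTRY}` elsewhere in the hunk, and `docker:clean` hard-codes `reticulum-go` / `reticulum-go-build` where the sibling tasks take them from `vars`, so a tag change will leave stale images behind. The enclosing `tasks:` mapping begins before this hunk.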