test trivy-vulnerability-scanner (#699)

* test trivy-vulnerability-scanner * update trivvy.yml * add tests on images build in other repo's * re-order * Update trivvy.yml, add if always to all scans * Update trivvy.yml, add other locally build container * Update trivvy.yml * Update trivvy.yml * wis2downloader not build locally * update mosquitto base-image version * rename, matrix scan, only scan images built in this repo * remove old fild * fix * revert mosquitto base-image version * fix permission error for new mosquitto base-image version * try to use a different TRIVY_DB_REPOSITORY to work around the TOOMANYREQUESTS issue * java db repo --------- Co-authored-by: Tom Kralidis <tomkralidis@gmail.com>
wmo-im · Nov 6, 2024 · 4079c2d · 4079c2d
1 parent 1719569
commit 4079c2d
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 1 deletion.
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,29 @@
+name: Run Trivy vulnerability scanner
+
+on: [ push ]
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image: ['wis2box-management', 'wis2box-mqtt-metrics-collector', 'wis2box-broker']
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build docker image ${{ matrix.image }}
+        run: |
+          docker build -t ${{ matrix.image }}:test ${{ matrix.image }}
+      - name: Run Trivy vulnerability scanner on ${{ matrix.image }}
+        if: always()
+        uses: aquasecurity/trivy-action@0.20.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+        with:
+          image-ref: ${{ matrix.image }}:test
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
diff --git a/wis2box-broker/Dockerfile b/wis2box-broker/Dockerfile
@@ -19,7 +19,7 @@
 #
 ###############################################################################
 
-FROM eclipse-mosquitto:2.0.15
+FROM eclipse-mosquitto:2.0.20
 
 RUN mkdir -p /data/wis2box/mosquitto
 RUN ln -s /mosquitto /data/wis2box/mosquitto

diff --git a/wis2box-broker/entrypoint.sh b/wis2box-broker/entrypoint.sh
@@ -35,4 +35,10 @@ for i in `env | grep -Ee "\<WIS2BOX_BROKER_USERNAME_[[:alnum:]]+"`; do
     echo "topic readwrite ${!topic}" >>  /mosquitto/config/acl.conf
 done
 
+# set ownership of mosquitto files
+chown -R mosquitto:mosquitto /mosquitto
+
+# set permission of acl.conf to 0700
+chmod 0700 /mosquitto/config/acl.conf
+
 /usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf