Configure and utilize trivy scan

also fix detected issue with Dockerfile

Signed-off-by: Knut Ahlers <knut@ahlers.me>

.github/workflows/test-and-build.yml

@@ -40,6 +40,7 @@ jobs:
             nodejs-lts-hydrogen \
             npm \
             tar \
+            trivy \
             unzip \
             which \
             zip
@@ -53,6 +54,9 @@ jobs:
         run: |
           go test -v ./...
 
+      - name: Execute Trivy scan
+        run: make trivy
+
       - name: Build release
         run: make publish
         env:

Dockerfile

@@ -34,6 +34,8 @@ COPY --from=builder /go/bin/ots /usr/local/bin/ots
 
 EXPOSE 3000
 
+USER 1000:1000
+
 ENTRYPOINT ["/usr/local/bin/ots"]
 CMD ["--"]
 

Dockerfile.minimal

@@ -30,6 +30,8 @@ COPY --from=builder /go/bin/ots /usr/local/bin/ots
 
 EXPOSE 3000
 
+USER 1000:1000
+
 ENTRYPOINT ["/usr/local/bin/ots"]
 CMD ["--"]
 

Makefile

@@ -1,4 +1,4 @@
-VER_FONTAWESOME=6.4.0
+VER_FONTAWESOME:=6.4.0
 
 
 default: generate download_libs
@@ -33,3 +33,16 @@ download_libs: fontawesome
 fontawesome:
 	curl -sSfL https://github.com/FortAwesome/Font-Awesome/archive/$(VER_FONTAWESOME).tar.gz | \
 		tar -vC frontend -xz --strip-components=1 --wildcards --exclude='*/js-packages' '*/css' '*/webfonts'
+
+# -- Vulnerability scanning --
+
+trivy:
+	trivy fs . \
+		--dependency-tree \
+		--exit-code 1 \
+		--format table \
+		--ignore-unfixed \
+		--quiet \
+		--scanners config,license,secret,vuln \
+		--severity HIGH,CRITICAL \
+		--skip-dirs docs