Initialize GovOPlaN meta repository
This commit is contained in:
136
tools/checks/security-audit/run.sh
Normal file
136
tools/checks/security-audit/run.sh
Normal file
@@ -0,0 +1,136 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../../.." && pwd)"
|
||||
IMAGE="${SECURITY_AUDIT_IMAGE:-govoplan/security-audit:local}"
|
||||
SCOPE="${SECURITY_AUDIT_SCOPE:-current}"
|
||||
MODE="${SECURITY_AUDIT_MODE:-full}"
|
||||
REPORTS_DIR="${SECURITY_AUDIT_REPORTS_DIR:-audit-reports}"
|
||||
REBUILD="${SECURITY_AUDIT_REBUILD:-0}"
|
||||
UPDATE="${SECURITY_AUDIT_UPDATE:-0}"
|
||||
BUILD_ONLY=0
|
||||
SCRIPT_ARGS=()
|
||||
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case "$1" in
|
||||
--mode)
|
||||
MODE="${2:?missing mode}"
|
||||
shift 2
|
||||
;;
|
||||
--scope)
|
||||
SCOPE="${2:?missing scope}"
|
||||
shift 2
|
||||
;;
|
||||
--reports-dir)
|
||||
REPORTS_DIR="${2:?missing reports dir}"
|
||||
shift 2
|
||||
;;
|
||||
--rebuild)
|
||||
REBUILD=1
|
||||
shift
|
||||
;;
|
||||
--update)
|
||||
UPDATE=1
|
||||
REBUILD=1
|
||||
shift
|
||||
;;
|
||||
--build-only)
|
||||
BUILD_ONLY=1
|
||||
shift
|
||||
;;
|
||||
-h|--help)
|
||||
cat <<'EOF'
|
||||
Usage: tools/checks/security-audit/run.sh [--mode quick|ci|full] [--scope current|govoplan] [--reports-dir DIR] [--rebuild] [--update] [--build-only] [--strict|--report-only]
|
||||
|
||||
Builds or reuses the containerized GovOPlaN audit toolbox, then runs
|
||||
tools/checks/check-security-audit.sh inside it.
|
||||
|
||||
Image caching:
|
||||
The image is tagged by a fingerprint of tools/checks/security-audit/Dockerfile and
|
||||
requirements-audit.txt. Existing matching images are reused.
|
||||
|
||||
Flags:
|
||||
--rebuild Rebuild the fingerprinted image using Docker cache.
|
||||
--update Rebuild with --pull --no-cache to refresh base images/tools.
|
||||
--build-only Build or refresh the image, then exit without running an audit.
|
||||
EOF
|
||||
exit 0
|
||||
;;
|
||||
--strict|--report-only)
|
||||
SCRIPT_ARGS+=("$1")
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
SCRIPT_ARGS+=("$1")
|
||||
shift
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
REBUILD="${REBUILD:-0}"
|
||||
UPDATE="${UPDATE:-0}"
|
||||
BUILD_ONLY="${BUILD_ONLY:-0}"
|
||||
|
||||
IMAGE_NAME="${IMAGE##*/}"
|
||||
if [[ "$IMAGE_NAME" == *:* ]]; then
|
||||
IMAGE_REPOSITORY="${IMAGE%:*}"
|
||||
IMAGE_ALIAS="$IMAGE"
|
||||
else
|
||||
IMAGE_REPOSITORY="$IMAGE"
|
||||
IMAGE_ALIAS="$IMAGE:local"
|
||||
fi
|
||||
|
||||
IMAGE_FINGERPRINT="$(
|
||||
{
|
||||
sha256sum "$ROOT/tools/checks/security-audit/Dockerfile"
|
||||
sha256sum "$ROOT/requirements-audit.txt"
|
||||
} | sha256sum | cut -c1-16
|
||||
)"
|
||||
FINGERPRINT_IMAGE="${SECURITY_AUDIT_FINGERPRINT_IMAGE:-$IMAGE_REPOSITORY:$IMAGE_FINGERPRINT}"
|
||||
|
||||
build_image() {
|
||||
local -a build_args=(-t "$FINGERPRINT_IMAGE" -t "$IMAGE_ALIAS" -f "$ROOT/tools/checks/security-audit/Dockerfile")
|
||||
if [[ "$UPDATE" == "1" ]]; then
|
||||
build_args=(--pull --no-cache "${build_args[@]}")
|
||||
fi
|
||||
docker build "${build_args[@]}" "$ROOT"
|
||||
}
|
||||
|
||||
if [[ "$REBUILD" == "1" ]] || ! docker image inspect "$FINGERPRINT_IMAGE" >/dev/null 2>&1; then
|
||||
echo "Building security audit toolbox image: $FINGERPRINT_IMAGE"
|
||||
build_image
|
||||
else
|
||||
echo "Reusing security audit toolbox image: $FINGERPRINT_IMAGE"
|
||||
if ! docker image inspect "$IMAGE_ALIAS" >/dev/null 2>&1; then
|
||||
docker tag "$FINGERPRINT_IMAGE" "$IMAGE_ALIAS"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ "$BUILD_ONLY" == "1" ]]; then
|
||||
docker image inspect "$FINGERPRINT_IMAGE" --format 'Built audit toolbox image {{.RepoTags}} {{.Id}}'
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [[ "$SCOPE" == "govoplan" ]]; then
|
||||
MOUNT_ROOT="$(dirname "$ROOT")"
|
||||
WORKDIR="/workspace/$(basename "$ROOT")"
|
||||
EXTRA_ENV=(-e "GOVOPLAN_REPOS_ROOT=/workspace")
|
||||
else
|
||||
MOUNT_ROOT="$ROOT"
|
||||
WORKDIR="/workspace"
|
||||
EXTRA_ENV=()
|
||||
fi
|
||||
|
||||
docker run --rm \
|
||||
--user "$(id -u):$(id -g)" \
|
||||
-e HOME=/tmp/security-audit-home \
|
||||
-e SECURITY_AUDIT_SCOPE="$SCOPE" \
|
||||
-e SECURITY_AUDIT_MODE="$MODE" \
|
||||
-e SECURITY_AUDIT_REPORTS_DIR="$REPORTS_DIR" \
|
||||
-e SECURITY_AUDIT_FAIL_ON_FINDINGS="${SECURITY_AUDIT_FAIL_ON_FINDINGS:-0}" \
|
||||
-e SECURITY_AUDIT_REQUIRE_TOOLS="${SECURITY_AUDIT_REQUIRE_TOOLS:-0}" \
|
||||
"${EXTRA_ENV[@]}" \
|
||||
-v "$MOUNT_ROOT:/workspace" \
|
||||
-w "$WORKDIR" \
|
||||
"$FINGERPRINT_IMAGE" \
|
||||
bash tools/checks/check-security-audit.sh --mode "$MODE" --scope "$SCOPE" --reports-dir "$REPORTS_DIR" "${SCRIPT_ARGS[@]}"
|
||||
Reference in New Issue
Block a user