#!/usr/bin/env bash set -euo pipefail ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../../.." && pwd)" IMAGE="${SECURITY_AUDIT_IMAGE:-govoplan/security-audit:local}" SCOPE="${SECURITY_AUDIT_SCOPE:-current}" MODE="${SECURITY_AUDIT_MODE:-full}" REPORTS_DIR="${SECURITY_AUDIT_REPORTS_DIR:-audit-reports}" REBUILD="${SECURITY_AUDIT_REBUILD:-0}" UPDATE="${SECURITY_AUDIT_UPDATE:-0}" BUILD_ONLY=0 SCRIPT_ARGS=() while [[ $# -gt 0 ]]; do case "$1" in --mode) MODE="${2:?missing mode}" shift 2 ;; --scope) SCOPE="${2:?missing scope}" shift 2 ;; --reports-dir) REPORTS_DIR="${2:?missing reports dir}" shift 2 ;; --rebuild) REBUILD=1 shift ;; --update) UPDATE=1 REBUILD=1 shift ;; --build-only) BUILD_ONLY=1 shift ;; -h|--help) cat <<'EOF' Usage: tools/checks/security-audit/run.sh [--mode quick|ci|full] [--scope current|govoplan] [--reports-dir DIR] [--rebuild] [--update] [--build-only] [--strict|--report-only] Builds or reuses the containerized GovOPlaN audit toolbox, then runs tools/checks/check-security-audit.sh inside it. Image caching: The image is tagged by a fingerprint of tools/checks/security-audit/Dockerfile and requirements-audit.txt. Existing matching images are reused. Flags: --rebuild Rebuild the fingerprinted image using Docker cache. --update Rebuild with --pull --no-cache to refresh base images/tools. --build-only Build or refresh the image, then exit without running an audit. EOF exit 0 ;; --strict|--report-only) SCRIPT_ARGS+=("$1") shift ;; *) SCRIPT_ARGS+=("$1") shift ;; esac done REBUILD="${REBUILD:-0}" UPDATE="${UPDATE:-0}" BUILD_ONLY="${BUILD_ONLY:-0}" IMAGE_NAME="${IMAGE##*/}" if [[ "$IMAGE_NAME" == *:* ]]; then IMAGE_REPOSITORY="${IMAGE%:*}" IMAGE_ALIAS="$IMAGE" else IMAGE_REPOSITORY="$IMAGE" IMAGE_ALIAS="$IMAGE:local" fi IMAGE_FINGERPRINT="$( { sha256sum "$ROOT/tools/checks/security-audit/Dockerfile" sha256sum "$ROOT/requirements-audit.txt" } | sha256sum | cut -c1-16 )" FINGERPRINT_IMAGE="${SECURITY_AUDIT_FINGERPRINT_IMAGE:-$IMAGE_REPOSITORY:$IMAGE_FINGERPRINT}" build_image() { local -a build_args=(-t "$FINGERPRINT_IMAGE" -t "$IMAGE_ALIAS" -f "$ROOT/tools/checks/security-audit/Dockerfile") if [[ "$UPDATE" == "1" ]]; then build_args=(--pull --no-cache "${build_args[@]}") fi docker build "${build_args[@]}" "$ROOT" } if [[ "$REBUILD" == "1" ]] || ! docker image inspect "$FINGERPRINT_IMAGE" >/dev/null 2>&1; then echo "Building security audit toolbox image: $FINGERPRINT_IMAGE" build_image else echo "Reusing security audit toolbox image: $FINGERPRINT_IMAGE" if ! docker image inspect "$IMAGE_ALIAS" >/dev/null 2>&1; then docker tag "$FINGERPRINT_IMAGE" "$IMAGE_ALIAS" fi fi if [[ "$BUILD_ONLY" == "1" ]]; then docker image inspect "$FINGERPRINT_IMAGE" --format 'Built audit toolbox image {{.RepoTags}} {{.Id}}' exit 0 fi if [[ "$SCOPE" == "govoplan" ]]; then MOUNT_ROOT="$(dirname "$ROOT")" WORKDIR="/workspace/$(basename "$ROOT")" EXTRA_ENV=(-e "GOVOPLAN_REPOS_ROOT=/workspace") else MOUNT_ROOT="$ROOT" WORKDIR="/workspace" EXTRA_ENV=() fi docker run --rm \ --user "$(id -u):$(id -g)" \ -e HOME=/tmp/security-audit-home \ -e SECURITY_AUDIT_SCOPE="$SCOPE" \ -e SECURITY_AUDIT_MODE="$MODE" \ -e SECURITY_AUDIT_REPORTS_DIR="$REPORTS_DIR" \ -e SECURITY_AUDIT_FAIL_ON_FINDINGS="${SECURITY_AUDIT_FAIL_ON_FINDINGS:-0}" \ -e SECURITY_AUDIT_REQUIRE_TOOLS="${SECURITY_AUDIT_REQUIRE_TOOLS:-0}" \ "${EXTRA_ENV[@]}" \ -v "$MOUNT_ROOT:/workspace" \ -w "$WORKDIR" \ "$FINGERPRINT_IMAGE" \ bash tools/checks/check-security-audit.sh --mode "$MODE" --scope "$SCOPE" --reports-dir "$REPORTS_DIR" "${SCRIPT_ARGS[@]}"