Add Trivy to CI for every PR

Author: n0vad3v

.github/workflows/ci.yml

@@ -0,0 +1,71 @@
+name: CI Test
+
+on:
+  pull_request:
+    branches:
+      - master
+      - dev
+    paths-ignore:
+      - '**.md'
+
+jobs:
+  image-test:
+    name: Image Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Lower case for ghcr
+        id: ghcr_string
+        uses: ASzc/change-string-case-action@v1
+        with:
+          string: ${{ github.event.repository.full_name }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Build image for testing
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/amd64
+          load: true
+          tags: |
+            ${{ steps.ghcr_string.outputs.lowercase }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
+    
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+      
+      - name: Install trivy
+        run: |
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+          echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy -y
+      
+      - name: Scan for CVEs
+        uses: mathiasvr/command-output@v1
+        id: trivy
+        with:
+          run: |
+            trivy image --no-progress --severity "HIGH,CRITICAL" ${{ steps.ghcr_string.outputs.lowercase }}
+      
+      - name: Comment CVE info on  PR
+        uses: thollander/actions-comment-pull-request@v1
+        with:
+          message: |
+            ```
+            ${{ steps.trivy.outputs.stdout }}
+            ```
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:15.14.0-alpine3.10
+FROM node:16-alpine3.15 as builder
 
 VOLUME [ "/data" ]
 
@@ -7,15 +7,27 @@ ENV DB_TYPE=$DB_TYPE
 
 RUN apk add --no-cache python3 py3-pip make gcc g++
 
+COPY . /app
+
 COPY package.json yarn.lock /app/
 
 WORKDIR /app
 
-RUN yarn
+RUN yarn install --frozen-lockfile && npx browserslist@latest --update-db
+RUN npm run build:without-migrate
 
-COPY . /app
+FROM node:16-alpine3.15 as runner
 
-RUN npm run build:without-migrate
+ENV NODE_ENV=production
+ARG DB_TYPE=sqlite
+ENV DB_TYPE=$DB_TYPE
+
+WORKDIR /app
+
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/public ./public
+COPY --from=builder /app/.next ./.next
+COPY . /app
 
 EXPOSE 3000/tcp
 

yarn.lock

@@ -5469,9 +5469,9 @@ typeorm@^0.2.30:
     zen-observable-ts "^1.0.0"
 
 typescript@^4.1.3:
-  version "4.2.4"
-  resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.2.4.tgz#8610b59747de028fda898a8aef0e103f156d0961"
-  integrity sha512-V+evlYHZnQkaz8TRBuxTA92yZBPotr5H+WhQ7bD3hZUndx5tGOa1fuCgeSjxAzM1RiN5IzvadIXTVefuuwZCRg==
+  version "4.7.4"
+  resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.7.4.tgz#1a88596d1cf47d59507a1bcdfb5b9dfe4d488235"
+  integrity sha512-C0WQT0gezHuw6AdY1M2jxUO83Rjf0HP7Sk1DtXj6j1EwkQNZrHAg2XPWlq62oqEhYvONq5pkC2Y9oPljWToLmQ==
 
 typescript@~4.1.3:
   version "4.1.5"