From d0b269cf752b766db88b048c18cd4ccf09bfb176 Mon Sep 17 00:00:00 2001 From: Daniel Pacak Date: Thu, 3 Oct 2019 16:55:03 +0300 Subject: [PATCH] chore: Release a Docker image (#23) Resolves: #10 Signed-off-by: Daniel Pacak --- .gitignore | 3 +- .goreleaser.yml | 44 ++++++++ .travis.yml | 37 ++++++ Dockerfile | 2 +- LICENSE | 201 +++++++++++++++++++++++++++++++++ Makefile | 4 +- README.md | 40 ++++++- cmd/scanner-trivy/main.go | 23 +++- docs/ARCHITECTURE.md | 1 + docs/RELEASES.md | 95 ++++++++++++++++ go.mod | 1 - go.sum | 2 - kube/harbor-scanner-trivy.yaml | 4 +- 13 files changed, 440 insertions(+), 17 deletions(-) create mode 100644 .goreleaser.yml create mode 100644 .travis.yml create mode 100644 LICENSE create mode 100644 docs/ARCHITECTURE.md create mode 100644 docs/RELEASES.md diff --git a/.gitignore b/.gitignore index 5bfa2adf..2b00b3de 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ .idea/ -bin/ +scanner-trivy +dist/ coverage.txt diff --git a/.goreleaser.yml b/.goreleaser.yml new file mode 100644 index 00000000..b266efcd --- /dev/null +++ b/.goreleaser.yml 
@@ -0,0 +1,44 @@
+env:
+  - GO111MODULE=on
+before:
+  hooks:
+    - go mod tidy
+builds:
+  - id: build-scanner-trivy
+    main: ./cmd/scanner-trivy/main.go
+    binary: scanner-trivy
+    env:
+      - CGO_ENABLED=0
+archives:
+  - replacements:
+      darwin: Darwin
+      linux: Linux
+      386: i386
+      amd64: x86_64
+checksum:
+  name_template: 'checksums.txt'
+snapshot:
+  name_template: "{{ .Tag }}-next"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+      - '^chore:'
+dockers:
+  - image_templates:
+      - "docker.io/aquasec/harbor-scanner-trivy:{{ .Version }}"
+    binaries:
+      - scanner-trivy
+    build_flag_templates:
+      - "--label=org.label-schema.schema-version=1.0"
+      - "--label=org.label-schema.name={{ .ProjectName }}"
+      - "--label=org.label-schema.description=Harbor scanner adapter for Trivy"
+      - "--label=org.label-schema.vendor=Aqua Security"
+      - "--label=org.label-schema.version={{ .Version }}"
+      - "--label=org.label-schema.build-date={{ .Date }}"
+      - "--label=org.label-schema.vcs=https://github.com/aquasecurity/harbor-scanner-trivy"
+      - "--label=org.label-schema.vcs-ref={{ .FullCommit }}"
+    extra_files:
+      - trivy
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 00000000..1387c88a
--- /dev/null
+++ b/.travis.yml
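Review bot: The `dockers` entry bakes a `trivy` binary into the published image through `extra_files: - trivy`, but nothing in this config, or elsewhere in the patch, shows where that file comes from or checks it, so whatever happens to sit in the release checkout is shipped under the versioned tag. A pinned, checksum-verified fetch of the Trivy release in `before.hooks` (or in the Dockerfile) would make the image contents reproducible and auditable. Separately, `before.hooks: - go mod tidy` can rewrite `go.mod`/`go.sum` at release time, so the binary may not be built from the committed dependency set; `go mod download` followed by `go mod verify` checks the committed sums instead of editing them.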
@@ -0,0 +1,37 @@ +language: go +go: + # TODO Upgrade to 1.13 https://github.com/aquasecurity/harbor-scanner-trivy/issues/24 + - "1.12" + +git: + depth: 1 + +services: + - docker + +env: + global: + - secure: "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" + - secure: "qPeleb8zRcnJEtcKWsdE13g6eamKoqxqTPqdVKsv3n+2zE9GLUMOS/eOUQSYLqvYxoiASyknN3Knd97M/Ll8FvXv4f2eGf9PYozVO1UnB/5KU9jm7yA0uG+uYotkJS5SStfIPupXX6wCNWsR3wBVTOYYzfM5uWFM/Rq05xLd0S+GT2DzIgH8SAANkL1c8zdJFlua3wWmB/gO8MtOJRq/vRHnMESr+FnQ5Ix4q5WBDaBsf5UMZJ+0vd5TU8YCLpKk6iMRLF+QllZD+m7BbVvHO5RCcNbCucyYLF3HNnVeHdW4bPt03nv2icoZNPqt0xJdNy+4nU8lsRJ2Waa5d/miDJOfee2SdIpa7+B+vSU4a/6/33iav6j3fSZXXJZbAX7AdfmRGm/FdyHQmfGTkxuVtr+3ipuayrbweRY6RxCkMYiG8j1xyIktb6xdkFj+1YHUky+YLRaK+055JjF4fg9omFhJhAqw57oZfUnVgmWY8t/4VwX1FtGOhnsB/1abvtGiQ+Dy44ciwi4AKt+mWLGWLnQeWKTyl/novz31QNvzGHlNHSSBQA2FWuF0+bUBuSvfiBFFhMMIBb8NyAH7j2eVkbkld30RHScAZhhBSOuNzSrhN8bkIu+0jBGO095KmIOUQQPAqvlTZnabZl0FEIKjJaFTZffN9CWmaZkuBU8kQZ4=" + - secure: "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" + +script: + - make test + - curl -sL https://git.io/goreleaser | bash -s -- --snapshot --skip-publish --rm-dist + +after_success: + - curl -sL https://codecov.io/bash | bash + # docker login is required to push docker images to Docker Hub. + # DOCKERHUB_USER and DOCKERHUB_TOKEN should be set as secrets in this .travis.yml configuration file. + - test -n "$TRAVIS_TAG" && docker login -u="$DOCKERHUB_USER" -p="$DOCKERHUB_TOKEN" + +deploy: + - provider: script + skip_cleanup: true + script: curl -sL https://git.io/goreleaser | bash -s -- --rm-dist + on: + tags: true + condition: $TRAVIS_OS_NAME = linux + +notifications: + email: false diff --git a/Dockerfile b/Dockerfile index e875fb76..ee671a83 100644 --- a/Dockerfile +++ b/Dockerfile 
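Review bot: In `after_success`, `docker login -u="$DOCKERHUB_USER" -p="$DOCKERHUB_TOKEN"` passes the Docker Hub token as a command-line argument, which Docker itself warns about because it is visible in the process list and can end up in build logs; `echo "$DOCKERHUB_TOKEN" | docker login -u "$DOCKERHUB_USER" --password-stdin` keeps it off the command line. The same job runs `curl -sL https://git.io/goreleaser | bash` (in both `script` and `deploy`) while it holds the GitHub and Docker Hub publishing credentials, so the release is only as trustworthy as whatever that redirect serves at build time; pinning a GoReleaser release and checking its published checksum before executing it would make the step reproducible. Also, `test -n "$TRAVIS_TAG" && docker login …` exits non-zero on every untagged build; `if [ -n "$TRAVIS_TAG" ]; then …; fi` states the intent and avoids the spurious non-zero step.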
@@ -4,6 +4,6 @@ RUN apk add --no-cache rpm git bash ca-certificates && update-ca-certificates
 ADD trivy /usr/local/bin
-ADD bin/scanner-trivy /app/scanner-trivy
+ADD scanner-trivy /app/scanner-trivy
 ENTRYPOINT ["/app/scanner-trivy"]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 00000000..261eeb9e
--- /dev/null
+++ b/LICENSE
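Review bot: The changed line keeps `ADD` for a plain local file; `COPY scanner-trivy /app/scanner-trivy` (and likewise `COPY trivy /usr/local/bin` on the context line above it) is the conventional form, since `ADD` additionally auto-extracts archives and fetches URLs, neither of which is wanted for a binary. No `USER` instruction appears in the hunk, so if the lines above it (outside the hunk) don't set one, the adapter runs as root inside the image; adding an unprivileged user before `ENTRYPOINT` would limit what a compromised scanner process can do to the container.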
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/Makefile b/Makefile
index c4080645..1b4e05bf 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 SOURCES := $(shell find . -name '*.go')
 BINARY := scanner-trivy
-IMAGE_TAG := poc
+IMAGE_TAG := dev
 IMAGE := aquasec/harbor-scanner-trivy:$(IMAGE_TAG)
 build: $(BINARY)
@@ -9,7 +9,7 @@ test: build
 	GO111MODULE=on go test -short -race -coverprofile=coverage.txt -covermode=atomic ./...
 $(BINARY): $(SOURCES)
-	GOOS=linux GO111MODULE=on CGO_ENABLED=0 go build -o bin/$(BINARY) cmd/scanner-trivy/main.go
+	GOOS=linux GO111MODULE=on CGO_ENABLED=0 go build -o $(BINARY) cmd/scanner-trivy/main.go
 container: build
 	docker build -t $(IMAGE) .
diff --git a/README.md b/README.md
index a930de01..a8260285 100644
--- a/README.md
+++ b/README.md
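Review bot: The `$(BINARY)` rule builds with no `-ldflags`, so the `version`/`commit`/`date` variables that `cmd/scanner-trivy/main.go` now logs at startup stay at `dev`/`none`/`unknown` in every image produced by `make container`, leaving locally built images indistinguishable from one another in logs. Passing the same `-X main.version=… -X main.commit=… -X main.date=…` values that GoReleaser injects (derived from `git describe --tags --always`, `git rev-parse HEAD` and a UTC timestamp, each held in a Makefile variable) keeps the Make and GoReleaser build paths consistent and makes a running container attributable to a commit.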
@@ -1,12 +1,29 @@ +[![GitHub release][release-img]][release] +[![Build Status][ci-img]][ci] +[![Coverage Status][cov-img]][cov] +[![Go Report Card][report-card-img]][report-card] +[![License][license-img]][license] + # harbor-scanner-trivy -```bash +The Harbor Scanner Adapter for [Trivy][trivy-url]. +See [Pluggable Image Vulnerability Scanning Proposal][image-vulnerability-scanning-proposal] for more details. + +## TOC + +- [Deploy to Kubernetes (minikube)](#deploy-to-kubernetes-minikube) +- [Configuration](#configuration) +- [Documentation](#documentation) + +## Deploy to Kubernetes (minikube) + +``` $ eval $(minikube docker-env -p harbor) $ make container $ kubectl apply -f kube/harbor-scanner-trivy.yaml ``` -```bash +``` kubectl port-forward service/harbor-scanner-trivy 8080:8080 &> /dev/null & curl -v http://localhost:8080/api/v1/metadata 
@@ -29,3 +46,22 @@ curl -v http://localhost:8080/api/v1/metadata | `SCANNER_JOB_QUEUE_REDIS_POOL_MAX_ACTIVE` | 5 | The max number of connections allocated by the pool for a jobs queue. | | `SCANNER_JOB_QUEUE_REDIS_POOL_MAX_IDLE` | 5 | The max number of idle connections in the pool for a jobs queue. | | `SCANNER_JOB_QUEUE_WORKER_CONCURRENCY` | 1 | The number of workers to spin-up for a jobs queue. | + +## Documentation + +- [Architecture](./docs/ARCHITECTURE.md): architectural decisions behind designing harbor-scanner-trivy. +- [Releases](./docs/RELEASES.md): how to release a new version of harbor-scanner-trivy. + +[release-img]: https://img.shields.io/github/release/aquasecurity/harbor-scanner-trivy.svg +[release]: https://github.com/aquasecurity/harbor-scanner-trivy/releases +[ci-img]: https://travis-ci.org/aquasecurity/harbor-scanner-trivy.svg?branch=master +[ci]: https://travis-ci.org/aquasecurity/harbor-scanner-trivy +[cov-img]: https://codecov.io/github/aquasecurity/harbor-scanner-trivy/branch/master/graph/badge.svg +[cov]: https://codecov.io/github/aquasecurity/harbor-scanner-trivy +[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/harbor-scanner-trivy +[report-card]: https://goreportcard.com/report/github.com/aquasecurity/harbor-scanner-trivy +[license-img]: https://img.shields.io/github/license/aquasecurity/harbor-scanner-trivy.svg +[license]: https://github.com/aquasecurity/harbor-scanner-trivy/blob/master/LICENSE + +[trivy-url]: https://github.com/aquasecurity/trivy +[image-vulnerability-scanning-proposal]: https://github.com/goharbor/community/pull/98 diff --git a/cmd/scanner-trivy/main.go b/cmd/scanner-trivy/main.go index a9d2fb6b..713c0bf1 100644 --- a/cmd/scanner-trivy/main.go +++ b/cmd/scanner-trivy/main.go 
@@ -12,13 +12,24 @@ import (
 	"os/signal"
 )
+var (
+	// Default wise GoReleaser sets three ldflags:
+	version = "dev"
+	commit = "none"
+	date = "unknown"
+)
+
 func main() {
 	log.SetOutput(os.Stdout)
 	log.SetLevel(log.DebugLevel)
 	log.SetReportCaller(false)
 	log.SetFormatter(&log.JSONFormatter{})
-	log.Info("Starting harbor-scanner-trivy")
+	log.WithFields(log.Fields{
+		"version": version,
+		"commit": commit,
+		"built_at": date,
+	}).Info("Starting harbor-scanner-trivy")
 	jobQueueConfig, err := etc.GetJobQueueConfig()
 	if err != nil {
@@ -51,17 +62,17 @@ func main() {
 		sigint := make(chan os.Signal, 1)
 		signal.Notify(sigint, os.Interrupt, os.Kill)
 		captured := <-sigint
-		log.Debugf("Trapped os signal %v", captured)
+		log.WithField("signal", captured.String()).Debug("Trapped os signal")
-		log.Debug("Graceful shutdown started")
+		log.Debug("API server shutdown started")
 		if err := server.Shutdown(context.Background()); err != nil {
 			log.WithError(err).Error("Error while shutting down server")
 		}
-		log.Debug("Graceful shutdown completed")
+		log.Debug("API server shutdown completed")
-		log.Debug("Stopping worker started")
+		log.Debug("Job queue shutdown started")
 		worker.Stop()
-		log.Debug("Stopping worker completed")
+		log.Debug("Job queue shutdown completed")
 		close(shutdownComplete)
 	}()
diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md
new file mode 100644
index 00000000..c79bec1a
--- /dev/null
+++ b/docs/ARCHITECTURE.md
@@ -0,0 +1 @@
+# Architecture
diff --git a/docs/RELEASES.md b/docs/RELEASES.md
new file mode 100644
index 00000000..96cf03bd
--- /dev/null
+++ b/docs/RELEASES.md
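Review bot: The comment on the new `var` block, `// Default wise GoReleaser sets three ldflags:`, neither names the flags nor says these are build-time overrides, and the `.goreleaser.yml` in this patch declares no `ldflags`, so the wiring relies on GoReleaser's implicit default; suggest `// Overridden at build time via -ldflags "-X main.version=… -X main.commit=… -X main.date=…" (GoReleaser does this by default); the values below are what local Make builds report.` The new startup log is a good place for these fields, but `log.SetLevel(log.DebugLevel)` a few lines below hard-codes debug output in the released image; reading the level from an environment variable that follows the existing `SCANNER_` naming convention (name to be chosen) would let operators quiet the signal and shutdown debug lines in production.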
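Review bot: `signal.Notify(sigint, os.Interrupt, os.Kill)` on the second hunk's second line cannot deliver `os.Kill` (SIGKILL is not catchable) and does not register SIGTERM, which is what Kubernetes sends on pod termination (the `kube/harbor-scanner-trivy.yaml` manifest in this patch deploys the adapter there), so the shutdown sequence this hunk relabels never runs on a normal pod delete; change it to `signal.Notify(sigint, os.Interrupt, syscall.SIGTERM)` and add `"syscall"` to the imports if it is not already there. `server.Shutdown(context.Background())` also has no deadline, so one client holding a connection open can stall termination until the kubelet's grace period ends in SIGKILL and the worker is never stopped cleanly; `ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second); defer cancel()` and passing `ctx` bounds it (the 10s is a constructed example and should stay below the pod's `terminationGracePeriodSeconds`; `"time"` would need importing). This hunk sits inside a goroutine whose `go func()` line, and the enclosing `main`, start outside the hunk.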
@@ -0,0 +1,95 @@ +# Releases + +This document is intended for maintainers only. + +## TOC + +- [Prerequisites](#prerequisites) +- [Build and test the next release locally](#build-and-test-the-next-release-locally) +- [Release a new version](#release-a-new-version) +- [Release artifacts](#release-artifacts) + +## Prerequisites + +1. Install [GoReleaser](https://goreleaser.com/) or use it as curl bash piping: + ``` + $ brew install goreleaser/tap/goreleaser + $ goreleaser -v + ``` + ``` + $ curl -sL https://git.io/goreleaser | bash -s -- -v + ``` +2. Fork and clone this repository and then add the `upstream` remote repository: + ``` + $ git remote -v + origin git@github.com:/harbor-scanner-trivy.git (fetch) + origin git@github.com:/harbor-scanner-trivy.git (push) + upstream git@github.com:aquasecurity/harbor-scanner-trivy.git (fetch) + upstream git@github.com:aquasecurity/harbor-scanner-trivy.git (push) + ``` +3. Docker client connected to a Docker host: + ``` + $ docker info + ``` + +### Environment + +GoReleaser requires the following environment variables to be set. + +| Environment Variable | Description | +|----------------------|-------------| +| `GITHUB_TOKEN` | GitHub API token with the `repo` scope to deploy the artifacts to GitHub | +| `DOCKERHUB_USER` | DockerHub username | +| `DOCKERHUB_TOKEN` | DockerHub access token to push images | + +Those can be stored as encrypted environment variable in `.travis.yml`. The easiest way to encrypt something with the +public key is to use Travis CLI: + +``` +$ gem install travis +``` + +``` +$ travis encrypt GITHUB_TOKEN="***" --repo aquasecurity/harbor-scanner-trivy +$ travis encrypt DOCKERHUB_USER="***" --repo aquasecurity/harbor-scanner-trivy +$ travis encrypt DOCKERHUB_TOKEN="***" --repo aquasecurity/harbor-scanner-trivy +``` + +## Build and test the next release locally + +1. Make sure that your fork's `master` branch is up to date with `upstream/master` and your working tree is clean. +2. 
Run unit tests and make sure that they're passing: + ``` + $ make test + ``` +3. Perform a dry run to test everything before doing a release for real. Notice the `--skip-publish` flag, which + instructs GoReleaser to only build and package things: + ``` + $ goreleaser --snapshot --skip-publish --rm-dist + ``` +4. Make sure that the Docker image was built successfully: + ``` + $ docker image inspect "docker.io/aquasec/harbor-scanner-trivy:$CURRENT_VERSION-next" + ``` + where `CURRENT_VERSION` corresponds to the latest release tag, e.g. `v0.1.0` or equals `v0.0.0` if you're releasing + for the first time. +5. You can even try running the container to be more confident with new release: + ``` + $ docker container run --rm -p 8080:8080 "docker.io/aquasec/harbor-scanner-trivy:$CURRENT_VERSION-next" + ``` + +## Release a new version + +1. If everything is fine so far create an annotated git tag and push it to the `upstream` repository to actually + trigger the release build: + ``` + $ git tag -a $NEW_VERSION -m "Release $NEW_VERSION" + $ git push upstream $NEW_VERSION + ``` + where `NEW_VERSION` adheres to semantic versioning, e.g. `v0.2.0`. +2. Check that Travis CI scheduled a build job that corresponds to `NEW_VERSION`. Make sure that the job exited with 0 status code. + +## Release artifacts + +1. Make sure that GoReleaser uploaded artifacts to GitHub [releases](https://github.com/aquasecurity/harbor-scanner-trivy/releases) page. +2. Make sure that GoReleaser pushed new tag `NEW_VERSION` to Docker Hub [repository](https://hub.docker.com/r/aquasec/harbor-scanner-trivy/tags). diff --git a/go.mod b/go.mod index 43898272..eee0bd11 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,6 @@ require ( github.com/caarlos0/env/v6 v6.0.0 github.com/gocraft/work v0.5.1 github.com/gomodule/redigo v2.0.0+incompatible - github.com/google/uuid v1.1.1 github.com/gorilla/mux v1.7.3 github.com/robfig/cron v1.2.0 // indirect github.com/sirupsen/logrus v1.4.2 
diff --git a/go.sum b/go.sum index 74dfdc6e..83774bfd 100644 --- a/go.sum +++ b/go.sum @@ -8,8 +8,6 @@ github.com/gocraft/work v0.5.1 h1:3bRjMiOo6N4zcRgZWV3Y7uX7R22SF+A9bPTk4xRXr34= github.com/gocraft/work v0.5.1/go.mod h1:pc3n9Pb5FAESPPGfM0nL+7Q1xtgtRnF8rr/azzhQVlM= github.com/gomodule/redigo v2.0.0+incompatible h1:K/R+8tc58AaqLkqG2Ol3Qk+DR/TlNuhuh457pBFPtt0= github.com/gomodule/redigo v2.0.0+incompatible/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4= -github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw= github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk= diff --git a/kube/harbor-scanner-trivy.yaml b/kube/harbor-scanner-trivy.yaml index ebb6e8ab..c8a97bc0 100644 --- a/kube/harbor-scanner-trivy.yaml +++ b/kube/harbor-scanner-trivy.yaml @@ -15,7 +15,7 @@ spec: spec: initContainers: - name: init - image: aquasec/harbor-scanner-trivy:poc + image: aquasec/harbor-scanner-trivy:dev imagePullPolicy: IfNotPresent command: - "trivy" @@ -27,7 +27,7 @@ spec: name: trivy-cache containers: - name: main - image: aquasec/harbor-scanner-trivy:poc + image: aquasec/harbor-scanner-trivy:dev imagePullPolicy: IfNotPresent env: - name: "SCANNER_API_ADDR"