From d0259b255b26edec5466faa9eaee581030b6ca04 Mon Sep 17 00:00:00 2001
From: Markus Opolka
Date: Wed, 23 Jun 2021 08:40:51 +0200
Subject: [PATCH] Add Trivy Scan and Structure Test (#71)
* Add Trivy Scan and Structure Tests
* Update README, fancy new Badges!
* Update Makefile, full-qualified Image names
---
 .../test-latest-container-images.yaml | 49 ++++++++++++++++
 .../workflows/test-lts-container-images.yaml | 49 ++++++++++++++++
 Makefile | 12 ++--
 README.md | 4 +-
 tests/{image_tests.yaml => apache-tests.yaml} | 0
 tests/fpm-alpine-tests.yaml | 57 +++++++++++++++++++
 tests/fpm-tests.yaml | 1 +
 tests/run.sh | 11 ----
 8 files changed, 165 insertions(+), 18 deletions(-)
 create mode 100644 .github/workflows/test-latest-container-images.yaml
 create mode 100644 .github/workflows/test-lts-container-images.yaml
 rename tests/{image_tests.yaml => apache-tests.yaml} (100%)
 create mode 100644 tests/fpm-alpine-tests.yaml
 create mode 120000 tests/fpm-tests.yaml
 delete mode 100755 tests/run.sh
diff --git a/.github/workflows/test-latest-container-images.yaml b/.github/workflows/test-latest-container-images.yaml
new file mode 100644
index 0000000..b25307b
--- /dev/null
+++ b/.github/workflows/test-latest-container-images.yaml
@@ -0,0 +1,49 @@
+name: Test Latest Container Images
+
+on: [push, pull_request]
+
+jobs:
+ test_images:
+ name: Test Latest Container Images with Trivy
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ context:
+ - apache
+ - fpm-alpine
+ - fpm
+ steps:
+ - name: 'Check out the repo'
+ uses: actions/checkout@v2
+
+ - name: 'Set up Docker Buildx'
+ uses: docker/setup-buildx-action@v1
+
+ - name: 'Build Container images'
+ uses: docker/build-push-action@v2
+ with:
+ context: 5.0/${{ matrix.context }}
+ push: false
+ load: true
+ tags: docker.io/martialblog/limesurvey:5-${{ matrix.context }}
+
+ - name: 'Run Structure tests'
+ uses: plexsystems/container-structure-test-action@v0.2.0
+ with:
+ image: docker.io/martialblog/limesurvey:5-${{ matrix.context }}
+ config: tests/${{ matrix.context }}-tests.yaml
+
+ - name: 'Run vulnerability scanner'
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: docker.io/martialblog/limesurvey:5-${{ matrix.context }}
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: trivy-results-5-${{ matrix.context }}.sarif
+ severity: 'CRITICAL,HIGH'
+
+ - name: 'Upload Trivy scan results to GitHub'
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: trivy-results-5-${{ matrix.context }}.sarif
+ category: "${{ matrix.context }}"
diff --git a/.github/workflows/test-lts-container-images.yaml b/.github/workflows/test-lts-container-images.yaml
new file mode 100644
index 0000000..23a6f7a
--- /dev/null
+++ b/.github/workflows/test-lts-container-images.yaml
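Review bot: The 'Run vulnerability scanner' step in test-latest-container-images.yaml uses `aquasecurity/trivy-action@master`, a moving branch, so each run executes whatever that branch holds at the time; pin it to a release tag or, better, a full commit SHA (`uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`), and the same applies to the identical step in test-lts-container-images.yaml. The upload step labels its SARIF with `category: "${{ matrix.context }}"` and the LTS workflow uses the same three values for the 3-* images, so on one commit the 5-apache and 3-apache analyses share a category and, as far as I recall code scanning's handling of categories, the later upload replaces the earlier one; `category: "5-${{ matrix.context }}"` here and the `3-` form in the LTS file keeps them apart. The scanner step sets no `exit-code`, so CRITICAL/HIGH findings are reported to code scanning but never fail the job — acceptable if report-only is the intent, in which case a `# report-only: findings go to the Security tab, the job does not fail` comment above the step would make that explicit.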
@@ -0,0 +1,49 @@
+name: Test LTS Container Images
+
+on: [push, pull_request]
+
+jobs:
+ test_images:
+ name: Test LTS Container Images with Trivy
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ context:
+ - apache
+ - fpm-alpine
+ - fpm
+ steps:
+ - name: 'Check out the repo'
+ uses: actions/checkout@v2
+
+ - name: 'Set up Docker Buildx'
+ uses: docker/setup-buildx-action@v1
+
+ - name: 'Build Container images'
+ uses: docker/build-push-action@v2
+ with:
+ context: 3.0/${{ matrix.context }}
+ push: false
+ load: true
+ tags: docker.io/martialblog/limesurvey:3-${{ matrix.context }}
+
+ - name: 'Run Structure tests'
+ uses: plexsystems/container-structure-test-action@v0.2.0
+ with:
+ image: docker.io/martialblog/limesurvey:3-${{ matrix.context }}
+ config: tests/${{ matrix.context }}-tests.yaml
+
+ - name: 'Run vulnerability scanner'
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: docker.io/martialblog/limesurvey:3-${{ matrix.context }}
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: trivy-results-3-${{ matrix.context }}.sarif
+ severity: 'CRITICAL,HIGH'
+
+ - name: 'Upload Trivy scan results to GitHub'
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: trivy-results-3-${{ matrix.context }}.sarif
+ category: "${{ matrix.context }}"
diff --git a/Makefile b/Makefile
index c39a00e..84876a6 100644
--- a/Makefile
+++ b/Makefile
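Review bot: test-lts-container-images.yaml is a line-for-line copy of test-latest-container-images.yaml with `3.0`/`3-` substituted for `5.0`/`5-` in the `context:`, `tags:`, `image:`, `image-ref:`, `output:` and `sarif_file:` values, so every future fix has to be applied twice. A second matrix dimension, `version: ['3', '5']`, with `context: ${{ matrix.version }}.0/${{ matrix.context }}` and `tags: docker.io/martialblog/limesurvey:${{ matrix.version }}-${{ matrix.context }}` (and likewise for the other four values) would fold both files into one job. The bare `on:` key is read as the boolean `true` by YAML 1.1 loaders; GitHub's runner handles it, but a `# yamllint disable-line rule:truthy` comment on that line keeps linting clean.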
@@ -1,14 +1,14 @@
 # .PHONY: apache fpm fpm-alpine
 apache-lts:
- docker build --pull -t martialblog/limesurvey:3-apache 3.0/apache
+ docker build --pull -t docker.io/martialblog/limesurvey:3-apache 3.0/apache
 apache-latest:
- docker build --pull -t martialblog/limesurvey:5-apache 5.0/apache
+ docker build --pull -t docker.io/martialblog/limesurvey:5-apache 5.0/apache
 fpm-alpine-lts:
- docker build --pull -t martialblog/limesurvey:3-fpm-alpine 3.0/fpm-alpine
+ docker build --pull -t docker.io/martialblog/limesurvey:3-fpm-alpine 3.0/fpm-alpine
 fpm-alpine-latest:
- docker build --pull -t martialblog/limesurvey:5-fpm-alpine 5.0/fpm-alpine
+ docker build --pull -t docker.io/martialblog/limesurvey:5-fpm-alpine 5.0/fpm-alpine
 fpm-lts:
- docker build --pull -t martialblog/limesurvey:3-fpm 3.0/fpm
+ docker build --pull -t docker.io/martialblog/limesurvey:3-fpm 3.0/fpm
 fpm-latest:
- docker build --pull -t martialblog/limesurvey:5-fpm 5.0/fpm
+ docker build --pull -t docker.io/martialblog/limesurvey:5-fpm 5.0/fpm
diff --git a/README.md b/README.md
index a320cce..529bde2 100644
--- a/README.md
+++ b/README.md
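Review bot: The six rewritten recipe lines in the Makefile each spell out `docker.io/martialblog/limesurvey` by hand, so the next registry or repository change is again six edits. An `IMAGE ?= docker.io/martialblog/limesurvey` variable at the top of the file and `-t $(IMAGE):3-apache 3.0/apache` in each recipe keeps the name in one place and lets CI override it. The `.PHONY` line above the targets is commented out and names `apache fpm fpm-alpine`, none of which are targets in this file; `.PHONY: apache-lts apache-latest fpm-alpine-lts fpm-alpine-latest fpm-lts fpm-latest` would match the real ones (that line is context, not part of this change).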
@@ -1,4 +1,6 @@
-[![Build Status](https://travis-ci.com/martialblog/docker-limesurvey.svg?branch=master)](https://travis-ci.com/martialblog/docker-limesurvey)
+[![Lint Dockerfile](https://github.com/martialblog/docker-limesurvey/actions/workflows/lint-dockerfiles.yaml/badge.svg)](https://github.com/martialblog/docker-limesurvey/actions/workflows/lint-dockerfiles.yaml)
+[![Test LTS Container Images](https://github.com/martialblog/docker-limesurvey/actions/workflows/test-lts-container-images.yaml/badge.svg)](https://github.com/martialblog/docker-limesurvey/actions/workflows/test-lts-container-images.yaml)
+[![Test Latest Container Images](https://github.com/martialblog/docker-limesurvey/actions/workflows/test-latest-container-images.yaml/badge.svg)](https://github.com/martialblog/docker-limesurvey/actions/workflows/test-latest-container-images.yaml)
 [![](https://images.microbadger.com/badges/image/martialblog/limesurvey.svg)](https://microbadger.com/images/martialblog/limesurvey "Get your own image badge on microbadger.com")
 # LimeSurvey Docker
diff --git a/tests/image_tests.yaml b/tests/apache-tests.yaml
similarity index 100%
rename from tests/image_tests.yaml
rename to tests/apache-tests.yaml
diff --git a/tests/fpm-alpine-tests.yaml b/tests/fpm-alpine-tests.yaml
new file mode 100644
index 0000000..dfdd12c
--- /dev/null
+++ b/tests/fpm-alpine-tests.yaml
@@ -0,0 +1,57 @@
+schemaVersion: "2.0.0"
+
+globalEnvVars:
+ - key: "PATH"
+ value: "/env/bin:$PATH"
+
+fileContentTests:
+ - name: 'Limesurvey admin file content'
+ path: '/var/www/html/admin/index.php'
+ expectedContents: ['LimeSurvey']
+ - name: 'Entrypoint file content'
+ path: '/var/www/html/entrypoint.sh'
+ expectedContents: ['console.php', 'ADMIN_USER']
+
+fileExistenceTests:
+ - name: 'Limesurvey files'
+ path: '/var/www/html/index.php'
+ shouldExist: true
+ permissions: '-rw-rw-r--'
+ - name: 'Limesurvey admin files'
+ path: '/var/www/html/admin/index.php'
+ shouldExist: true
+ permissions: '-rw-rw-r--'
+ - name: "Dependencies - PHP - gd"
+ path: '/usr/local/etc/php/conf.d/docker-php-ext-gd.ini'
+ shouldExist: true
+ - name: "Dependencies - PHP - imap"
+ path: '/usr/local/etc/php/conf.d/docker-php-ext-imap.ini'
+ shouldExist: true
+ - name: "Dependencies - PHP - ldap"
+ path: '/usr/local/etc/php/conf.d/docker-php-ext-ldap.ini'
+ shouldExist: true
+ - name: "Dependencies - PHP - pgsql"
+ path: '/usr/local/etc/php/conf.d/docker-php-ext-pgsql.ini'
+ shouldExist: true
+ - name: "Dependencies - PHP - zip"
+ path: '/usr/local/etc/php/conf.d/docker-php-ext-zip.ini'
+ shouldExist: true
+ - name: "Dependencies - PHP - sodium"
+ path: '/usr/local/etc/php/conf.d/docker-php-ext-sodium.ini'
+ shouldExist: true
+ - name: "Dependencies - PHP - pdo_mysql"
+ path: '/usr/local/etc/php/conf.d/docker-php-ext-pdo_mysql.ini'
+ shouldExist: true
+ - name: "Dependencies - PHP - pdo_pgsql"
+ path: '/usr/local/etc/php/conf.d/docker-php-ext-pdo_pgsql.ini'
+ shouldExist: true
+
+commandTests:
+ - name: "Dependencies - netcat"
+ command: "apk"
+ args: ["info", "-e", "netcat-openbsd"]
+ exitCode: 0
+ - name: "Dependencies - PHP Modules"
+ command: "php"
+ args: ["-m"]
+ expectedOutput: ["ldap", "zip", "pdo_mysql", "pdo_sqlite", "gd", "mbstring", "PDO", "imap"]
diff --git a/tests/fpm-tests.yaml b/tests/fpm-tests.yaml
new file mode 120000
index 0000000..51c451c
--- /dev/null
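Review bot: In tests/fpm-alpine-tests.yaml the `php -m` command test's `expectedOutput` omits `pgsql`, `pdo_pgsql` and `sodium` although the file-existence tests above assert their `.ini` files, so an extension whose ini is present but which fails to load would still pass; `expectedOutput: ["ldap", "zip", "pdo_mysql", "pdo_pgsql", "pdo_sqlite", "pgsql", "sodium", "gd", "mbstring", "PDO", "imap"]` closes that gap. The two `permissions: '-rw-rw-r--'` assertions pin the LimeSurvey PHP files as group-writable; if that is deliberate, a comment above them stating why (e.g. `# group-writable on purpose: <reason>`) keeps a later reviewer from "fixing" the test, and if not, the image should be tightened and the assertion changed with it. The `value: "/env/bin:$PATH"` under `globalEnvVars` is not explained anywhere in the file — presumably `$PATH` is expanded by container-structure-test, but what `/env/bin` is for deserves a one-line comment.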
+++ b/tests/fpm-tests.yaml
@@ -0,0 +1 @@
+apache-tests.yaml
\ No newline at end of file
diff --git a/tests/run.sh b/tests/run.sh
deleted file mode 100755
index 68d51f1..0000000
--- a/tests/run.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-
-IMAGE=$1
-
-if [ ! -f container-structure-test ]; then
- curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64
- mv container-structure-test-linux-amd64 container-structure-test
- chmod +x container-structure-test
-fi
-
-./container-structure-test test --image $IMAGE --config tests/image_tests.yaml
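Review bot: tests/fpm-tests.yaml is added as a symlink (mode 120000) to apache-tests.yaml — the renamed image_tests.yaml, whose content is not in this patch — so the fpm image is checked with whatever the apache suite asserts, and any apache-specific check there will either fail on fpm or, worse, leave fpm-specific behaviour uncovered. A real fpm-tests.yaml mirroring the structure of fpm-alpine-tests.yaml, with the base image's package check in place of `apk info -e` (e.g. a `dpkg -s netcat-openbsd` command test if the fpm image is Debian-based, which I cannot confirm from this patch), would make the coverage explicit. Failing that, a comment in the workflows' 'Run Structure tests' step such as `# fpm-tests.yaml is a symlink to apache-tests.yaml` would at least make the aliasing visible to the next maintainer.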