From d5cdd2bb04a9864b70a8524be0bd783cd45e738d Mon Sep 17 00:00:00 2001
From: Lauris BH
Date: Sat, 3 Sep 2022 21:46:48 +0300
Subject: [PATCH] Add dependency security check using trivy (#1163)
---
 .woodpecker/docs.yml | 9 +++++++++
 .woodpecker/test.yml | 9 +++++++++
 .woodpecker/web.yml | 11 +++++++++++
 3 files changed, 29 insertions(+)
diff --git a/.woodpecker/docs.yml b/.woodpecker/docs.yml
index 18e2b356c..652c2227d 100644
--- a/.woodpecker/docs.yml
+++ b/.woodpecker/docs.yml
@@ -15,6 +15,15 @@ pipeline:
 event: [push, pull_request]
 path: *when_path
+ securitycheck:
+ image: aquasec/trivy:latest
+ commands:
+ - trivy fs --exit-code 0 --skip-dirs node_modules/ --skip-dirs plugins/woodpecker-plugins/node_modules --severity UNKNOWN,LOW docs/
+ # TODO currently it is not fixable so just do not block currently
+ - trivy fs --exit-code 0 --skip-dirs node_modules/ --skip-dirs plugins/woodpecker-plugins/node_modules --severity MEDIUM,HIGH,CRITICAL docs/
+ when:
+ path: *when_path
+
 deploy-preview:
 image: woodpeckerci/plugin-surge-preview:next
 settings:
diff --git a/.woodpecker/test.yml b/.woodpecker/test.yml
index fcbd9a656..c35fde6cd 100644
--- a/.woodpecker/test.yml
+++ b/.woodpecker/test.yml
@@ -50,6 +50,15 @@ pipeline:
 image: mstruebing/editorconfig-checker
 group: test
+ securitycheck:
+ group: test
+ image: aquasec/trivy:latest
+ commands:
+ - trivy fs --exit-code 0 --skip-dirs web/ --skip-dirs docs/ --severity UNKNOWN,LOW .
+ - trivy fs --exit-code 1 --skip-dirs web/ --skip-dirs docs/ --severity MEDIUM,HIGH,CRITICAL .
+ when:
+ path: *when_path
+
 test:
 image: *golang_image
 group: test
diff --git a/.woodpecker/web.yml b/.woodpecker/web.yml
index 2a56c5364..a9389c55f 100644
--- a/.woodpecker/web.yml
+++ b/.woodpecker/web.yml
@@ -1,6 +1,8 @@
 variables:
 - &node_image 'node:16-alpine'
 - &when_path
+ # related config files
+ - ".woodpecker/web.yml"
 # web source code
 - "web/**"
 
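Review bot: `image: aquasec/trivy:latest` in the new securitycheck step pins nothing, so each run pulls whatever the registry currently serves under that tag; the same floating tag is used in the test.yml and web.yml hunks of this commit. For a step whose purpose is a supply-chain check, a fixed version tag (or a digest) makes results reproducible and keeps an upstream image change from silently altering or breaking the scan, with upgrades landing as explicit, reviewed commits. Both trivy invocations here also use `--exit-code 0`, so the docs scan can never fail the pipeline; the TODO says why, but it does not say what must become true before the second command can move to `--exit-code 1` as test.yml and web.yml already do, e.g. `# TODO(security): switch to --exit-code 1 once the unfixable docs/ findings are resolved or listed in .trivyignore`. The enclosing `pipeline:` mapping starts outside this hunk.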
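Review bot: The blocking `--exit-code 1` scan of `.` makes the step's outcome depend on the vulnerability database trivy fetches at run time rather than on the commit under test, so a newly published advisory for an already-present Go dependency will start failing every pipeline, including pull requests that touch nothing related, until the dependency is bumped. That is a reasonable policy, but it should be written down next to the command, e.g. `# MEDIUM+ findings fail the build even if introduced by a new advisory; fix by upgrading the dependency or add an entry to .trivyignore`, and `--ignore-unfixed` is worth considering if findings without an upstream fix prove common. The step only runs under `when: path: *when_path`, whose definition is outside this hunk; if that list does not cover `go.mod`/`go.sum`, a dependency bump would not trigger the scan that is meant to gate it — worth confirming. Presumably the database is downloaded afresh in every run of this container, which adds latency to the `test` group; a cache step or `--cache-dir` on a persisted volume would avoid that.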
@@ -40,6 +42,15 @@ pipeline:
 when:
 path: *when_path
+ securitycheck:
+ group: test
+ image: aquasec/trivy:latest
+ commands:
+ - trivy fs --exit-code 0 --skip-dirs node_modules/ --severity UNKNOWN,LOW web/
+ - trivy fs --exit-code 1 --skip-dirs node_modules/ --severity MEDIUM,HIGH,CRITICAL web/
+ when:
+ path: *when_path
+
 test:
 group: test
 image: *node_image
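Review bot: The two trivy commands differ only in `--severity` and `--exit-code`, and nothing in the hunk says why the tree is scanned twice; unlike the docs.yml hunk there is no comment, so a reader may "simplify" them into one call and lose the report-only tier. A one-line comment above `commands:` would fix that, e.g. `# UNKNOWN/LOW findings are reported only; MEDIUM and above fail the step`. `--skip-dirs node_modules/` is presumably matched relative to the `web/` scan root, which means a nested `node_modules` deeper in the tree (the docs.yml hunk needed a second `--skip-dirs` for exactly that case) would still be traversed — confirm against the layout of `web/`. The enclosing `pipeline:` mapping starts outside this hunk.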