Tanvir Shahid

Simple pre-commit hook to secure container code

Synopsis: If you compare an application to a human body, the code is the flesh, blood and brain, while the infrastructure (hardware) is the heart, skeleton and veins. Nowadays we rarely need to think about infrastructure, since it is mostly handled by GCP, AWS, Azure, DigitalOcean and so on. For a healthier code base it is therefore important to boost the immune system of your code, because toxins and infections are inevitable. A "protein" like GCP container scanning becomes somewhat expensive if you frequently build your staging environment and push the container into a container registry for testing.

A Simple Solution: Trivy is a vulnerability scanner for container images, file systems, git repositories and Docker configuration files. It is open source and easy to install on almost any OS distribution. A simple pre-commit hook script in your git repo can scan your complete code base and print a nice ASCII report in your terminal, like the ones below:

[Image: Trivy severity report for a Go binary]
[Image: Trivy severity report for a Dockerfile]

Pre-commit Hook Script (a Few Lines):

Save the file in your git repo as .git/hooks/pre-commit and make it executable by running chmod +x .git/hooks/pre-commit, just in case.

#!/bin/sh
# FYI, bash is not compatible with Windows OS :)
# Check for trivy and install it if it is missing
if ! [ -x "$(command -v trivy)" ]; then
    curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
fi
# Scan the working tree for vulnerabilities and misconfigurations.
# --exit-code 1 makes trivy return non-zero when it finds something, which is
# what actually blocks the commit; without it trivy exits 0 and the hook only
# prints the report.
trivy fs --exit-code 1 --security-checks vuln,config ./
exit $?
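If you want more control than a flat "block on anything" rule, you can have the hook write Trivy's JSON output and pipe it into a small policy gate. The script below is an added example, not part of the original post or of Trivy itself; it assumes the top-level shape of `trivy fs --format json` output (a `Results` list whose entries carry `Target`, `Vulnerabilities` with `VulnerabilityID`/`Severity`, and `Misconfigurations` with `ID`/`Severity`), and it embeds a constructed sample report with placeholder CVE and check IDs so it runs without Trivy installed.

```python
import json
import sys
from collections import Counter

# Constructed sample in the shape of `trivy fs --format json` output.
# The schema fields used here are assumed; the IDs are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "bin/app",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example.org/lib", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example.org/lib", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example.org/other", "Severity": "LOW"},
            ],
        },
        {
            "Target": "Dockerfile",
            "Type": "dockerfile",
            "Misconfigurations": [
                {"ID": "DS-EXAMPLE-001", "Title": "container runs as root", "Severity": "HIGH"},
                {"ID": "DS-EXAMPLE-002", "Title": "no HEALTHCHECK", "Severity": "LOW"},
            ],
        },
    ]
})

# Ordering used to compare a finding against the configured threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def collect_findings(report_json):
    """Flatten vulnerabilities and misconfigurations from every target into one list."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        target = result.get("Target", "?")
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({"target": target, "kind": "vuln",
                             "id": vuln["VulnerabilityID"],
                             "severity": vuln.get("Severity", "UNKNOWN").upper()})
        for misconf in result.get("Misconfigurations") or []:
            findings.append({"target": target, "kind": "misconfig",
                             "id": misconf["ID"],
                             "severity": misconf.get("Severity", "UNKNOWN").upper()})
    return findings


def evaluate(findings, threshold="HIGH", accepted=frozenset()):
    """Split findings into those that block the commit and a per-severity count.

    A finding blocks when its severity is at or above `threshold` and its ID is not
    in `accepted` (a reviewed, explicitly accepted risk). Accepted findings still show
    up in the summary so they are not silently forgotten.
    """
    min_rank = SEVERITY_RANK[threshold]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f["severity"], 0) >= min_rank and f["id"] not in accepted]
    summary = Counter(f["severity"] for f in findings)
    return blocking, summary


def gate(report_json, threshold="HIGH", accepted=frozenset()):
    """Return the hook's exit code: 0 lets the commit through, 1 blocks it."""
    blocking, summary = evaluate(collect_findings(report_json), threshold, accepted)
    for f in blocking:
        print(f"BLOCK {f['severity']:<8} {f['kind']:<9} {f['id']} in {f['target']}")
    print("summary:", dict(summary))
    return 1 if blocking else 0


if __name__ == "__main__":
    # Hook usage (assumed wiring, not from the post):
    #   trivy fs --format json --security-checks vuln,config ./ | python3 trivy_gate.py
    # With no piped input the constructed sample is evaluated instead.
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate(data, threshold="HIGH", accepted=frozenset({"CVE-0000-0002"})))
```

The accepted-ID set is the place to record findings a reviewer has consciously signed off on; keeping it in the script (or a checked-in file it reads) means the exception is versioned next to the code it applies to, and the summary line still reports the accepted findings on every run.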

Done! Happy coding.
