Simple pre-commit hook to secure container code
Synopsis: If you compare an application with a human body, the code is the flesh, blood and brain, while the infrastructure (hardware) is the heart, skeleton and veins. Nowadays we rarely have to think about the infrastructure, since it is mostly handled by GCP, AWS, Azure, DigitalOcean and the like. For a healthy code base, then, what matters is boosting the immune system of your code, because toxins and infections are inevitable. Managed scanners such as GCP container scanning are the expensive kind of protein: they cost money for every image you push, which adds up quickly if you rebuild your staging environment and push the container to the registry for testing several times a day.
A simple solution: Trivy is an open-source vulnerability scanner for container images, filesystems, git repositories and infrastructure-as-code files such as Dockerfiles and Kubernetes manifests, and it installs easily on almost any OS. A short pre-commit hook in your git repo can run trivy fs against the working tree, which checks dependency lock files for known vulnerabilities and Dockerfiles and manifests for misconfigurations, and prints a readable ASCII table report in your terminal before the commit goes in. One detail such a hook has to get right: trivy exits 0 by default even when it reports findings, so the hook must pass --exit-code 1 if it is meant to block the commit rather than just print a report.
Pre-commit hook script (a few lines):
Save the following as .git/hooks/pre-commit in your repo and make it executable with chmod +x .git/hooks/pre-commit (git silently ignores a hook without the execute bit). Keep in mind that .git/hooks is not part of the repository, so every clone has to install the hook separately; to commit a hook alongside the code, put it in a tracked directory and point core.hooksPath at that directory.
#!/bin/sh
# Pre-commit hook: scan the working tree with Trivy before every commit.
# This is a POSIX sh script; it will not run as-is on Windows.

# Install trivy if it is missing. curl itself does not need root, only the copy
# into /usr/local/bin does. Piping a remote script into sudo from a git hook is a
# trust decision: review install.sh first, or preinstall trivy and drop this block.
if ! [ -x "$(command -v trivy)" ]; then
  curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
    | sudo sh -s -- -b /usr/local/bin || exit 1
fi

# --exit-code 1 makes trivy return non-zero when it finds something, which is
# what actually blocks the commit; without it the hook always passes.
# Newer Trivy releases spell this flag --scanners vuln,misconfig instead of
# --security-checks vuln,config.
trivy fs --security-checks vuln,config --exit-code 1 ./
exit $?
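As an added example, not the script from the original post, here is the same hook written to live inside the repository so it is versioned with the code, with three changes a practitioner would want: it never installs anything from a git hook (a missing scanner fails the commit with a message instead of running curl | sudo sh), it passes --exit-code 1 so findings actually block the commit, and its functions can be exercised without a real scanner. It assumes Trivy's current flag names (--scanners vuln,misconfig; older releases used --security-checks vuln,config) and enabling it once per clone with `git config core.hooksPath .githooks`. The TRIVY_BIN and TRIVY_SEVERITY variables are hypothetical knobs of this script, not Trivy settings.

```shell
#!/bin/sh
# .githooks/pre-commit
# Added example, not the original post's hook. Enable per clone with:
#   git config core.hooksPath .githooks
#
# Assumptions (not from the original post):
#   - Trivy >= 0.50 flag names (--scanners vuln,misconfig); older releases
#     used --security-checks vuln,config.
#   - TRIVY_BIN / TRIVY_SEVERITY are knobs of this script only.

TRIVY_BIN="${TRIVY_BIN:-trivy}"
TRIVY_SEVERITY="${TRIVY_SEVERITY:-HIGH,CRITICAL}"

# Locate the scanner. A hook should fail loudly rather than curl|sudo sh:
# returns 0 if found, 127 (command not found) otherwise.
find_trivy() {
    if command -v "$TRIVY_BIN" >/dev/null 2>&1; then
        return 0
    fi
    echo "pre-commit: '$TRIVY_BIN' not found; install Trivy and retry" >&2
    return 127
}

# Scan a directory and return trivy's exit status: 0 when clean, 1 when any
# finding at or above TRIVY_SEVERITY exists (that is what --exit-code 1 does),
# other values for scanner errors such as a missing vulnerability database.
run_scan() {
    target="${1:-.}"
    "$TRIVY_BIN" fs \
        --scanners vuln,misconfig \
        --severity "$TRIVY_SEVERITY" \
        --exit-code 1 \
        "$target"
}

# Hook entry point: a non-zero exit here aborts the commit.
main() {
    find_trivy || exit $?
    if run_scan .; then
        echo "pre-commit: trivy found no $TRIVY_SEVERITY issues" >&2
    else
        status=$?
        echo "pre-commit: trivy exited $status; commit blocked" >&2
        echo "pre-commit: use 'git commit --no-verify' only for a documented exception" >&2
        exit "$status"
    fi
}

# Run main only when executed as the hook itself. Sourcing the file (as a
# self-test does) just defines the functions without scanning anything.
case "$(basename -- "$0")" in
    pre-commit) main "$@" ;;
esac
```

To check that the hook really blocks, point TRIVY_BIN at a stub that exits 1 and confirm run_scan propagates the failure; once that passes, commit a deliberately bad Dockerfile (for example one that stays as root) to see the real scanner's report in the terminal.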
Done! Happy coding.