hastebin/scripts/README.md


# Scripts
This directory contains utility scripts for the Hastebin project.
## Git Hooks Installation
### `install-git-hooks.sh`
Installs a Git pre-commit hook so that broken code is never committed (and so never pushed). The hook runs the core tests before each commit and aborts the commit if they fail.
**Usage:**
```bash
./scripts/install-git-hooks.sh
```
**What it does:**
1. Creates a pre-commit hook in `.git/hooks/pre-commit`
2. The hook runs `npm run test:core` before each commit
3. If tests fail, the commit is aborted
4. Automatically installs dependencies if `node_modules` is missing
**Skipping the hook:**
If you need to skip the pre-commit hook (not recommended), use:
```bash
git commit --no-verify
```
**Note:** The hook runs core tests only (faster than the full test suite) to keep commit times reasonable. Full tests are still run in CI/CD via Woodpecker.
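The four steps above, as an added example: this is not the project's `install-git-hooks.sh`, but a POSIX `sh` installer that does the same job. It assumes the hook directory is whatever `git rev-parse --git-path hooks` reports (which also works inside worktrees), that `npm run test:core` is the core test command, and that a missing `node_modules` should trigger `npm install`.

```shell
#!/bin/sh
# Added example (not the project's install-git-hooks.sh): installs a pre-commit
# hook that runs `npm run test:core`, installing node_modules first if missing,
# and aborts the commit on failure.
set -eu

# The hook body, kept in a function so it can be inspected and tested.
hook_body() {
  cat <<'EOF'
#!/bin/sh
# Pre-commit hook: run the core test suite; a non-zero exit aborts the commit.
set -e
if [ ! -d node_modules ]; then
  echo "pre-commit: node_modules missing, running npm install" >&2
  npm install
fi
if ! npm run test:core; then
  echo "pre-commit: core tests failed, commit aborted (git commit --no-verify skips this)" >&2
  exit 1
fi
EOF
}

# Write the hook into hook directory $1 and make it executable.
# Returns 1 (without writing anything) if $1 is not a directory.
install_pre_commit_hook() {
  hook_dir="$1"
  [ -d "$hook_dir" ] || { echo "no hook directory: $hook_dir" >&2; return 1; }
  hook_body > "$hook_dir/pre-commit"
  chmod +x "$hook_dir/pre-commit"
  echo "installed $hook_dir/pre-commit"
}

# Only install when run as a script from inside a repository (not when sourced).
if [ "${0##*/}" = "install-git-hooks.sh" ]; then
  install_pre_commit_hook "$(git rev-parse --git-path hooks)"
fi
```

Run it from the repository root as `./scripts/install-git-hooks.sh`; because the hook file is regenerated on every run, re-running the installer after changing `hook_body` updates an existing hook in place.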
## Security Scanning
### SBOM Generation
#### `scan-sbom.sh`
Generates a Software Bill of Materials (SBOM) for the source code using Syft. Creates SBOM files in multiple formats (table, SPDX JSON, CycloneDX JSON).
**Usage:**
```bash
./scripts/scan-sbom.sh
# or
npm run scan:sbom
```
**Output files:**
- `sbom.txt` - Human-readable table format
- `sbom.spdx.json` - SPDX JSON format
- `sbom.cyclonedx.json` - CycloneDX JSON format
**Requirements:**
- Syft (automatically installed if not present)
### Trivy Security Scans
#### `scan-trivy-fs.sh`
Runs a Trivy filesystem scan to detect vulnerabilities in the codebase and misconfigurations in the Dockerfile.
**Usage:**
```bash
./scripts/scan-trivy-fs.sh
# or
npm run scan:trivy
```
**What it scans:**
- Filesystem for vulnerabilities (HIGH and CRITICAL severity)
- Dockerfile for misconfigurations
- Reports findings but doesn't fail (exit code 0)
**Requirements:**
- Trivy installed (`brew install trivy` or see [Trivy installation guide](https://aquasecurity.github.io/trivy/latest/getting-started/installation/))
#### `scan-trivy-image.sh`
Builds the Docker image and scans it for vulnerabilities using Trivy.
**Usage:**
```bash
./scripts/scan-trivy-image.sh [image-name]
# or
npm run scan:trivy:image
```
**Default image name:** `hastebin:test`
**What it does:**
1. Builds the Docker image
2. Scans the image for vulnerabilities (HIGH and CRITICAL severity)
3. Fails if unfixed vulnerabilities are found (exit code 1)
**Requirements:**
- Docker
- Trivy installed
### Image SBOM Generation
#### `scan-sbom-image.sh`
Builds the Docker image and generates an SBOM for it.
**Usage:**
```bash
./scripts/scan-sbom-image.sh [image-name]
# or
npm run scan:sbom:image
```
**Default image name:** `hastebin:test`
**Output files:**
- `sbom-image.txt` - Human-readable table format
- `sbom-image.spdx.json` - SPDX JSON format
- `sbom-image.cyclonedx.json` - CycloneDX JSON format
**Requirements:**
- Docker
- Syft (automatically installed if not present)
### Running All Scans
To run both SBOM generation and Trivy filesystem scan:
```bash
npm run scan:all
```
This runs:
1. SBOM generation for source code
2. Trivy filesystem security scan
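The scans described in this section (`scan-sbom.sh`, `scan-trivy-fs.sh`, `scan-trivy-image.sh`, `scan-sbom-image.sh` and `npm run scan:all`), as one added example. This is not the project's own `scan-*.sh` code; it is a single POSIX `sh` file with one function per scan, using the Syft and Trivy command lines a practitioner would reach for. Assumptions: the image name defaults to `hastebin:test` (overridable by an optional argument or the `IMAGE` variable), Syft is installed into `./bin` with the upstream installer when absent (optionally pinned via `SYFT_VERSION`), Trivy is expected to be present, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the project's scan-*.sh scripts: source SBOM, image SBOM,
# Trivy filesystem scan, Trivy image scan, and an "all" target mirroring
# `npm run scan:all`. Assumes IMAGE (default hastebin:test), BIN_DIR (./bin)
# for a locally installed Syft, optional SYFT_VERSION, and DRY_RUN=1 for
# printing commands instead of executing them.
set -eu

IMAGE="${IMAGE:-hastebin:test}"
BIN_DIR="${BIN_DIR:-$PWD/bin}"
export PATH="$BIN_DIR:$PATH"

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Install Syft into BIN_DIR with the upstream installer if it is not on PATH.
ensure_syft() {
  command -v syft >/dev/null 2>&1 && return 0
  [ "${DRY_RUN:-0}" = 1 ] && return 0
  mkdir -p "$BIN_DIR"
  curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \
    | sh -s -- -b "$BIN_DIR" ${SYFT_VERSION:+"$SYFT_VERSION"}
}

# Trivy is not auto-installed: stop with a pointer to the install guide.
require_trivy() {
  [ "${DRY_RUN:-0}" = 1 ] && return 0
  command -v trivy >/dev/null 2>&1 || {
    echo "trivy not found: brew install trivy, or see the Trivy installation guide" >&2
    return 1
  }
}

# SBOM of source $1 (a Syft source such as dir:. or an image reference) into
# three files with prefix $2: table, SPDX JSON and CycloneDX JSON.
sbom() {
  ensure_syft
  run syft "$1" \
    -o "table=$2.txt" \
    -o "spdx-json=$2.spdx.json" \
    -o "cyclonedx-json=$2.cyclonedx.json"
}

# Source-code SBOM: sbom.txt, sbom.spdx.json, sbom.cyclonedx.json
scan_sbom() { sbom "dir:." sbom; }

# Build the image, then SBOM it: sbom-image.txt, sbom-image.spdx.json, ...
scan_sbom_image() {
  image="${1:-$IMAGE}"
  run docker build -t "$image" .
  sbom "$image" sbom-image
}

# Filesystem scan: HIGH/CRITICAL vulnerabilities plus Dockerfile
# misconfigurations; reports only (exit code 0), so it never blocks a local run.
scan_trivy_fs() {
  require_trivy
  run trivy fs --scanners vuln,misconfig --severity HIGH,CRITICAL --exit-code 0 .
}

# Build the image, then scan it; exit code 1 on HIGH/CRITICAL findings.
scan_trivy_image() {
  image="${1:-$IMAGE}"
  require_trivy
  run docker build -t "$image" .
  run trivy image --severity HIGH,CRITICAL --exit-code 1 "$image"
}

# Same sequence as `npm run scan:all`: source SBOM, then filesystem scan.
scan_all() { scan_sbom; scan_trivy_fs; }

case "${1:-}" in
  sbom)        scan_sbom ;;
  sbom-image)  scan_sbom_image "${2:-}" ;;
  trivy-fs)    scan_trivy_fs ;;
  trivy-image) scan_trivy_image "${2:-}" ;;
  all)         scan_all ;;
  "")          ;;  # no argument: only define the functions (e.g. when sourced)
  *) echo "usage: $0 {sbom|sbom-image|trivy-fs|trivy-image|all} [image-name]" >&2; exit 2 ;;
esac
```

`DRY_RUN=1 ./scan.sh trivy-image` shows exactly which `docker build` and `trivy image` invocations would run, which is the quickest way to confirm the severity filter and exit-code policy before wiring the script into a pipeline. The two Trivy functions differ only in `--exit-code`: the filesystem scan is informational, while the image scan is meant to gate a build.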