139 lines
3.0 KiB
Markdown
# Scripts

This directory contains utility scripts for the Hastebin project.

## Git Hooks Installation

### `install-git-hooks.sh`

Installs a Git pre-commit hook so that broken code is not committed (and therefore not pushed). The hook runs the core tests before each commit.

**Usage:**

```bash
./scripts/install-git-hooks.sh
```

**What it does:**

1. Creates a pre-commit hook in `.git/hooks/pre-commit`
2. The hook runs `npm run test:core` before each commit
3. If the tests fail, the commit is aborted
4. Automatically installs dependencies if `node_modules` is missing

**Skipping the hook:**

If you need to skip the pre-commit hook (not recommended), use:

```bash
git commit --no-verify
```

**Note:** The hook runs only the core tests (faster than the full test suite) to keep commit times reasonable. The full test suite still runs in CI/CD via Woodpecker.

## Security Scanning

### SBOM Generation

#### `scan-sbom.sh`

Generates a Software Bill of Materials (SBOM) for the source code using Syft. It writes the SBOM in multiple formats (table, SPDX JSON, CycloneDX JSON).

**Usage:**

```bash
./scripts/scan-sbom.sh
# or
npm run scan:sbom
```

**Output files:**

- `sbom.txt` - Human-readable table format
- `sbom.spdx.json` - SPDX JSON format
- `sbom.cyclonedx.json` - CycloneDX JSON format

**Requirements:**

- Syft (automatically installed if not present)

### Trivy Security Scans

#### `scan-trivy-fs.sh`

Runs a Trivy filesystem scan to detect vulnerabilities and misconfigurations in the codebase and the Dockerfile.

**Usage:**

```bash
./scripts/scan-trivy-fs.sh
# or
npm run scan:trivy
```

**What it scans:**

- Filesystem for vulnerabilities (HIGH and CRITICAL severity)
- Dockerfile for misconfigurations
- Reports findings but does not fail the run (exit code 0)

**Requirements:**

- Trivy installed (`brew install trivy` or see the [Trivy installation guide](https://aquasecurity.github.io/trivy/latest/getting-started/installation/))

#### `scan-trivy-image.sh`

Builds the Docker image and scans it for vulnerabilities using Trivy.

**Usage:**

```bash
./scripts/scan-trivy-image.sh [image-name]
# or
npm run scan:trivy:image
```

**Default image name:** `hastebin:test`

**What it does:**

1. Builds the Docker image
2. Scans the image for vulnerabilities (HIGH and CRITICAL severity)
3. Fails if unfixed vulnerabilities are found (exit code 1)

**Requirements:**

- Docker
- Trivy installed

### Image SBOM Generation

#### `scan-sbom-image.sh`

Builds the Docker image and generates an SBOM for it.

**Usage:**

```bash
./scripts/scan-sbom-image.sh [image-name]
# or
npm run scan:sbom:image
```

**Default image name:** `hastebin:test`

**Output files:**

- `sbom-image.txt` - Human-readable table format
- `sbom-image.spdx.json` - SPDX JSON format
- `sbom-image.cyclonedx.json` - CycloneDX JSON format

**Requirements:**

- Docker
- Syft (automatically installed if not present)

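
The `sbom.cyclonedx.json` and `sbom-image.cyclonedx.json` files produced by the two Syft scripts above are most useful side by side: the image SBOM also contains the base image's OS packages, which never appear in the source SBOM but are exactly what the Trivy image scan reports on. The following is an added example, not a script from the Hastebin repository: it indexes two CycloneDX JSON documents by purl and lists what the image adds beyond the source dependencies. The two SBOMs embedded here are constructed samples, not Syft output; for real use, pass the contents of the two files instead.

```python
import json
from collections import defaultdict

# Constructed sample SBOMs (not Syft output): the source SBOM lists only npm
# packages, the image SBOM also carries the base image's OS (apk) packages.
SOURCE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "winston", "version": "3.11.0", "purl": "pkg:npm/winston@3.11.0"},
    ],
})
IMAGE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "winston", "version": "3.11.0", "purl": "pkg:npm/winston@3.11.0"},
        {"type": "library", "name": "openssl", "version": "3.1.4-r5", "purl": "pkg:apk/alpine/openssl@3.1.4-r5"},
        {"type": "library", "name": "musl", "version": "1.2.4-r2", "purl": "pkg:apk/alpine/musl@1.2.4-r2"},
        {"type": "library", "name": "npm", "version": "10.2.4", "purl": "pkg:npm/npm@10.2.4"},
    ],
})

def load_components(sbom_json):
    """Index a CycloneDX JSON document's components by purl (fallback: name@version)."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    index = {}
    for comp in doc.get("components", []):
        key = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        index[key] = comp
    return index

def purl_type(purl):
    """Package ecosystem of a purl: 'pkg:apk/alpine/openssl@3.1.4-r5' -> 'apk'."""
    return purl.split(":", 1)[1].split("/", 1)[0] if purl.startswith("pkg:") else "unknown"

def image_only_components(source_json, image_json):
    """Return {ecosystem: sorted purls} for components in the image SBOM but not the source SBOM."""
    source, image = load_components(source_json), load_components(image_json)
    extra = defaultdict(list)
    for key in image:
        if key not in source:
            extra[purl_type(key)].append(key)
    return {ptype: sorted(purls) for ptype, purls in extra.items()}

if __name__ == "__main__":
    for ptype, purls in sorted(image_only_components(SOURCE_SBOM, IMAGE_SBOM).items()):
        print(f"{ptype}: {len(purls)} component(s) only in the image:", ", ".join(purls))
```

Anything listed under `apk` (or `deb`) comes from the base image rather than from `package.json`, so a finding there is fixed by rebuilding on a newer base image, not by bumping an npm dependency.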
### Running All Scans

To run both SBOM generation and the Trivy filesystem scan:

```bash
npm run scan:all
```

This runs:

1. SBOM generation for the source code
2. Trivy filesystem security scan