hastebin/scripts
Colin 618a2c1ff7
ci/woodpecker/push/woodpecker: Pipeline failed
Security improvements and local testing scripts
- Fix Dockerfile to run as non-root user (node) for security
- Fix phonetic key generator to always start with consonant (test fix)
- Add local security scanning scripts (SBOM, Trivy)
- Update test script to exclude security tests from mocha
- Add npm scripts for security scans
- Update .gitignore for generated files
- Update Woodpecker CI to use modern Trivy syntax and push images
2026-01-21 10:21:55 -05:00
Files in this directory:

README.md
install-git-hooks.sh
scan-sbom-image.sh
scan-sbom.sh
scan-trivy-fs.sh
scan-trivy-image.sh

README.md

Scripts

This directory contains utility scripts for the Hastebin project.

Git Hooks Installation

install-git-hooks.sh

Installs a Git pre-commit hook so that broken code is not committed (and therefore never pushed). The hook runs the core tests before each commit.

Usage:

./scripts/install-git-hooks.sh

What it does:

  1. Creates a pre-commit hook in .git/hooks/pre-commit
  2. The hook runs npm run test:core before each commit
  3. If tests fail, the commit is aborted
  4. Automatically installs dependencies if node_modules is missing

Skipping the hook:

If you need to skip the pre-commit hook (not recommended), use:

git commit --no-verify

Note: The hook runs core tests only (faster than the full test suite) to keep commit times reasonable. Full tests are still run in CI/CD via Woodpecker.
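The hook described in the steps above, written out as an added example rather than the project's own install-git-hooks.sh. The optional hooks-directory argument and the backup of a pre-existing hook are assumptions of this example, not features the README documents.

```shell
#!/bin/sh
# Added example (not the project's install-git-hooks.sh): writes a pre-commit
# hook that installs dependencies when node_modules is missing and aborts the
# commit when `npm run test:core` fails.
set -eu

# install_precommit_hook [hooks-dir]
#   hooks-dir defaults to .git/hooks (assumption: run from the repo root).
#   Prints the path of the installed hook.
install_precommit_hook() {
    hooks_dir="${1:-.git/hooks}"
    hook="$hooks_dir/pre-commit"
    mkdir -p "$hooks_dir"

    # Keep any hook that is already there instead of silently overwriting it
    # (assumption: a .bak copy is an acceptable place for it).
    if [ -e "$hook" ]; then
        mv "$hook" "$hook.bak"
    fi

    cat > "$hook" <<'EOF'
#!/bin/sh
# pre-commit hook: run the core tests and abort the commit if they fail.
# Bypass (not recommended): git commit --no-verify
set -e

# Step 4: install dependencies if node_modules is missing.
if [ ! -d node_modules ]; then
    echo "pre-commit: node_modules missing, running npm install" >&2
    npm install
fi

# Steps 2-3: the hook's exit status is the test run's exit status;
# a non-zero status makes git abort the commit.
npm run test:core
EOF

    chmod +x "$hook"
    printf '%s\n' "$hook"
}

# Uncomment to install into the current repository:
# install_precommit_hook
```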

Security Scanning

SBOM Generation

scan-sbom.sh

Generates a Software Bill of Materials (SBOM) for the source code using Syft. Creates SBOM files in multiple formats (table, SPDX JSON, CycloneDX JSON).

Usage:

./scripts/scan-sbom.sh
# or
npm run scan:sbom

Output files:

  • sbom.txt - Human-readable table format
  • sbom.spdx.json - SPDX JSON format
  • sbom.cyclonedx.json - CycloneDX JSON format

Requirements:

  • Syft (automatically installed if not present)

Trivy Security Scans

scan-trivy-fs.sh

Runs a Trivy filesystem security scan to detect vulnerabilities and misconfigurations in the codebase and Dockerfile.

Usage:

./scripts/scan-trivy-fs.sh
# or
npm run scan:trivy

What it scans:

  • Filesystem for vulnerabilities (HIGH and CRITICAL severity)
  • Dockerfile for misconfigurations
  • Reports findings without failing the run (exit code 0)

Requirements:

  • Trivy installed

scan-trivy-image.sh

Builds the Docker image and scans it for vulnerabilities using Trivy.

Usage:

./scripts/scan-trivy-image.sh [image-name]
# or
npm run scan:trivy:image

Default image name: hastebin:test

What it does:

  1. Builds the Docker image
  2. Scans the image for vulnerabilities (HIGH and CRITICAL severity)
  3. Fails if unfixed vulnerabilities are found (exit code 1)

Requirements:

  • Docker
  • Trivy installed

Image SBOM Generation

scan-sbom-image.sh

Builds the Docker image and generates an SBOM for it.

Usage:

./scripts/scan-sbom-image.sh [image-name]
# or
npm run scan:sbom:image

Default image name: hastebin:test

Output files:

  • sbom-image.txt - Human-readable table format
  • sbom-image.spdx.json - SPDX JSON format
  • sbom-image.cyclonedx.json - CycloneDX JSON format

Requirements:

  • Docker
  • Syft (automatically installed if not present)

Running All Scans

To run both SBOM generation and Trivy filesystem scan:

npm run scan:all

This runs:

  1. SBOM generation for source code
  2. Trivy filesystem security scan