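# Scan and report on the $(IMAGE) container image with Trivy locally, and
# render/validate the Kubernetes manifests for it. All knobs use ?= so they can
# be overridden from the environment or the command line.
IMAGE_NAME ?= sadminriley/python-test
# NOTE(review): "latest" is a moving tag, so two scans may inspect different
# images; pin IMAGE_TAG (or use a digest) when reproducible CI results matter.
IMAGE_TAG ?= latest
# Deliberately recursive: IMAGE follows later overrides of IMAGE_NAME/IMAGE_TAG.
IMAGE ?= $(IMAGE_NAME):$(IMAGE_TAG)
# Severities Trivy reports (and, in scan-ci, fails) on. LOW and UNKNOWN may be
# added if desired. The comment lives on its own line on purpose: a trailing
# "# comment" on an assignment leaves the whitespace before the '#' inside the
# value.
TRIVY_SEVERITY ?= HIGH,CRITICAL,MEDIUM
# Where scan-json writes its report.
REPORT_DIR ?= reports
# Kubernetes templating: envsubst input templates and rendered output.
K8S_DIR ?= ops
TEMPLATED_DIR ?= rendered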
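# Every target in this file is a command, not a file it produces, so each must
# be phony or a same-named file in the working tree would silently make it
# "up to date". The list matches the rules actually defined below.
.PHONY: help scan scan-json scan-ci rebuild clean render-kube-tpl validate-k8s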
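# Print the target list and the effective values of the main knobs.
help:
	@echo "Available commands:"
	@echo " scan - Scan image for CVE vulnerabilities"
	@echo " scan-json - Scan image and generate JSON report"
	@echo " scan-ci - Scan image and fail (exit 1) on findings at TRIVY_SEVERITY"
	@echo " rebuild - Rebuilds image after fixing requirements.txt"
	@echo " clean - Runs rm -rf on outputted json report from scan-json and rendered/ dir for k8s templates"
	@echo " render-kube-tpl - Render Kubernetes templates using envsubst"
	@echo " validate-k8s - Validate rendered manifests against a live cluster. Dry run only"
	@echo ""
	@echo "Defaults:"
	@echo " IMAGE=$(IMAGE)"
	@echo " TRIVY_SEVERITY=$(TRIVY_SEVERITY)"
	@echo " REPORT_DIR=$(REPORT_DIR)"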
# Print Trivy's human-readable findings for $(IMAGE) to the terminal, limited
# to the severities in $(TRIVY_SEVERITY). No --exit-code is passed, so unlike
# scan-ci the target is not meant to fail on findings.
# NOTE(review): $(REPORT_DIR) is created here although this target writes
# nothing into it (only scan-json does) — confirm whether that is intended.
scan:
	@mkdir -p $(REPORT_DIR)
	trivy image --severity $(TRIVY_SEVERITY) $(IMAGE)
# Scan $(IMAGE) and store the findings at $(TRIVY_SEVERITY) as JSON under
# $(REPORT_DIR). Each run overwrites the previous trivy-report.json.
scan-json:
	@mkdir -p $(REPORT_DIR)
	trivy image --format json --output $(REPORT_DIR)/trivy-report.json --severity $(TRIVY_SEVERITY) $(IMAGE)
	@echo "JSON report written to $(REPORT_DIR)/trivy-report.json"
# Gate for pipelines: --exit-code 1 makes trivy return non-zero when it finds
# anything at $(TRIVY_SEVERITY), which fails this target and the CI job running
# it. Nothing is written to disk.
scan-ci:
	trivy image --exit-code 1 --severity $(TRIVY_SEVERITY) $(IMAGE)
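# Rebuild $(IMAGE) from the Dockerfile in the current directory. --no-cache
# forces every layer to be rebuilt, so the dependency install picks up the
# corrected requirements.txt instead of a cached layer.
rebuild:
	@printf '%s\n\n' "Please ensure you have actually fixed the requirements.txt before rebuilding the docker image with no cache..."
	@echo "Rebuilding image $(IMAGE)..."
	docker build --no-cache -t $(IMAGE) .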
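# Remove everything scan-json and render-kube-tpl produce. The guard line
# aborts make before rm runs if either directory variable has been overridden
# to an empty value, which would otherwise drop an operand from `rm -rf`.
# `:` is the shell no-op, so the line does nothing when both are set.
clean:
	@: $(if $(strip $(REPORT_DIR)),,$(error REPORT_DIR is empty; refusing to run rm -rf))$(if $(strip $(TEMPLATED_DIR)),,$(error TEMPLATED_DIR is empty; refusing to run rm -rf))
	rm -rf $(REPORT_DIR) $(TEMPLATED_DIR)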
# Render $(K8S_DIR)/{deploy,service}.tpl.yaml into $(TEMPLATED_DIR)/*.yaml
# with envsubst. The loop exits on the first failed render so a broken
# template stops the build like the two separate commands would.
# NOTE(review): envsubst substitutes only variables present in its
# environment; nothing in this Makefile exports IMAGE or its parts, so a
# template referencing ${IMAGE} would render empty unless the caller exports
# it — confirm against the templates in $(K8S_DIR).
render-kube-tpl:
	@mkdir -p $(TEMPLATED_DIR)
	for t in deploy service; do \
		envsubst < $(K8S_DIR)/$$t.tpl.yaml > $(TEMPLATED_DIR)/$$t.yaml || exit 1; \
	done
# Re-render, then submit each manifest to the cluster as a server-side dry
# run: the API server validates and admits it without persisting anything.
# Needs a working kubeconfig; the loop stops at the first manifest rejected.
validate-k8s: render-kube-tpl
	for m in deploy service; do \
		kubectl apply --dry-run=server -f $(TEMPLATED_DIR)/$$m.yaml || exit 1; \
	done