integrate google/osv-scanner into drone ci pipeline 15 Mar 2023
in my drone ci pipeline i use the following step to run google’s osv-scanner and send an email if vulnerabilities have been found.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
steps:
# ....
- name: vulnerability scan
failure: ignore
image: anmalkov/osv-scanner
commands:
- osv=$(/root/osv-scanner --skip-git .) || status=$?
- |
test -z "$status" || sendmail -t -i -f $MAIL_FROM <<MAIL
From: $MAIL_FROM
To: $MAIL_RECIPIENTS
Subject: $MAIL_SUBJECT
$osv
MAIL
- echo "$osv"
environment:
SMTPHOST: "12.34.45.56:25"
MAIL_FROM: ci@example.com
MAIL_RECIPIENTS: security@example.com
MAIL_SUBJECT: "[ALERT] vulnerabilities in ${DRONE_REPO}"
#...
what this does:
- pull the anmalkov/osv-scanner container
- run
osv-scanner
and save the output or, on failure, save the return code - if the return code is not empty, thus vulnerablities have been found,
send the output to the email addresses in
$MAIL_RECIPIENTS
- echo the output
you’ll need to configure a proper SMTPHOST
and adjust the the other
environment variables.
note: the step configuration above will only notify you via email. to stop the pipeline you’ll need to make on of the commands produce a non-zero return code and remove the
failure: ignore
option.