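#!/usr/bin/env bash
#
# Build the testing grid with morph and scan the resulting nix closure with
# vulnix.
#
# Usage: vulnerability-scan OUTPUT
#   OUTPUT - file that receives the vulnix report (the report is also
#            written to stdout via tee).
#
# Exit status:
#   4 - `morph build` failed, or its last output line was not a nix store
#       path; the GitLab CI configuration treats 4 as non-recoverable.
#   Otherwise the status of the `vulnix | tee` pipeline (see the note above
#   the scan for why a failing vulnix is tolerated).
#
# `pipefail` is a bash feature that not every /bin/sh provides, hence the
# bash shebang.  `-u` turns a missing OUTPUT argument into a hard error
# instead of silently running `tee ""`.

set -xeuo pipefail

#
# `morph build ...` output is like
#
#   Selected 2/2 hosts (name filter:-0, limits:-0):
#             0: xx.xx.xx.xx (secrets: 1, health checks: 0)
#             1: yy.yy.yy.yy (secrets: 2, health checks: 0)
#
#   /nix/store/d7spc457nnzh0rnv0f5lh1q2j435j1b9-morph
#   nix result path:
#   /nix/store/d7spc457nnzh0rnv0f5lh1q2j435j1b9-morph
#
# Get the last line so we can scan it.
#

OUTPUT=${1:?usage: vulnerability-scan OUTPUT}

# Remove any scan-target left by an earlier run unconditionally.  A plain
# `[ -e scan-target ]` test is false for a dangling symlink (store path
# garbage-collected since the last run), which would leave the old link in
# place and make the `ln -s` below fail with "File exists".
rm -f -v -- scan-target

nix-shell --run '
set -eo pipefail

if morph_result=$(morph build morph/grid/testing/grid.nix 2>&1); then
  object=$(printf "%s\n" "$morph_result" | tail -n 1)

  # Only ever link a nix store path.  Anything else means the morph output
  # format changed, and we must not point scan-target at an arbitrary
  # location or hand it to the scanner.
  case "$object" in
    /nix/store/*) ;;
    *)
      printf "unexpected morph build output, last line: %s\n" "$object" >&2
      printf "%s\n" "$morph_result" >&2
      exit 4
      ;;
  esac

  ln -s -- "$object" scan-target
else
  printf "%s\n" "$morph_result" >&2

  # Signal to the GitLab CI configuration this is a non-recoverable failure.
  exit 4
fi
'

# vulnix exits with an error status if there are vulnerabilities.  We told
# GitLab to allow this by setting `allow_failure` to true in the GitLab CI
# config.

set +eo pipefail

nix-shell -p vulnix --run 'vulnix ./scan-target/' | tee "$OUTPUT"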