From 5364fe2991621af6dfb2211111edcd78773d4cef Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Mon, 15 Mar 2021 15:10:31 -0400
Subject: [PATCH] Try to run vulnix scans

---
 .gitlab-ci.yml              |  9 ++++++++-
 ci-tools/vulnerability-scan | 25 +++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100755 ci-tools/vulnerability-scan

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5cc2737b..37d7b15f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,9 +8,16 @@ unit-tests:
   script:
     - "nix-shell --run 'nix-build nixos/unit-tests.nix' && cat result"
 
+vulnerability-scan:
+  stage: "test"
+  script:
+    - "ci-tools/vulnerability-scan security-report.txt"
+  artifacts:
+    paths:
+      - "security-report.txt"
+
 system-tests:
   stage: "test"
   timeout: "3 hours"
   script:
     - "nix-shell --run 'nix-build nixos/system-tests.nix'"
-
diff --git a/ci-tools/vulnerability-scan b/ci-tools/vulnerability-scan
new file mode 100755
index 00000000..355fd31c
--- /dev/null
+++ b/ci-tools/vulnerability-scan
@@ -0,0 +1,25 @@
+#!/usr/bin/env sh
+
+#
+# `morph build ...` output is like
+#
+#   Selected 2/2 hosts (name filter:-0, limits:-0):
+#             0: xx.xx.xx.xx (secrets: 1, health checks: 0)
+#             1: yy.yy.yy.yy (secrets: 2, health checks: 0)
+#
+#   /nix/store/d7spc457nnzh0rnv0f5lh1q2j435j1b9-morph
+#   nix result path:
+#   /nix/store/d7spc457nnzh0rnv0f5lh1q2j435j1b9-morph
+#
+# Get the last line so we can scan it.
+#
+
+OUTPUT=$1
+
+rm -v scan-target
+nix-shell --run '
+object=$(morph build morph/grid/testing/grid.nix 2>&1 | tail -n 1)
+ln -s "$object" scan-target
+'
+
+nix-shell -p vulnix --run 'vulnix ./scan-target/' | tee "$OUTPUT"
-- 
GitLab