Add caddy-autogen app, tests, and agent policy updates
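--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$repo_root"
+
+status=0
+warnings=0
+enforce_risk_docs=0
+
+usage() {
+echo "Usage: $0 [--enforce-risk-docs]"
+}
+
+if [[ "${1:-}" == "--enforce-risk-docs" ]]; then
+enforce_risk_docs=1
+shift
+fi
+
+if [[ $# -ne 0 ]]; then
+usage
+exit 2
+fi
+
+if [[ ! -d Apps ]]; then
+echo "ERROR: Apps/ saknas"
+exit 1
+fi
+
+while IFS= read -r compose_file; do
+app_dir="$(dirname "$compose_file")"
+app_id="$(basename "$app_dir")"
+readme_file="$app_dir/README.md"
+
+if [[ "$app_id" == "_template" ]]; then
+continue
+fi
+
+if [[ ! -f "$readme_file" ]]; then
+echo "ERROR: $app_dir saknar README.md"
+status=1
+fi
+
+name_line="$(rg -n '^name:\s*[a-z0-9-]+\s*$' "$compose_file" || true)"
+if [[ -z "$name_line" ]]; then
+echo "ERROR: $compose_file saknar giltigt top-level 'name' (gemener + '-')"
+status=1
+fi
+
+if rg -n 'image:\s*[^[:space:]]+:latest\s*$' "$compose_file" >/dev/null; then
+echo "ERROR: $compose_file använder förbjuden image-tag ':latest'"
+status=1
+fi
+
+if ! rg -n '^x-casaos:\s*$' "$compose_file" >/dev/null; then
+echo "ERROR: $compose_file saknar top-level 'x-casaos'"
+status=1
+fi
+
+risk_items=()
+
+if rg -n '^\s*privileged:\s*true\s*$' "$compose_file" >/dev/null; then
+risk_items+=("privileged:true")
+fi
+if rg -n '^\s*network_mode:\s*host\s*$' "$compose_file" >/dev/null; then
+risk_items+=("network_mode:host")
+fi
+if rg -n '/var/run/docker.sock' "$compose_file" >/dev/null; then
+risk_items+=("docker.sock-mount")
+fi
+
+if [[ ${#risk_items[@]} -gt 0 ]]; then
+warnings=$((warnings + 1))
+echo "WARN: $compose_file använder högrisk-inställningar: ${risk_items[*]}"
+
+if [[ $enforce_risk_docs -eq 1 ]]; then
+if [[ ! -f "$readme_file" ]] || ! rg -n '^##\s+(Säkerhetsavvikelser|Security Exceptions)\s*$' "$readme_file" >/dev/null; then
+echo "ERROR: $app_dir har högrisk-inställningar men README.md saknar sektion '## Säkerhetsavvikelser' (eller '## Security Exceptions')"
+status=1
+fi
+fi
+fi
+done < <(find Apps -type f -name 'docker-compose.yaml' | sort)
+
+if [[ $status -ne 0 ]]; then
+echo "Validation FAILED"
+exit $status
+fi
+
+if [[ $warnings -gt 0 ]]; then
+echo "Validation OK with $warnings warning(s)"
+exit 0
+fi
+
+echo "Validation OK"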
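Review bot: The ':latest' check on the `image:` line only matches an unquoted, explicit tag, so `image: "nginx:latest"` passes (the closing quote defeats `:latest\s*$`) and an untagged `image: nginx`, which the container runtime resolves to `:latest` implicitly, is never flagged, while digest-pinned references are not distinguished from either. Extracting the image value and testing its last path segment closes both gaps, as in the rewrite below, which replaces the single `if rg -n 'image:…'` block inside the while loop (the loop is fully inside the hunk). The script also has no `command -v rg >/dev/null || { echo "ERROR: rg (ripgrep) saknas" >&2; exit 1; }` guard, so on a host without ripgrep the `:latest` and high-risk checks return 127 and read as "no match" while the `name`/`x-casaos` checks fail every file with a misleading message. Consider also matching `/run/docker.sock` alongside `/var/run/docker.sock` in the socket-mount check, since `/var/run` is commonly a symlink to `/run` and either spelling mounts the same socket.
```shell
# … unchanged: README.md and top-level 'name' checks …
# An untagged image ("image: nginx") is pulled as :latest just like an explicit
# ":latest", so both are rejected; quoted values ("nginx:latest") are handled
# too, and digest-pinned references (@sha256:) are accepted as immutable.
while IFS= read -r image_ref; do
image_ref=${image_ref//[\"\']/}        # strip YAML quotes
if [[ "$image_ref" == *@sha256:* ]]; then
continue
fi
last_segment="${image_ref##*/}"        # a registry:port lives before the last '/'
if [[ "$last_segment" != *:* || "$last_segment" == *:latest ]]; then
echo "ERROR: $compose_file använder förbjuden image-tag ':latest' (explicit eller via otaggad image): $image_ref"
status=1
fi
done < <(awk '$1 == "image:" { print $2 }' "$compose_file")
# … unchanged: x-casaos check and risk_items collection …
```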