Add CI/CD pipeline

.drone-manifest.yml

@@ -0,0 +1,22 @@
+image: happydomain/checker-ldap:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  - image: happydomain/checker-ldap:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
+    platform:
+      architecture: amd64
+      os: linux
+  - image: happydomain/checker-ldap:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
+    platform:
+      architecture: arm64
+      os: linux
+      variant: v8
+  - image: happydomain/checker-ldap:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm
+    platform:
+      architecture: arm
+      os: linux
+      variant: v7

.drone.yml

@@ -0,0 +1,187 @@
+---
+kind: pipeline
+type: docker
+name: build-amd64
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+  - name: checker build
+    image: golang:1-alpine
+    commands:
+      - apk add --no-cache git make
+      - make
+    environment:
+      CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
+      CGO_ENABLED: 0
+    when:
+      event:
+        exclude:
+          - tag
+
+  - name: checker build tag
+    image: golang:1-alpine
+    commands:
+      - apk add --no-cache git make
+      - make
+    environment:
+      CHECKER_VERSION: "${DRONE_SEMVER}"
+      CGO_ENABLED: 0
+    when:
+      event:
+        - tag
+
+  - name: publish on Docker Hub
+    image: plugins/docker
+    settings:
+      repo: happydomain/checker-ldap
+      auto_tag: true
+      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
+      dockerfile: Dockerfile
+      build_args:
+        - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+    when:
+      event:
+        exclude:
+          - tag
+
+  - name: publish on Docker Hub (tag)
+    image: plugins/docker
+    settings:
+      repo: happydomain/checker-ldap
+      auto_tag: true
+      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
+      dockerfile: Dockerfile
+      build_args:
+        - CHECKER_VERSION=${DRONE_SEMVER}
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+    when:
+      event:
+        - tag
+
+trigger:
+  branch:
+    exclude:
+      - renovate/*
+  event:
+    - cron
+    - push
+    - tag
+
+---
+kind: pipeline
+type: docker
+name: build-arm64
+
+platform:
+  os: linux
+  arch: arm64
+
+steps:
+  - name: checker build
+    image: golang:1-alpine
+    commands:
+      - apk add --no-cache git make
+      - make
+    environment:
+      CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
+      CGO_ENABLED: 0
+    when:
+      event:
+        exclude:
+          - tag
+
+  - name: checker build tag
+    image: golang:1-alpine
+    commands:
+      - apk add --no-cache git make
+      - make
+    environment:
+      CHECKER_VERSION: "${DRONE_SEMVER}"
+      CGO_ENABLED: 0
+    when:
+      event:
+        - tag
+
+  - name: publish on Docker Hub
+    image: plugins/docker
+    settings:
+      repo: happydomain/checker-ldap
+      auto_tag: true
+      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
+      dockerfile: Dockerfile
+      build_args:
+        - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+    when:
+      event:
+        exclude:
+          - tag
+
+  - name: publish on Docker Hub (tag)
+    image: plugins/docker
+    settings:
+      repo: happydomain/checker-ldap
+      auto_tag: true
+      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
+      dockerfile: Dockerfile
+      build_args:
+        - CHECKER_VERSION=${DRONE_SEMVER}
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+    when:
+      event:
+        - tag
+
+trigger:
+  event:
+    - cron
+    - push
+    - tag
+
+---
+kind: pipeline
+name: docker-manifest
+
+platform:
+  os: linux
+  arch: arm64
+
+steps:
+  - name: publish on Docker Hub
+    image: plugins/manifest
+    settings:
+      auto_tag: true
+      ignore_missing: true
+      spec: .drone-manifest.yml
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+
+trigger:
+  branch:
+    exclude:
+      - renovate/*
+  event:
+    - cron
+    - push
+    - tag
+
+depends_on:
+  - build-amd64
+  - build-arm64

README.md

@@ -94,6 +94,26 @@ For each of `_ldap._tcp` (with fallback to port 389) and `_ldaps._tcp`
 | `bind_password` | no       | Secret. Bound only after TLS is established; never sent over cleartext.     |
 | `base_dn`       | no       | Base DN to test read access against. Requires a successful authenticated bind. |
 
+## Rules
+
+| Code                            | Description                                                                                                       | Severity            |
+|---------------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------|
+| `ldap.has_srv`                  | Verifies that _ldap._tcp / _ldaps._tcp SRV records are published and resolvable.                                  | WARNING             |
+| `ldap.endpoint_reachable`       | Verifies that every discovered LDAP endpoint accepts a TCP connection.                                            | CRITICAL            |
+| `ldap.has_encrypted_transport`  | Verifies that at least one reachable endpoint offers an encrypted channel (LDAPS or StartTLS).                    | CRITICAL            |
+| `ldap.starttls_supported`       | Verifies that StartTLS is offered and succeeds on every reachable plain LDAP endpoint.                            | CRITICAL            |
+| `ldap.ldaps_handshake`          | Verifies that the direct TLS handshake succeeds on every LDAPS endpoint.                                          | CRITICAL            |
+| `ldap.starttls_on_ldaps`        | Flags servers that needlessly advertise StartTLS on the implicit-TLS LDAPS port.                                  | INFO                |
+| `ldap.ipv6_reachable`           | Verifies at least one endpoint is reachable over IPv6.                                                            | INFO                |
+| `ldap.refuses_plain_bind`       | Verifies the directory refuses authentication attempts over a cleartext channel.                                  | CRITICAL            |
+| `ldap.anonymous_search_blocked` | Flags directories that allow anonymous search of the naming context (information disclosure).                     | WARNING             |
+| `ldap.rootdse_readable`         | Verifies the RootDSE is readable over TLS and advertises naming contexts.                                         | WARNING             |
+| `ldap.sasl_mechanisms`          | Reviews the supportedSASLMechanisms posture (presence of strong mechanisms, absence of password-equivalent ones). | WARNING             |
+| `ldap.protocol_version`         | Flags servers that still advertise the deprecated LDAPv2 protocol.                                                | WARNING             |
+| `ldap.bind_credentials`         | Verifies the supplied bind credentials are accepted by the directory (only runs when bind_dn is set).             | CRITICAL            |
+| `ldap.base_dn_read`             | Verifies the bound account can read the supplied base DN (only runs when base_dn is set and bind succeeded).      | CRITICAL            |
+| `ldap.tls_quality`              | Folds the downstream TLS checker findings (certificate chain, hostname match, expiry) onto the LDAP service.      | CRITICAL            |
+
 ## License
 
 MIT (see `LICENSE` and `NOTICE`).