From d9cd459655508039e7c279c3b64a0391fef0b7eb Mon Sep 17 00:00:00 2001
From: Gabriel Omar Cotelli
Date: Thu, 25 Apr 2024 10:49:34 -0300
Subject: [PATCH 1/3] Schedule vulnerability scan over latest and version branches
---
 .github/workflows/scheduled-security-scan.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/scheduled-security-scan.yml b/.github/workflows/scheduled-security-scan.yml
index 033d9d2..93f6e62 100644
--- a/.github/workflows/scheduled-security-scan.yml
+++ b/.github/workflows/scheduled-security-scan.yml
@@ -8,13 +8,19 @@ jobs:
 permissions:
 contents: read
 security-events: write
- name: Scheduled scan for vulnerabilities
 runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ version:
+ - latest
+ - v5
+ name: Scheduled scan for vulnerabilities ${{ matrix.version }}
 steps:
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: ghcr.io/${{ github.repository_owner }}/launchpad:latest
+ image-ref: ghcr.io/${{ github.repository_owner }}/launchpad:${{ matrix.version}}
 format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
From d562cbbbbbb22e959b3956e8fe278b81f413303c Mon Sep 17 00:00:00 2001
From: Gabriel Omar Cotelli
Date: Thu, 25 Apr 2024 10:55:22 -0300
Subject: [PATCH 2/3] Fix Pharo dockerfile
---
 docker/pharo/Dockerfile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docker/pharo/Dockerfile b/docker/pharo/Dockerfile
index d19d5b1..e125bca 100644
--- a/docker/pharo/Dockerfile
+++ b/docker/pharo/Dockerfile
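Review bot: Each matrix leg now writes its own `trivy-results.sarif` for the same ref, and if the upload step that follows this hunk (not visible here) calls `github/codeql-action/upload-sarif` without a per-leg `category`, the later upload replaces the earlier one in code scanning and the findings for one image silently disappear; add `category: trivy-${{ matrix.version }}` (or similar) to that step. The same applies to the third patch in this series, where the matrix grows to package × version. On the new `image-ref` line, `${{ matrix.version}}` lacks the closing space used on the `name:` line above (`${{ matrix.version }}`); it evaluates fine but reads as a typo. `aquasecurity/trivy-action@master` is pre-existing context, but the scanner itself would be reproducible if pinned to a release tag or commit SHA rather than a moving branch.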
@@ -3,10 +3,10 @@ FROM ghcr.io/ba-st/pharo:v11.0.0
 COPY --chown=pharo:users ./launchpad* ./
 USER root
 RUN set -eu; \
- apt-get update; \
- apt-get upgrade; \
- apt-get install --assume-yes --no-install-recommends netcat-openbsd; \
- apt-get clean; \
+ apt update; \
+ apt upgrade --assume-yes; \
+ apt install --assume-yes --no-install-recommends netcat-openbsd; \
+ apt clean; \
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*; \
 ln -s /opt/pharo/launchpad /usr/local/bin/launchpad; \
 ln -s /opt/pharo/launchpad-list /usr/local/bin/launchpad-list; \
From f1895dd9baf25edc55ec29b70efa83ef5168b478 Mon Sep 17 00:00:00 2001
From: Gabriel Omar Cotelli
Date: Thu, 25 Apr 2024 11:02:06 -0300
Subject: [PATCH 3/3] Also scan gs64-3.7.1 package
---
 .github/workflows/scheduled-security-scan.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/scheduled-security-scan.yml b/.github/workflows/scheduled-security-scan.yml
index 93f6e62..d3845bf 100644
--- a/.github/workflows/scheduled-security-scan.yml
+++ b/.github/workflows/scheduled-security-scan.yml
@@ -15,12 +15,15 @@ jobs:
 version:
 - latest
 - v5
- name: Scheduled scan for vulnerabilities ${{ matrix.version }}
+ package:
+ - launchpad
+ - launchpad-gs64-3.7.1
+ name: Scheduled scan for vulnerabilities ${{ matrix.package }}-${{ matrix.version }}
 steps:
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: ghcr.io/${{ github.repository_owner }}/launchpad:${{ matrix.version}}
+ image-ref: ghcr.io/${{ github.repository_owner }}/${{ matrix.package }}:${{ matrix.version}}
 format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
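Review bot: The real fix in this hunk is the missing `--assume-yes` on the upgrade line, but replacing `apt-get` with `apt` on all four lines trades the scripting-stable interface for one that warns on every build that it has no stable CLI interface and may change behaviour between releases; keep `apt-get` on the other three lines and change only the upgrade line to `apt-get upgrade --assume-yes; \`. The RUN instruction continues past the end of the hunk (every visible line still ends in `\`) and executes as root after the `USER root` context line, so confirm a `USER pharo` follows once the chain ends. An unpinned upgrade also means two builds of the same Dockerfile can produce different package sets; that is a reasonable trade-off for picking up distro security fixes, but a short comment on the RUN line stating that intent would save the next maintainer from "fixing" it.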
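Review bot: On the new `image-ref` line, `${{ matrix.package }}` is written with the closing space while `${{ matrix.version}}` on the same line still is not; normalise to `${{ matrix.version }}` so the two expressions read the same. The matrix now expands to four legs (two packages × two versions) and every combination is assumed to be published as `ghcr.io/<owner>/<package>:<version>`; if, say, the `launchpad-gs64-3.7.1` image has no `v5` tag, that leg fails on every scheduled run (`fail-fast: false` keeps the others going, but the workflow still shows red). A `matrix.exclude` entry for unpublished combinations, or a comment above `package:` stating that all combinations exist, would make the expectation explicit. The GemStone version `3.7.1` baked into the package name also means this list needs manual editing on every GemStone bump, which is worth a one-line comment there as well.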