From 23d8bcf0afb98b0bfb50dd49c1c76cf729da7d11 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood
Date: Mon, 4 Dec 2023 11:53:54 +0000
Subject: [PATCH] Upgrade through apt-get

---
 .github/workflows/_docker-build-deploy.yml | 28 +++++++++++-----------
 docker/tna-python/Dockerfile | 1 +
 2 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/_docker-build-deploy.yml b/.github/workflows/_docker-build-deploy.yml
index 58e1af9..7b1edf9 100644
--- a/.github/workflows/_docker-build-deploy.yml
+++ b/.github/workflows/_docker-build-deploy.yml
@@ -89,17 +89,17 @@ jobs:
 push: true
 tags: ${{ env.IMAGE_ID }}:latest
 provenance: false
- # - name: Scan for vulnerabilities
- # if: inputs.publish
- # id: scan
- # uses: crazy-max/ghaction-container-scan@v2
- # with:
- # image: ${{ env.IMAGE_ID }}:${{ env.TAG }}
- # dockerfile: ${{ inputs.docker-context }}/${{ inputs.dockerfile }}
- # severity_threshold: CRITICAL
- # annotations: true
- # - name: Upload SARIF file
- # if: steps.scan.outputs.sarif != '' && inputs.publish
- # uses: github/codeql-action/upload-sarif@v2
- # with:
- # sarif_file: ${{ steps.scan.outputs.sarif }}
+ - name: Scan for vulnerabilities
+ if: inputs.publish
+ id: scan
+ uses: crazy-max/ghaction-container-scan@v2
+ with:
+ image: ${{ env.IMAGE_ID }}:${{ env.TAG }}
+ dockerfile: ${{ inputs.docker-context }}/${{ inputs.dockerfile }}
+ severity_threshold: CRITICAL
+ annotations: true
+ - name: Upload SARIF file
+ if: steps.scan.outputs.sarif != '' && inputs.publish
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/docker/tna-python/Dockerfile b/docker/tna-python/Dockerfile
index 8b884d4..42fbd9c 100644
--- a/docker/tna-python/Dockerfile
+++ b/docker/tna-python/Dockerfile
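Review bot: The SARIF upload added on the last lines of the hunk is skipped exactly when the scan finds something, because `if: steps.scan.outputs.sarif != '' && inputs.publish` keeps the implicit `success()` condition, and a scan step that fails on its `severity_threshold: CRITICAL` check (which is what the threshold input is for, assuming the action exits non-zero) ends the job before the upload runs. Changing it to `if: always() && steps.scan.outputs.sarif != '' && inputs.publish`, or giving the scan step `continue-on-error: true`, lets the findings reach code scanning while the job still reports the failure. Both actions are referenced by mutable major tags (`crazy-max/ghaction-container-scan@v2`, `github/codeql-action/upload-sarif@v2`); pinning each to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: crazy-max/ghaction-container-scan@<commit-sha>  # v2`, bounds what a moved tag can introduce into a build that pushes images. The upload step also requires `security-events: write` in the job's `permissions`, which is outside this hunk and worth confirming. The `steps` list starts and continues outside the hunk.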
@@ -102,6 +102,7 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN set -eux; \
 \
 apt-get update; \
+ apt-get -y upgrade; \
 apt-get install -y --no-install-recommends curl=7.88.1-10+deb12u4 build-essential=12.9 libmagic-dev=1:5.44-3; \
 apt-get clean; \
 apt-get autoremove -y --purge; \
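Review bot: The added `apt-get -y upgrade; \` makes the image content depend on whatever the Debian archive serves at build time, which works against the exact pins on the following install line (`curl=7.88.1-10+deb12u4`, `build-essential=12.9`, `libmagic-dev=1:5.44-3`): two builds of the same Dockerfile can now produce different package sets, so the pins no longer give reproducibility and an upgraded dependency can presumably collide with a pinned version and fail the install. The upgrade looks like a response to base-image findings from the scanner re-enabled in the workflow change; bumping the base image tag is the reproducible way to clear those, and if the upgrade is kept it should carry a comment stating why, e.g. `# apply security updates published after the base image was built; refresh the base tag to keep builds reproducible`. The RUN instruction continues past the end of the hunk.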