chore: add kubescape image scanner (#3776)

ory · Jun 6, 2024 · f7159f4 · f7159f4
1 parent af0c64f
commit f7159f4
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 3 deletions.
diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine
@@ -1,4 +1,4 @@
-FROM alpine:3.18
+FROM alpine:3.20.0
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D -H -s /bin/nologin

diff --git a/.docker/Dockerfile-scratch b/.docker/Dockerfile-scratch
@@ -1,4 +1,4 @@
-FROM alpine:3.18
+FROM alpine:3.20.0
 
 RUN apk --no-cache --upgrade --latest add ca-certificates
 

diff --git a/.docker/Dockerfile-sqlite b/.docker/Dockerfile-sqlite
@@ -1,4 +1,4 @@
-FROM alpine:3.18
+FROM alpine:3.20.0
 
 # Because this image is built for SQLite, we create /home/ory and /home/ory/sqlite which is owned by the ory user
 # and declare /home/ory/sqlite a volume.

diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
@@ -48,6 +48,15 @@ jobs:
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: ${{ steps.grype-scan.outputs.sarif }}
+      - name: Kubescape scanner
+        uses: kubescape/github-action@main
+        id: kubescape
+        with:
+          image: oryd/hydra:${{ env.SHA_SHORT }}-sqlite
+          verbose: true
+          format: pretty-printer
+          # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
+          severityThreshold: critical
       - name: Trivy Scanner
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}