From 3db05fc212a4d94b67496891a6c05cad43ea23c5 Mon Sep 17 00:00:00 2001
From: Maaike
Date: Tue, 5 Nov 2024 16:27:17 +0100
Subject: [PATCH] add trivy.yml (#31)
* add trivy.yml
* remove pinned versions
* ignore=DL3008
* fix superlinter CHECKOV and GITHUB_ACTIONS
---
 .github/workflows/trivy.yml | 32 ++++++++++++++++++++++++++++++++
 docker/Dockerfile | 3 ++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/trivy.yml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..1d67f90
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,32 @@
+name: Run Trivy vulnerability scanner
+
+on: [ push ]
+
+permissions:
+ contents: read
+ packages: write
+ issues: write
+ pull-requests: write
+
+jobs:
+ main:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Build wis2downloader
+ run: |
+ docker build -t wis2downloader:test -f ./docker/Dockerfile .
+ - name: Run Trivy vulnerability scanner on wis2downloader
+ uses: aquasecurity/trivy-action@0.20.0
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+ with:
+ image-ref: 'wis2downloader:test'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ ignorefile: '.trivyignore'
\ No newline at end of file
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 7759e5a..18c1392 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
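Review bot: The `permissions` block grants `packages: write`, `issues: write` and `pull-requests: write` to a job whose only steps check out the repo, build an image locally and run Trivy with `format: 'table'` — nothing in the hunk pushes a package, opens an issue or comments on a PR, so those write scopes are unused and, since the job runs `on: [ push ]` for every branch, they needlessly widen what the job token can do; `contents: read` alone is the least-privilege setting, so the block should read `permissions:` / `  contents: read`. `aquasecurity/trivy-action@0.20.0` and `actions/checkout@v4` are pinned to mutable tags rather than commit SHAs, so the scanner that gates the build (`exit-code: '1'`) can be changed upstream without any change in this repo; I'd pin both to a full SHA with the version in a trailing comment. `ignore-unfixed: true` together with `ignorefile: '.trivyignore'` (a file this commit does not add) means suppressed findings never appear in the table output, which is worth stating in a comment next to `ignore-unfixed`, e.g. `# CRITICAL/HIGH findings with no upstream fix are deliberately not build-gating; suppressions live in .trivyignore`.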
@@ -18,9 +18,10 @@ ENV WIS2DOWNLOADER_CONFIG "/home/wis2downloader/app/config/config.json"
# Update, upgrade packages and install / clean up
+# hadolint ignore=DL3008
RUN apt-get update && \
apt-get upgrade && \
- apt-get install -y gettext-base=0.21-12 curl=7.88.1-10+deb12u6 cron=3.0pl1-162 git=1:2.39.2-1.1 && \
+ apt-get install -y gettext-base curl cron git && \
rm -rf /var/lib/apt/lists/*
# Now setup python env and default user
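Review bot: `apt-get upgrade && \` on the context line directly above the changed `apt-get install` has no `-y`, so in a non-interactive `docker build` apt will prompt, read EOF from stdin and abort with a non-zero exit whenever there is anything to upgrade; this is pre-existing, but now that the version pins are gone the upgrade is what is supposed to keep the installed packages current, so it should be `apt-get upgrade -y && \`. The new install line also pulls in recommended packages, which adds attack surface that the Trivy scan then has to cover; `apt-get install -y --no-install-recommends gettext-base curl cron git && \` limits the image to what is listed. Dropping the pins trades reproducibility for receiving security updates — an image built later may carry different package versions than the one the CI scan approved — so the `# hadolint ignore=DL3008` line would benefit from a second comment recording that decision, e.g. `# Versions intentionally unpinned: apt-get upgrade plus the Trivy workflow keep packages current`. The RUN instruction is fully within the hunk.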