From 8cb1e35d58b4ed7b18633e2db78d52873b905dae Mon Sep 17 00:00:00 2001
From: Maaike
Date: Tue, 5 Nov 2024 11:35:40 +0100
Subject: [PATCH 1/8] add trivy.yml

---
 .github/workflows/trivy.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 .github/workflows/trivy.yml

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..3a997a4
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,26 @@
+name: Run Trivy vulnerability scanner
+
+on: [ push ]
+
+jobs:
+ main:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Build wis2downloader
+ run: |
+ docker build -t wis2downloader:test .
+ - name: Run Trivy vulnerability scanner on wis2downloader
+ uses: aquasecurity/trivy-action@0.20.0
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+ with:
+ image-ref: 'wis2downloader:test'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ ignorefile: '.trivyignore'
\ No newline at end of file

From 0aa5436766f6d3f708c14d1673e80c7813c50ad0 Mon Sep 17 00:00:00 2001
From: Maaike
Date: Tue, 5 Nov 2024 11:48:51 +0100
Subject: [PATCH 2/8] provide correct path containing Dockerfile

---
 .github/workflows/trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 3a997a4..464aac0 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -10,7 +10,7 @@ jobs:
 uses: actions/checkout@v2
 - name: Build wis2downloader
 run: |
- docker build -t wis2downloader:test .
+ docker build -t wis2downloader:test docker
 - name: Run Trivy vulnerability scanner on wis2downloader
 uses: aquasecurity/trivy-action@0.20.0
 env:

From 752378dbe211786fb7ceb2bae8f2160f64a7af32 Mon Sep 17 00:00:00 2001
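Review bot: The scanner step at `uses: aquasecurity/trivy-action@0.20.0` pins a third-party action to a mutable tag, so the code that runs inside this job, with the job's token and the checked-out tree, can change without any diff appearing in this file; pin it to the full commit SHA and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha-of-0.20.0>  # 0.20.0` (placeholder, take the SHA from the release), and treat `actions/checkout` in the same file the same way. `ignore-unfixed: true` suppresses CRITICAL/HIGH findings that have no upstream fix yet, which is a deliberate trade-off that deserves a line such as `# ignore-unfixed: findings without a distro fix are hidden; revisit when the base image is bumped` above it. The file is also written without a trailing newline (`\ No newline at end of file`), and the single-command `run: |` block reads better as `run: docker build -t wis2downloader:test .`.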
From: Maaike
Date: Tue, 5 Nov 2024 11:52:30 +0100
Subject: [PATCH 3/8] fix build

---
 .github/workflows/trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 464aac0..fb8fa08 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -10,7 +10,7 @@ jobs:
 uses: actions/checkout@v2
 - name: Build wis2downloader
 run: |
- docker build -t wis2downloader:test docker
+ docker build -t wis2downloader:test ./docker/Dockerfile
 - name: Run Trivy vulnerability scanner on wis2downloader
 uses: aquasecurity/trivy-action@0.20.0
 env:

From ecf89cbbc7d07a15fee5cde196758abad4f4431d Mon Sep 17 00:00:00 2001
From: Maaike
Date: Tue, 5 Nov 2024 11:54:30 +0100
Subject: [PATCH 4/8] fix build

---
 .github/workflows/trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index fb8fa08..ea11c62 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -10,7 +10,7 @@ jobs:
 uses: actions/checkout@v2
 - name: Build wis2downloader
 run: |
- docker build -t wis2downloader:test ./docker/Dockerfile
+ docker build -t wis2downloader:test -f ./docker/Dockerfile
 - name: Run Trivy vulnerability scanner on wis2downloader
 uses: aquasecurity/trivy-action@0.20.0
 env:

From 1b1806537d5c0ba52df8e71808920365de6dd6f2 Mon Sep 17 00:00:00 2001
From: Maaike
Date: Tue, 5 Nov 2024 11:55:46 +0100
Subject: [PATCH 5/8] fix build

---
 .github/workflows/trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index ea11c62..aad2e9b 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -10,7 +10,7 @@ jobs:
 uses: actions/checkout@v2
 - name: Build wis2downloader
 run: |
- docker build -t wis2downloader:test -f ./docker/Dockerfile
+ docker build -t wis2downloader:test -f ./docker/Dockerfile .
 - name: Run Trivy vulnerability scanner on wis2downloader
 uses: aquasecurity/trivy-action@0.20.0
 env:

From eda7c02301c2324746addbab8ff442a4d0ac558c Mon Sep 17 00:00:00 2001
From: Maaike
Date: Tue, 5 Nov 2024 11:58:48 +0100
Subject: [PATCH 6/8] remove pinned versions

---
 docker/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 7759e5a..e60b1fe 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -20,7 +20,7 @@ ENV WIS2DOWNLOADER_CONFIG "/home/wis2downloader/app/config/config.json"
 # Update, upgrade packages and install / clean up
 RUN apt-get update && \
 apt-get upgrade && \
- apt-get install -y gettext-base=0.21-12 curl=7.88.1-10+deb12u6 cron=3.0pl1-162 git=1:2.39.2-1.1 && \
+ apt-get install -y gettext-base curl cron git && \
 rm -rf /var/lib/apt/lists/*
 # Now setup python env and default user

From 6aa611de18ddda1af92b05f5c33211fea075a243 Mon Sep 17 00:00:00 2001
From: Maaike
Date: Tue, 5 Nov 2024 12:43:30 +0100
Subject: [PATCH 7/8] hadolint ignore=DL3008

---
 docker/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index e60b1fe..18c1392 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -18,6 +18,7 @@ ENV WIS2DOWNLOADER_CONFIG "/home/wis2downloader/app/config/config.json"
 # Update, upgrade packages and install / clean up
+# hadolint ignore=DL3008
 RUN apt-get update && \
 apt-get upgrade && \
 apt-get install -y gettext-base curl cron git && \

From 81b77a921f450165c67fbd20ec538001de0c5df1 Mon Sep 17 00:00:00 2001
From: Maaike
Date: Tue, 5 Nov 2024 12:44:27 +0100
Subject: [PATCH 8/8] fix superlinter CHECKOV and GITHUB_ACTIONS

---
 .github/workflows/trivy.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
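Review bot: With `docker build -t wis2downloader:test -f ./docker/Dockerfile .` the build context is the whole checkout rather than `docker/`, so everything in the repository, `.git` included, is sent to the daemon and is reachable by any `COPY`/`ADD` in the Dockerfile; a `.dockerignore` at the repository root is not visible in this series, so confirm one exists and excludes what the image does not need. The step runs one command, so `run: docker build -t wis2downloader:test -f ./docker/Dockerfile .` would replace the block scalar. The `run:` value is the last line of this step; the Trivy step that consumes `wis2downloader:test` follows in the context lines.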
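Review bot: Dropping the version pins in `apt-get install -y gettext-base curl cron git` makes the installed package set depend on whatever the Debian mirror serves at build time, so the Trivy gate added earlier in this series (`exit-code: '1'` on CRITICAL/HIGH) can pass on one build of a commit and fail on the next; that is a reasonable choice for a scan-on-push job, but the reason should be written down rather than only silenced, so the `# hadolint ignore=DL3008` line that [PATCH 7/8] adds should sit under a comment of the form `# Package versions are deliberately unpinned: <reason>` with the actual reason filled in. Adding `--no-install-recommends` to the same `apt-get install` line keeps recommended packages out of the image, which shrinks both the image and the set of packages Trivy has to report on. The context line `apt-get upgrade && \` has no `-y`; if the build currently succeeds that is presumably only because nothing was pending at build time, since apt aborts at the confirmation prompt when stdin is not a terminal — worth confirming.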
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index aad2e9b..1d67f90 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -2,12 +2,18 @@ name: Run Trivy vulnerability scanner
 on: [ push ]
+permissions:
+ contents: read
+ packages: write
+ issues: write
+ pull-requests: write
+
 jobs:
 main:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 - name: Build wis2downloader
 run: |
 docker build -t wis2downloader:test -f ./docker/Dockerfile .
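Review bot: The new workflow-level `permissions:` block grants `packages: write`, `issues: write` and `pull-requests: write` to a job that only builds a local image and prints a Trivy table; nothing in this workflow pushes a package, comments on an issue or touches a pull request, so on every push the token carries write scopes it never uses. Satisfying the linter needs only the read scope: keep `permissions:` and `  contents: read` and drop the three write lines; if a later step is meant to publish results, add that one scope at the job level when it arrives. The `actions/checkout@v4` bump is fine, and the `v4` tag has the same moving-tag property as the Trivy action tag discussed on [PATCH 1/8].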