mirror of
https://github.com/pewdiepie-archdaemon/odysseus.git
synced 2026-07-08 11:56:59 +00:00
72b586695d
Bumps the actions group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/setup-python](https://github.com/actions/setup-python) | `6.2.0` | `6.3.0` | | [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `4.1.0` | `4.2.0` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `7.2.0` | `7.3.0` | | [github/codeql-action/upload-sarif](https://github.com/github/codeql-action) | `4.36.2` | `4.36.3` | | [docker/login-action](https://github.com/docker/login-action) | `4.2.0` | `4.3.0` | | [docker/metadata-action](https://github.com/docker/metadata-action) | `6.1.0` | `6.2.0` | Updates `actions/setup-python` from 6.2.0 to 6.3.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/a309ff8b426b58ec0e2a45f0f869d46889d02405...ece7cb06caefa5fff74198d8649806c4678c61a1) Updates `docker/setup-buildx-action` from 4.1.0 to 4.2.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5...bb05f3f5519dd87d3ba754cc423b652a5edd6d2c) Updates `docker/build-push-action` from 7.2.0 to 7.3.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/f9f3042f7e2789586610d6e8b85c8f03e5195baf...53b7df96c91f9c12dcc8a07bcb9ccacbed38856a) Updates `github/codeql-action/upload-sarif` from 4.36.2 to 4.36.3 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/8aad20d150bbac5944a9f9d289da16a4b0d87c1e...54f647b7e1bb85c95cddabcd46b0c578ec92bc1a) Updates `docker/login-action` from 4.2.0 to 4.3.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/650006c6eb7dba73a995cc03b0b2d7f5ca915bee...c99871dec2022cc055c062a10cc1a1310835ceb4) Updates `docker/metadata-action` from 6.1.0 to 6.2.0 - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](https://github.com/docker/metadata-action/compare/80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9...dc802804100637a589fabce1cb79ff13a1411302) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: docker/setup-buildx-action dependency-version: 4.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: docker/build-push-action dependency-version: 7.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: github/codeql-action/upload-sarif dependency-version: 4.36.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: docker/login-action dependency-version: 4.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: docker/metadata-action dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
126 lines
4.4 KiB
YAML
126 lines
4.4 KiB
YAML
# Container image vulnerability scan (advisory)
|
|
#
|
|
# Trivy builds the application image and scans it for known-vulnerable OS and
|
|
# Python packages. Advisory only -- it reports findings to the repo's Security
|
|
# tab without blocking a merge, because the image inevitably contains
|
|
# already-known CVEs in upstream packages that are not this project's bug.
|
|
#
|
|
# Split from the Dockerfile lint (container-scan.yml) for two reasons:
|
|
#
|
|
# - Least privilege. The image build runs Dockerfile instructions, which on a
|
|
# pull request are attacker-influenceable. That path (the `scan` job) is
|
|
# held to a read-only token and never publishes results. Only `publish`,
|
|
# which runs on push to main (curated, fast-forwarded from reviewed dev),
|
|
# gets security-events:write to upload SARIF.
|
|
# - Cost. Docs-only changes do not rebuild the image (paths-ignore below),
|
|
# matching docker-publish.yml. hadolint stays on the broad trigger in
|
|
# container-scan.yml so the blocking gate always reports.
|
|
|
|
name: Container scan (Trivy)
|
|
|
|
on:
|
|
pull_request:
|
|
paths-ignore:
|
|
- '**.md'
|
|
- 'docs/**'
|
|
- '.github/ISSUE_TEMPLATE/**'
|
|
push:
|
|
branches: [main]
|
|
paths-ignore:
|
|
- '**.md'
|
|
- 'docs/**'
|
|
- '.github/ISSUE_TEMPLATE/**'
|
|
workflow_dispatch:
|
|
|
|
permissions: {}
|
|
|
|
concurrency:
|
|
group: container-trivy-${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
# Pull requests and manual runs: build and scan under a read-only token.
|
|
# The build executes PR-supplied Dockerfile instructions, so this job must
|
|
# not hold any write scope, and it does not upload to the Security tab.
|
|
scan:
|
|
name: Trivy (image scan, advisory)
|
|
if: github.event_name != 'push'
|
|
runs-on: ubuntu-latest
|
|
# Advisory: a CVE in an upstream package must not block a PR.
|
|
continue-on-error: true
|
|
permissions:
|
|
contents: read
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up Buildx
|
|
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
|
|
|
|
# Build without pushing so a broken Dockerfile is caught here, and the
|
|
# exact image we ship is what gets scanned.
|
|
- name: Build image
|
|
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
|
|
with:
|
|
context: .
|
|
push: false
|
|
load: true
|
|
tags: odysseus:ci
|
|
|
|
- name: Scan image with Trivy
|
|
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
|
|
with:
|
|
image-ref: odysseus:ci
|
|
format: table
|
|
ignore-unfixed: true
|
|
env:
|
|
# Pin the vuln DB source to GHCR to avoid rate-limited Docker Hub
|
|
# mirrors that flake on shared runners.
|
|
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db:2
|
|
|
|
# Push to main only: build, scan, and publish SARIF to the Security tab.
|
|
# This is the only path that runs trusted code, so it is the only one granted
|
|
# security-events:write.
|
|
publish:
|
|
name: Trivy (image scan + SARIF upload)
|
|
if: github.event_name == 'push'
|
|
runs-on: ubuntu-latest
|
|
continue-on-error: true
|
|
permissions:
|
|
contents: read
|
|
security-events: write # upload SARIF to the Security tab
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up Buildx
|
|
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
|
|
|
|
- name: Build image
|
|
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
|
|
with:
|
|
context: .
|
|
push: false
|
|
load: true
|
|
tags: odysseus:ci
|
|
|
|
- name: Scan image with Trivy
|
|
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
|
|
with:
|
|
image-ref: odysseus:ci
|
|
format: sarif
|
|
output: trivy-results.sarif
|
|
ignore-unfixed: true
|
|
env:
|
|
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db:2
|
|
|
|
- name: Upload Trivy results
|
|
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
|
|
with:
|
|
sarif_file: trivy-results.sarif
|
|
category: trivy-image
|