Merge pull request #71 from ba-st/improve_vulnerabiltiy_scanning

Improve vulnerabiltiy scanning
ba-st · Apr 25, 2024 · 5e77dea · 5e77dea
2 parents d0dc79f + f1895dd
commit 5e77dea
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 6 deletions.
diff --git a/.github/workflows/scheduled-security-scan.yml b/.github/workflows/scheduled-security-scan.yml
@@ -8,13 +8,22 @@ jobs:
     permissions:
       contents: read
       security-events: write
-    name: Scheduled scan for vulnerabilities
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+          - latest
+          - v5
+        package:
+          - launchpad
+          - launchpad-gs64-3.7.1
+    name: Scheduled scan for vulnerabilities ${{ matrix.package }}-${{ matrix.version }}
     steps:
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: ghcr.io/${{ github.repository_owner }}/launchpad:latest
+          image-ref: ghcr.io/${{ github.repository_owner }}/${{ matrix.package }}:${{ matrix.version}}
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'

diff --git a/docker/pharo/Dockerfile b/docker/pharo/Dockerfile
@@ -3,10 +3,10 @@ FROM ghcr.io/ba-st/pharo:v11.0.0
 COPY --chown=pharo:users ./launchpad* ./
 USER root
 RUN set -eu; \
-  apt-get update; \
-  apt-get upgrade; \
-  apt-get install --assume-yes --no-install-recommends netcat-openbsd; \
-  apt-get clean; \
+  apt update; \
+  apt upgrade --assume-yes; \
+  apt install --assume-yes --no-install-recommends netcat-openbsd; \
+  apt clean; \
   rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*; \
   ln -s /opt/pharo/launchpad /usr/local/bin/launchpad; \
   ln -s /opt/pharo/launchpad-list /usr/local/bin/launchpad-list; \