Set up known-vulnerability scanning for container images

[ericcornelissen]

Relates to #81, #119, #123

Summary

Expand auditing to cover the container images (Containerfile and Containerfile.dev) so as to stay on secure base images.

Suggestions, tips, thoughts are welcome.

Goals

The solution:

• (must) be runnable by anyone.
• (must) allow for ignoring specific vulnerabilities manually.
• (ideally) allows for ignoring vulnerabilities without fixes.

Tests

I tried out Docker Scout and the following make target worked reasonably well. However, it didn't work as expected (it detected a known vulnerability in OpenSSL (correct) but it suggested downgrading the base image (from docker.io/golang:1.21.5-alpine3.19) to docker.io/golang:1.20-alpine3.19, seemingly because it's more popular, even though it achieves nothing).

.PHONY: audit-container
audit-container: container dev-img
	@echo 'Auditing production container...'
	@docker scout cves \
		--exit-code \
		--format 'only-packages' \
		--only-fixed \
		--only-package-type 'apk' \
		'ericornelissen/ades'
	@echo 'Auditing development container...'
	@docker scout cves \
		--exit-code \
		--format 'only-packages' \
		--only-fixed \
		--only-package-type 'apk' \
		'ades-dev-img'