Merge pull request #1507 from open-zaak/feature/gh-image-scan

👷 [#1502] add trivy image scaner to CI
open-zaak · Nov 15, 2023 · fee93b2 · fee93b2
2 parents 5f760f9 + f519f56
commit fee93b2
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 4 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -268,6 +268,45 @@ jobs:
           path: image.tar
           retention-days: 1
 
+  image_scan:
+    runs-on: ubuntu-latest
+    name: Scan docker image
+    needs:
+      - docker
+
+    steps:
+      - name: Download built image
+        uses: actions/download-artifact@v3
+        with:
+          name: docker-image
+      - name: Determine tag/commit hash
+        id: vars
+        run: |
+          # Strip git ref prefix from version
+          VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
+
+          # Strip "v" prefix from tag name (if present at all)
+          [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
+
+          # Use Docker `latest` tag convention
+          [ "$VERSION" == "main" ] && VERSION=latest
+
+          echo "tag=${VERSION}" >> $GITHUB_OUTPUT
+      - name: Load image
+        run: |
+          docker image load -i image.tar
+      - name: Scan image with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.tag }}
+          format: 'sarif'
+          output: 'trivy-results-docker.sarif'
+          ignore-unfixed: true
+      - name: Upload results to GH Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results-docker.sarif'
+
   # TODO: only run if src files changed (i.e. -> exclude for docs)
   api_testplatform_standard:
     runs-on: ubuntu-latest

diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 # Stage 1 - Compile needed python dependencies
 FROM python:3.9-slim-bullseye AS build
 
-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
         pkg-config \
         build-essential \
         libpq-dev \
@@ -10,7 +10,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 WORKDIR /app
 
 COPY ./requirements /app/requirements
-RUN pip install pip 'setuptools<59.0' -U
+RUN pip install pip setuptools -U
 RUN pip install -r requirements/production.txt
 
 
@@ -40,10 +40,10 @@ FROM python:3.9-slim-bullseye AS production
 
 # Stage 3.1 - Set up the needed production dependencies
 # install all the dependencies for GeoDjango
-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
         # bare minimum to debug live containers
         procps \
-        vim \
+        nano \
         # serve correct Content-Type headers
         mime-support \
         # (geo) django dependencies