add checkov config, update workflow permissions

.github/linters/.checkov.yaml

@@ -0,0 +1,2 @@
+quiet: true
+skip-check: CKV_DOCKER_7

.github/workflows/dependabot-approve-and-merge.yaml

@@ -4,11 +4,12 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   dependabot-approve-and-merge:
-    permissions:
-      contents: write
-      pull-requests: write
     secrets:
       SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN: ${{ secrets.SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN }}
     uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v2

.github/workflows/docker-build-container.yaml

@@ -6,6 +6,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   docker-build-container:
     runs-on: ubuntu-latest

.github/workflows/docker-push-containers-to-dockerhub.yaml

@@ -5,6 +5,9 @@ on:
     tags:
       - "[0-9]+.[0-9]+.[0-9]+"
 
+permissions:
+  contents: read
+
 jobs:
   docker-push-containers-to-dockerhub:
     runs-on: ubuntu-latest

.github/workflows/pylint.yaml

@@ -2,6 +2,9 @@ name: pylint
 
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   pylint:
     runs-on: ubuntu-latest

Dockerfile

@@ -15,10 +15,10 @@ HEALTHCHECK CMD ["/app/healthcheck.sh"]
 
 USER root
 
-# Install packages via apt.
+# Install packages via apt-get.
 
-RUN apt update \
-  && apt -y install \
+RUN apt-get update \
+  && apt-get -y install \
   gnupg2 \
   libaio1 \
   libodbc1 \
@@ -55,8 +55,8 @@ RUN mkdir -p /etc/apt/keyrings \
 
 RUN echo "deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" >> /etc/apt/sources.list
 
-RUN apt update \
-  && apt install -y temurin-11-jdk \
+RUN apt-get update \
+  && apt-get install -y temurin-11-jdk \
   && rm -rf /var/lib/apt/lists/*
 
 # Make non-root container.