Compliance by sduchesneau · Pull Request #758 · streamingfast/substreams

sduchesneau · 2026-04-30T20:12:31Z

add dependency check on "secrets detection"
Add dependency check on dependabot
Add vulnerability checks in docker build with docker scout
Tweak branches and tags where each job runs to be more logical
Bump versions so it also fixes existing dependabot high/critical alerts

…ion with dedicated secrets token

…thub workflows

sduchesneau · 2026-05-01T18:45:32Z

🔍 Vulnerabilities of `ghcr.io/streamingfast/substreams:0047400`

📦 Image Reference ghcr.io/streamingfast/substreams:0047400

digest	`sha256:63615285b77fa3abbaa297a000222789614f7a87456f94bf2d7424de53f98e87`
vulnerabilities
platform	linux/amd64
size	115 MB
packages	350

📦 Base Image ubuntu:24.04

also known as	`84bda043709f9066841484e9b8e440aa0d6d04ab49d09e367ef0fb68ace864cf` `latest` `noble` `noble-20260410`
digest	`sha256:cdb5fd928fced577cfecf12c8966e830fcdf42ee481fb0b91904eeddc2fe5eff`
vulnerabilities

UlysseCorbeil

Anything in this PR test_e2e related maybe should be in another PR of its own like "e2e tests improvements" or something, since it dosen't work and is out of scope, but minor bickering, otherwise lgtm

sduchesneau added 6 commits May 1, 2026 13:36

inform changelog of github rulesets

68c50cc

add dependabot workflow check

339f96e

tweak github workflows, run tests_e2e, add secret scanning checks

67f87f4

fix dummyBlockchainImage in tests_e2e, try secret scanning review act…

7b46c84

…ion with dedicated secrets token

bump secret-scanning-review-action@v2.2.4 version

0dcbab9

bump vulnerable dependencies, comment tests_e2e that don't work on gi…

cdf8301

…thub workflows

sduchesneau force-pushed the compliance branch from f9cf157 to cdf8301 Compare May 1, 2026 17:36

sduchesneau self-assigned this May 1, 2026

sduchesneau added 3 commits May 1, 2026 13:52

add docker-scout checks to docker workflow

ee51064

add dockerhub user/PAT for docker scout checks

76ad0a2

bump permissions for docker scout to comment PR

8426b90

force fail CI on dockerscout alert, bump golang.org/x/net for CVE

b30156a

sduchesneau requested a review from UlysseCorbeil May 1, 2026 18:59

UlysseCorbeil approved these changes May 1, 2026

View reviewed changes

sduchesneau merged commit b3c9c91 into develop May 1, 2026
6 checks passed

UlysseCorbeil deleted the compliance branch May 1, 2026 19:28

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Compliance#758

Compliance#758
sduchesneau merged 10 commits intodevelopfrom
compliance

sduchesneau commented Apr 30, 2026 •

edited

Loading

Uh oh!

sduchesneau commented May 1, 2026 •

edited

Loading

Uh oh!

UlysseCorbeil left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

sduchesneau commented Apr 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

sduchesneau commented May 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🔍 Vulnerabilities of ghcr.io/streamingfast/substreams:0047400

Uh oh!

UlysseCorbeil left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

sduchesneau commented Apr 30, 2026 •

edited

Loading

sduchesneau commented May 1, 2026 •

edited

Loading

🔍 Vulnerabilities of `ghcr.io/streamingfast/substreams:0047400`