From 1a86b96af762a2d0665a5d424b74f5fcd1a187f0 Mon Sep 17 00:00:00 2001
From: sina
Date: Sat, 8 Jun 2024 16:45:22 +0200
Subject: [PATCH] Feature/integrate docker scout with git hub actions (#564)

* added github action for Docker Scout compare
* added Docker Scout step
* set correct secrets for DOCKERHUB
* upgrade git version
* (2.45.1-r0) is not available in the Alpine repositories, and a newer version (2.45.2-r0) is available instead
* changed dockerhub secrets to readonly
---
 .../workflows/vulnerability-comparison.yaml | 49 +++++++++++++++++++
 Dockerfile | 2 +-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/vulnerability-comparison.yaml

diff --git a/.github/workflows/vulnerability-comparison.yaml b/.github/workflows/vulnerability-comparison.yaml
new file mode 100644
index 00000000..621a6f2f
--- /dev/null
+++ b/.github/workflows/vulnerability-comparison.yaml
@@ -0,0 +1,49 @@
+name: Vulnerability Comparison
+
+on:
+ pull_request:
+ branches: ["**"]
+
+env:
+ # Image repository, without hostname and tag
+ IMAGE_NAME: ${{ github.repository }}
+ SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
+
+jobs:
+ vulnerability-comparison:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ env.SHA }}
+ - name: Set short SHA
+ id: vars
+ run: echo "SHA_SHORT=$(echo $GITHUB_SHA | cut -c1-7)" >> $GITHUB_ENV
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ load: ${{ github.event_name == 'pull_request' }}
+ tags: "ghcr.io/${{ env.IMAGE_NAME }}:${{ env.SHA_SHORT }}"
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ - name: Authenticate to Docker
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_READONLY_TOKEN }}
+ - name: Docker Scout
+ id: docker-scout
+ uses: docker/scout-action@v1
+ with:
+ command: compare
+ image: "gatewaydio/gatewayd:latest"
+ to: "ghcr.io/${{ env.IMAGE_NAME }}:${{ env.SHA_SHORT }}"
+ ignore-unchanged: true
+ only-severities: critical,high
+ github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/Dockerfile b/Dockerfile
index b141c50a..0cefd282 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,7 @@ ARG TARGETPLATFORM
 WORKDIR /gatewayd
 COPY . /gatewayd
-RUN apk --no-cache add git=2.45.1-r0 make=4.4.1-r2 && \
+RUN apk --no-cache add git=2.45.2-r0 make=4.4.1-r2 && \
 mkdir -p dist && \
 make build-platform GOOS=${TARGETOS} GOARCH=${TARGETARCH} OUTPUT_DIR=dist/${TARGETOS}-${TARGETARCH}
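Review bot: The `Set short SHA` step derives the image tag from `$GITHUB_SHA`, but on a `pull_request` event that is the synthetic merge commit, not the head SHA that the checkout step pinned via `ref: ${{ env.SHA }}`, so the `SHA_SHORT` tag does not identify the code that was actually built and compared; derive it from the workflow-level variable instead, `run: echo "SHA_SHORT=${SHA::7}" >> "$GITHUB_ENV"`. The Docker Scout step as written only reports: it posts the critical/high comparison as a PR comment but never fails the check (docker/scout-action exposes an `exit-code` input for that, if I read its README correctly), so a comment such as `# Informational only: new CVEs are commented on the PR, the job does not fail` above the step would keep reviewers from reading a green check as "no new vulnerabilities". All third-party actions are pinned to mutable major tags (`@v4`, `@v3`, `@v5`, `@v1`); pinning to full commit SHAs would close the supply-chain gap a vulnerability-comparison workflow is meant to narrow. Finally, `Build and push Docker image` never sets `push:` and only loads the image locally, so naming it `Build Docker image` would avoid suggesting a registry write happens on every PR.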