From fd2a5d89aa531a7857bca910b462d412856bd120 Mon Sep 17 00:00:00 2001
From: sinadarbouy
Date: Thu, 6 Jun 2024 15:56:51 +0200
Subject: [PATCH 1/3] added github action for Docker Scout compare added Docker Scout step set correct secrets for DOCKERHUB
---
.../workflows/vulnerability-comparison.yaml | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 .github/workflows/vulnerability-comparison.yaml
diff --git a/.github/workflows/vulnerability-comparison.yaml b/.github/workflows/vulnerability-comparison.yaml
new file mode 100644
index 00000000..974145f9
--- /dev/null
+++ b/.github/workflows/vulnerability-comparison.yaml
@@ -0,0 +1,49 @@
+name: Vulnerability Comparison
+
+on:
+ pull_request:
+ branches: ["**"]
+
+env:
+ # Image repository, without hostname and tag
+ IMAGE_NAME: ${{ github.repository }}
+ SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
+
+jobs:
+ vulnerability-comparison:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ env.SHA }}
+ - name: Set short SHA
+ id: vars
+ run: echo "SHA_SHORT=$(echo $GITHUB_SHA | cut -c1-7)" >> $GITHUB_ENV
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ load: ${{ github.event_name == 'pull_request' }}
+ tags: "ghcr.io/${{ env.IMAGE_NAME }}:${{ env.SHA_SHORT }}"
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ - name: Authenticate to Docker
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Docker Scout
+ id: docker-scout
+ uses: docker/scout-action@v1
+ with:
+ command: compare
+ image: "gatewaydio/gatewayd:latest"
+ to: "ghcr.io/${{ env.IMAGE_NAME }}:${{ env.SHA_SHORT }}"
+ ignore-unchanged: true
+ only-severities: critical,high
+ github-token: ${{ secrets.GITHUB_TOKEN }}
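Review bot: The image tag is derived from `$GITHUB_SHA` in the "Set short SHA" step, which on a `pull_request` event is the synthetic merge commit, while the checkout step uses `env.SHA` (the PR head), so the tag does not identify the code that was actually built; `run: echo "SHA_SHORT=${SHA:0:7}" >> "$GITHUB_ENV"` would keep the two consistent. Because the trigger accepts pull requests from any branch, a PR opened from a fork runs without `secrets.DOCKERHUB_USERNAME` / `secrets.DOCKERHUB_TOKEN`, and the "Authenticate to Docker" step will presumably fail on empty credentials; gating that step and the Scout step with `if: github.event.pull_request.head.repo.full_name == github.repository` (or marking them `continue-on-error: true`) avoids a red check unrelated to the change under review. The four third-party actions are pinned only to floating major tags; pinning each to a full commit SHA with the version in a trailing comment (`uses: docker/scout-action@<commit-sha>  # v1`) makes the job's supply chain reproducible and is the usual hardening for a workflow that handles registry credentials. Since `load` is set and `push` is not, the `ghcr.io/...` tag exists only on the runner and is never published, which is worth stating in a comment on the build step given its "Build and push" name.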
From 170435ff8c0a773893229be595a942cc213e0313 Mon Sep 17 00:00:00 2001
From: sinadarbouy
Date: Thu, 6 Jun 2024 18:35:52 +0200
Subject: [PATCH 2/3] upgrade git version --(2.45.1-r0) is not available in the Alpine repositories, and a newer version (2.45.2-r0) is available instead
---
Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index b141c50a..0cefd282 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,7 @@ ARG TARGETPLATFORM
 WORKDIR /gatewayd
 COPY . /gatewayd
-RUN apk --no-cache add git=2.45.1-r0 make=4.4.1-r2 && \
+RUN apk --no-cache add git=2.45.2-r0 make=4.4.1-r2 && \
 mkdir -p dist && \
 make build-platform GOOS=${TARGETOS} GOARCH=${TARGETARCH} OUTPUT_DIR=dist/${TARGETOS}-${TARGETARCH}
From 9153196128f32c4af90489a20f9c2bd9c5c85cbb Mon Sep 17 00:00:00 2001
From: sinadarbouy
Date: Sat, 8 Jun 2024 16:43:29 +0200
Subject: [PATCH 3/3] changed dockerhub secrets to readonly
---
.github/workflows/vulnerability-comparison.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/vulnerability-comparison.yaml b/.github/workflows/vulnerability-comparison.yaml
index 974145f9..621a6f2f 100644
--- a/.github/workflows/vulnerability-comparison.yaml
+++ b/.github/workflows/vulnerability-comparison.yaml
@@ -35,8 +35,8 @@ jobs:
 - name: Authenticate to Docker
 uses: docker/login-action@v3
 with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
+ username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_READONLY_TOKEN }}
 - name: Docker Scout
 id: docker-scout
 uses: docker/scout-action@v1