ci: migrate from Trivy security scanner to Docker Scout (#125)

Djaytan · web-flow · commit 8e617bdefd85 · 2025-05-10T00:51:45.000+02:00
See https://docs.docker.com/scout/integrations/ci/gha/
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,7 +16,6 @@ on:
 
 permissions: { }
 
-# TODO: Migrate from Trivy to Docker Scout: https://github.com/docker/scout-action
 jobs:
   build-and-test:
     name: Build & Test
@@ -25,6 +24,7 @@ jobs:
 
     permissions:
       contents: read
+      pull-requests: write # Required to write comments to the PR about security scans results
       security-events: write # Required to upload found security gaps
 
     steps:
@@ -36,7 +36,6 @@ jobs:
       # -> "*.alpinelinux.org": Standard interactions with Alpine Linux package repositories
       # -> "cdn.fwupd.org": Firmware updates (Alpine)
       # -> "api.papermc.io": Dynamic retrieval of the PaperMC server
-      # -> "mirror.gcr.io": Downloading of the Trivy security scanner
       # -> "piston-data.mojang.com": Downloading of the Mojang server
       # -> "api.minecraftservices.com": Downloading Yggdrasil public key for Reobfuscation
       - name: Harden runner
@@ -50,10 +49,9 @@ jobs:
             objects.githubusercontent.com:443
             raw.githubusercontent.com:443
             *.docker.io:443
-            production.cloudflare.docker.com:443
+            *.docker.com:443
             dl-cdn.alpinelinux.org:443
             cdn.fwupd.org:443
-            mirror.gcr.io:443
             api.papermc.io:443
             piston-data.mojang.com:443
             api.minecraftservices.com:443
@@ -77,21 +75,23 @@ jobs:
         with:
           source: .
           workdir: src/main/docker/
-          targets: dev
-          load: true # Export to Docker - Required for tests in later steps
+          targets: test
+          load: true # Export to Docker - Required for later steps
           set: |
             *.cache-from=type=gha,timeout=20s
             *.cache-to=type=gha,mode=max,timeout=20s
 
       - name: Test
         run: src/test/docker/test.sh
 
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
+      - name: Docker Scout
+        uses: docker/scout-action@381b657c498a4d287752e7f2cfb2b41823f566d9 # v1.17.1
         with:
-          image-ref: 'djaytan/papermc-server:dev'
-          format: sarif
-          output: results.sarif
+          command: compare, cves
+          image: 'djaytan/papermc-server:test'
+          to-latest: true
+          organization: djaytan
+          sarif-file: results.sarif
 
       - name: Upload to GitHub's code scanning dashboard
         uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
@@ -103,7 +103,7 @@ jobs:
           # because 1 configuration present on refs/heads/main was not found".
           # The warning occurs when different workflows use different categories for SARIF files on the same branch.
           #
-          # Using a single, consistent category (e.g., 'trivy') ensures all uploads are correctly associated.
+          # Using a single, consistent category (e.g., 'global') ensures all uploads are correctly associated.
           #
           # Additional details: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit
-          category: trivy
+          category: global
diff --git a/README.md b/README.md
@@ -51,7 +51,7 @@ $ docker run -d -it \
 * ☕ **JRE 21**, based on [Eclipse Temurin](https://hub.docker.com/_/eclipse-temurin)
   * Custom-built using `jlink` to minimize size
   * Includes all standard Java modules to ensure broad compatibility with plugins
-* 🛡️ **Frequent security scans**: By relying on [Trivy](https://trivy.dev/latest/) and [Docker Scout](https://docs.docker.com/scout/)
+* 🛡️ **Frequent security scans**: By relying on [Docker Scout](https://docs.docker.com/scout/)
 * 🔄 **Scheduled auto-updates**: Bi-monthly rebuilds to incorporate upstream security patches and PaperMC updates
 
 ## 🛠️ Planned Features
diff --git a/src/main/docker/docker-bake.hcl b/src/main/docker/docker-bake.hcl
@@ -1,3 +1,41 @@
+########################################
+#    Multi-target Docker image build   #
+########################################
+
+# This file defines multiple build targets using Docker Bake,
+# allowing for fine-grained control over how images are built,
+# tagged, and promoted across environments (dev, test, release, etc.).
+
+# ─────────────────────────────────────
+# 🏗️ Image Targets
+# ─────────────────────────────────────
+# dev:
+#   Lightweight image for development and local testing.
+#   Uses a single architecture and avoids production overhead.
+
+# test:
+#   Image used for automated testing pipelines.
+#   Always pulls latest base layers to validate rebuild reliability.
+
+# release:
+#   Final production image, tagged for distribution.
+#   Uses full multi-arch build, add annotations, disables cache, and
+#   assigns versioned + semantic tags (e.g., latest, major, minor,
+#   timestamp).
+
+# ─────────────────────────────────────
+# 💡 Usage Notes
+# ─────────────────────────────────────
+# - Use `dev` when iterating locally.
+# - Use `test` in CI pipelines to verify integrity.
+# - Use `release` only in actual publishing pipelines.
+
+# Build with:
+#   docker buildx bake <target>
+#
+# Example:
+#   docker buildx bake dev
+
 # ========== VARIABLES ========== #
 
 # General properties
@@ -55,33 +93,32 @@ function "date" {
 
 # ========== TARGETS ========== #
 
-target "dev" {
-  description = "Builds the image for development purposes."
+target "_common" {
+  description = "Base configuration inherited by all other targets."
   args = {
     MINECRAFT_VERSION = "${MINECRAFT_VERSION}"
   }
-  tags = [
-    tag("dev")
-  ]
+}
+
+target "dev" {
+  inherits = ["_common"]
+  description = "Builds a lightweight image for development and local testing."
+  tags = [ tag("dev") ]
+}
+
+target "test" {
+  inherits = ["_common"]
+  description = "Builds a test image with fresh base layers (always pulls upstream images)."
+  pull = true
+  tags = [ tag("test") ]
 }
 
 target "release" {
-  description = "Builds the image for production purposes."
-  args = {
-    MINECRAFT_VERSION = "${MINECRAFT_VERSION}"
-  }
+  inherits = ["_common"]
+  description = "Builds and tags the production image for publishing."
   platforms = ["linux/amd64", "linux/arm64"]
   pull = true
   no-cache = true
-  # Docker tag format: <mc-version>-v<image-version>-<timestamp-YYYYMMDD>
-  tags = [
-    equal(IS_LATEST_RELEASE, true) ? tag("latest") : "",
-    equal(IS_LATEST_RELEASE, true) ? tag("${MINECRAFT_VERSION}") : "",
-    tag("${MINECRAFT_VERSION}-v${IMAGE_VERSION}"),
-    tag("${MINECRAFT_VERSION}-v${IMAGE_VERSION}-${date()}"),
-    tag("${MINECRAFT_VERSION}-v${extractMajorMinorFromSemVer(IMAGE_VERSION)}"),
-    tag("${MINECRAFT_VERSION}-v${extractMajorFromSemVer(IMAGE_VERSION)}")
-  ]
   annotations = [
     annotation("org.opencontainers.image.title", "PaperMC Server"),
     annotation("org.opencontainers.image.description", "Dockerized and fine-grained customizable PaperMC server."),
@@ -96,12 +133,15 @@ target "release" {
     notequal(REVISION, "") ? annotation("org.opencontainers.image.revision", REVISION) : ""
   ]
   attest = [
-    {
-      type = "provenance",
-      mode = "max",
-    },
-    {
-      type = "sbom",
-    }
+    { type = "provenance", mode = "max", },
+    { type = "sbom", }
+  ]
+  tags = [
+    equal(IS_LATEST_RELEASE, true) ? tag("latest") : "",
+    equal(IS_LATEST_RELEASE, true) ? tag("${MINECRAFT_VERSION}") : "",
+    tag("${MINECRAFT_VERSION}-v${IMAGE_VERSION}"),
+    tag("${MINECRAFT_VERSION}-v${IMAGE_VERSION}-${date()}"),
+    tag("${MINECRAFT_VERSION}-v${extractMajorMinorFromSemVer(IMAGE_VERSION)}"),
+    tag("${MINECRAFT_VERSION}-v${extractMajorFromSemVer(IMAGE_VERSION)}")
   ]
 }
diff --git a/src/test/docker/test.sh b/src/test/docker/test.sh
@@ -19,7 +19,7 @@ docker run --rm -d --name "$CONTAINER_NAME" \
   --memory=8GB \
   -p 25565:25565 \
   -e EULA=true \
-  'djaytan/papermc-server:dev'
+  'djaytan/papermc-server:test'
 
 cleanup() {
     echo '🛑 Automatically stopping and removing the PaperMC server container...'
