feat(security): skip stopped containers by default in scan task

Author: nzxl101

.github/renovate.json

@@ -1,27 +1,17 @@
 {
     "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-    "extends": [
-        "config:recommended",
-        "docker:pinDigests",
-        "group:allNonMajor",
-        "group:allDigest"
-    ],
+    "extends": ["config:recommended", "docker:pinDigests"],
+    "ignorePaths": ["**/compose.yml"],
     "customManagers": [
         {
             "customType": "regex",
-            "managerFilePatterns": [
-                "/(^|/)Dockerfile$/"
-            ],
-            "matchStrings": [
-                "# renovate: datasource=(?<datasource>.*?) lookupName=(?<packageName>.*?)(?: versioning=(?<versioning>.*?))?\\s+ARG\\s+(?<depName>.*?)_VERSION=(?<currentValue>.*)\\s"
-            ]
+            "managerFilePatterns": ["(^|/)Dockerfile$"],
+            "matchStrings": ["# renovate: datasource=(?<datasource>.*?) lookupName=(?<packageName>.*?)(?: versioning=(?<versioning>.*?))?\\s+ARG\\s+(?<depName>.*?)_VERSION=(?<currentValue>.*)\\s"]
         }
     ],
     "packageRules": [
         {
-            "matchUpdateTypes": [
-                "major"
-            ],
+            "matchUpdateTypes": ["major"],
             "minimumReleaseAge": "30 days"
         }
     ]

docker/Dockerfile

@@ -14,11 +14,13 @@ ARG COMMIT_MSG=unknown
 ENV ATTACHED_DEVICES_PERMS="/var/run/docker.sock"
 
 # Add yq for YAML processing
+# renovate: datasource=github-releases lookupName=mikefarah/yq
 ARG YQ_VERSION=v4.52.4
 RUN curl -sSf -L -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${TARGETARCH}" \
     && chmod +x /usr/local/bin/yq
 
 # Add regctl for container digest checks
+# renovate: datasource=github-releases lookupName=regclient/regclient
 ARG REGCTL_VERSION=v0.11.2
 RUN curl -sSf -L -o /usr/local/bin/regctl "https://github.com/regclient/regclient/releases/download/${REGCTL_VERSION}/regctl-linux-${TARGETARCH}" \
     && chmod +x /usr/local/bin/regctl
@@ -30,6 +32,7 @@ COPY --from=aquasec/trivy:0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c
 RUN curl -sSfL https://get.anchore.io/grype | sh -s -- -b /usr/local/bin
 
 # Add snyk for container vulnerability scanning
+# renovate: datasource=github-releases lookupName=snyk/cli
 ARG SNYK_VERSION=v1.1303.2
 RUN SNYK_BINARY=$( [ "$TARGETARCH" = "amd64" ] && echo "snyk-alpine" || echo "snyk-alpine-arm64" ) && \
     curl -sSf -L -o /usr/local/bin/snyk "https://github.com/snyk/cli/releases/download/${SNYK_VERSION}/${SNYK_BINARY}" && \

docker/compose.yml

@@ -36,7 +36,7 @@ services:
     volumes:
       - ./nginx.conf:/config/nginx/site-confs/default.conf:ro
     restart: unless-stopped
-    image: lscr.io/linuxserver/nginx:1.28.2@sha256:83e770521fa9370ae98f2e24029d235482b70858002515bdc56f7fad33ab6ae9
+    image: ghcr.io/linuxserver/nginx:1.28.2
 
 networks:
   isolated_nw:

root/app/www/public/ajax/settings.php

@@ -331,6 +331,13 @@
                         </td>
                         <td class="bg-secondary">How long to store past scan files (min 2 days)</td>
                     </tr>
+                    <tr class="border border-dark border-top-0 border-start-0 border-end-0">
+                        <td class="bg-secondary" scope="row">Skip stopped containers</td>
+                        <td class="bg-secondary">
+                            <input class="form-check-input" type="checkbox" id="globalSetting-securitySkipStopped" <?= $settingsTable['securitySkipStopped'] ? 'checked' : '' ?>>
+                        </td>
+                        <td class="bg-secondary">Do not automatically scan containers that are currently inactive</td>
+                    </tr>
                 </tbody>
             </table>
         </div>

root/app/www/public/crons/security.php

@@ -44,7 +44,9 @@
     $nameHash = md5($container['name']);
     $hash     = substr(preg_replace('/sha256\:/', '', $docker->getImageHash($container['image'])), 0, 4);
 
-    if (in_array($hash, $imagesScanned)) {
+    if (in_array($hash, $imagesScanned) || !str_contains($container['status'], 'running') && $settingsTable['securitySkipStopped']) {
+        logger(CRON_SECURITY_LOG, ' skipped image ' . $container['image']);
+        echo date(format: 'c') . ' skipped image ' . $container['image'] . "\n";
         continue;
     }
     $imagesScanned[] = $hash;

root/app/www/public/migrations/021_security_skip_containers.php

@@ -0,0 +1,38 @@
+<?php
+/*
+----------------------------------
+ ------  Created: 032926   ------
+ ------  nzxl	           ------
+----------------------------------
+*/
+
+$q = [];
+
+//-- ADD SKIP CONTAINER OPTION AND DELETE OLD TRIVY STUFF
+$q[] = "INSERT INTO " . SETTINGS_TABLE . "
+        (`name`, `value`)
+        VALUES
+        ('securitySkipStopped', '1')";
+$q[] = "DELETE FROM " . SETTINGS_TABLE . "
+        WHERE name = 'trivyEnabled'";
+$q[] = "DELETE FROM " . SETTINGS_TABLE . "
+        WHERE name = 'trivyScanHour'";
+$q[] = "DELETE FROM " . SETTINGS_TABLE . "
+        WHERE name = 'trivyScanLength'";
+
+//-- ALWAYS NEED TO BUMP THE MIGRATION ID
+$q[] = "UPDATE " . SETTINGS_TABLE . "
+        SET value = '021'
+        WHERE name = 'migration'";
+
+foreach ($q as $query) {
+    logger(MIGRATION_LOG, '<span class="text-success">[Q]</span> ' . preg_replace('!\s+!', ' ', $query));
+
+    $database->query($query);
+
+    if ($database->error() != 'not an error') {
+        logger(MIGRATION_LOG, '<span class="text-info">[R]</span> ' . $database->error(), 'error');
+    } else {
+        logger(MIGRATION_LOG, '<span class="text-info">[R]</span> query applied!');
+    }
+}