add python 3.11 build + app user + trivy scan

Author: Renizmy

.circleci/config.yml

@@ -3,6 +3,8 @@ version: 2.1
 orbs:
   slack: circleci/[email protected]
   ms-teams: cloudradar-monitoring/[email protected]
+env:
+  BASE_REPO: opencti
 jobs:
   ensure_formatting:
     docker:
@@ -48,27 +50,76 @@ jobs:
       - ms-teams/report:
           only_on_fail: true
           webhook_url: $MS_TEAMS_WEBHOOK_URL
-  build-container:
+  build-container-python-3-11:
     docker:
       - image: cimg/base:stable-20.04
     steps:
       - checkout
       - setup_remote_docker
       - run:
-          name: Build opencti/python-client
+          name: Build opencti/python-client-container
           command: |
             docker run --privileged --rm tonistiigi/binfmt --install all
             CIRCLE_TAG=${CIRCLE_TAG:-nightly}
             echo "CIRCLE_TAG=${CIRCLE_TAG}"
-            BASE_REPO="opencti"
             echo "$DOCKERHUB_PASS" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin
             docker buildx create --platform linux/amd64,linux/arm64 --use --name mybuilder || true
             docker buildx inspect mybuilder --bootstrap            
             docker buildx build . \
               --platform linux/amd64,linux/arm64 \
-              -t $BASE_REPO/client-python:${CIRCLE_TAG} \
-              -t $BASE_REPO/client-python:latest \
-              --push
+              -t ${{ env.BASE_REPO }}/client-python-3-11:${CIRCLE_TAG} \
+              -t ${{ env.BASE_REPO }}client-python-3-11:latest \
+              --build-arg BASE_IMAGE="python:3.11-alpine3.20" \
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ env.BASE_REPO }}/client-python-3-11:latest
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - run:
+          name: Push image to regsitry
+          command: docker push ${{ env.BASE_REPO }}/client-python-3-11:latest --all-tags
+
+  build-container-python-3-12:
+    docker:
+      - image: cimg/base:stable-20.04
+    steps:
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build opencti/python-client
+          command: |
+            docker run --privileged --rm tonistiigi/binfmt --install all
+            CIRCLE_TAG=${CIRCLE_TAG:-nightly}
+            echo "CIRCLE_TAG=${CIRCLE_TAG}"
+            echo "$DOCKERHUB_PASS" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin
+            docker buildx create --platform linux/amd64,linux/arm64 --use --name mybuilder || true
+            docker buildx inspect mybuilder --bootstrap
+            docker buildx build . \
+              --platform linux/amd64,linux/arm64 \
+              -t ${{ env.BASE_REPO }}/client-python-3-12:${CIRCLE_TAG} \
+              -t ${{ env.BASE_REPO }}/client-python-3-12:latest \
+              --build-arg BASE_IMAGE="python:3.12-alpine3.20" \
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ env.BASE_REPO }}/client-python-3-11:latest
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - run:
+          name: Push image to regsitry
+          command: docker push ${{ env.BASE_REPO }}/client-python-3-12:latest --all-tags
+
   build-library:
     working_directory: ~/opencti-client
     docker:

Dockerfile

@@ -7,4 +7,7 @@ COPY ./requirements.txt /opt/requirements.txt
 
 RUN apk --no-cache add git build-base libmagic libffi-dev && \
     pip3 install --no-cache-dir -r /opt/requirements.txt && \
-    apk del git build-base && rm /opt/requirements.txt
+    apk del git build-base && rm /opt/requirements.txt
+
+RUN adduser -D -g '' app
+USER app