diff --git a/.github/actions/ubuntu16-build-action/Dockerfile b/.github/actions/ubuntu16-build-action/Dockerfile
deleted file mode 100644
index c43e2c564..000000000
--- a/.github/actions/ubuntu16-build-action/Dockerfile
+++ /dev/null
@@ -1,21 +0,0 @@
-FROM ubuntu:16.04
-
-# Uncomment deb-src lines for all enabled repos. First part of single-quoted
-# string (up the the !) is the pattern of the lines that will be ignored.
-# Needed for apt-get build-dep call later in script
-RUN sed -Ei '/.*partner/! s/^# (deb-src .*)/\1/g' /etc/apt/sources.list
-
-ARG DEBIAN_FRONTEND=noninteractive
-RUN apt-get update
-RUN apt-get install -y build-essential
-
-# PHP dependencies
-RUN apt-get build-dep -y php7.0
-RUN apt-get install -y libmysqlclient-dev php-dev libmcrypt-dev libphp7.0-embed
-
-# Other tools
-RUN apt-get install -y curl gdb valgrind libcurl4-openssl-dev pkg-config postgresql python-psycopg2 libpq-dev libedit-dev libreadline-dev git
-
-COPY build.sh /build.sh
-
-ENTRYPOINT ["/build.sh"]
diff --git a/.github/actions/ubuntu16-build-action/action.yml b/.github/actions/ubuntu16-build-action/action.yml
deleted file mode 100644
index 2a01f96da..000000000
--- a/.github/actions/ubuntu16-build-action/action.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-name: ubuntu16-build-action
-description: 'Build the agent on ubuntu 16'
-runs:
- using: 'docker'
- image: 'Dockerfile'
diff --git a/.github/actions/ubuntu16-build-action/build.sh b/.github/actions/ubuntu16-build-action/build.sh
deleted file mode 100755
index 079de1ba1..000000000
--- a/.github/actions/ubuntu16-build-action/build.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-make -j $(nproc) all
-make -j $(nproc) run_tests
-
diff --git a/.github/actions/ubuntu18-build-action/Dockerfile b/.github/actions/ubuntu18-build-action/Dockerfile
deleted file mode 100644
index b9bb190db..000000000
--- a/.github/actions/ubuntu18-build-action/Dockerfile
+++ /dev/null
@@ -1,21 +0,0 @@
-FROM ubuntu:18.04
-
-# Uncomment deb-src lines for all enabled repos. First part of single-quoted
-# string (up the the !) is the pattern of the lines that will be ignored.
-# Needed for apt-get build-dep call later in script
-RUN sed -Ei '/.*partner/! s/^# (deb-src .*)/\1/g' /etc/apt/sources.list
-
-ARG DEBIAN_FRONTEND=noninteractive
-RUN apt-get update
-RUN apt-get install -y build-essential
-
-# PHP dependencies
-RUN apt-get build-dep -y php7.2
-RUN apt-get install -y libmysqlclient-dev php-dev libmcrypt-dev libphp7.2-embed
-
-# Other tools
-RUN apt-get install -y curl gdb valgrind libcurl4-openssl-dev pkg-config postgresql python-psycopg2 libpq-dev libedit-dev libreadline-dev git
-
-COPY build.sh /build.sh
-
-ENTRYPOINT ["/build.sh"]
diff --git a/.github/actions/ubuntu18-build-action/action.yml b/.github/actions/ubuntu18-build-action/action.yml
deleted file mode 100644
index 5b8fc28d6..000000000
--- a/.github/actions/ubuntu18-build-action/action.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-name: ubuntu18-build-action
-description: 'Build the agent on ubuntu 18'
-runs:
- using: 'docker'
- image: 'Dockerfile'
diff --git a/.github/actions/ubuntu18-build-action/build.sh b/.github/actions/ubuntu18-build-action/build.sh
deleted file mode 100755
index 079de1ba1..000000000
--- a/.github/actions/ubuntu18-build-action/build.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-make -j $(nproc) all
-make -j $(nproc) run_tests
-
diff --git a/.github/actions/ubuntu20-build-action/Dockerfile b/.github/actions/ubuntu20-build-action/Dockerfile
deleted file mode 100644
index bbd6fe406..000000000
--- a/.github/actions/ubuntu20-build-action/Dockerfile
+++ /dev/null
@@ -1,21 +0,0 @@
-FROM ubuntu:20.04
-
-# Uncomment deb-src lines for all enabled repos. First part of single-quoted
-# string (up the the !) is the pattern of the lines that will be ignored.
-# Needed for apt-get build-dep call later in script
-RUN sed -Ei '/.*partner/! s/^# (deb-src .*)/\1/g' /etc/apt/sources.list
-
-ARG DEBIAN_FRONTEND=noninteractive
-RUN apt-get update
-RUN apt-get install -y build-essential
-
-# PHP dependencies
-RUN apt-get build-dep -y php7.4
-RUN apt-get install -y libmysqlclient-dev php-dev libmcrypt-dev libphp7.4-embed
-
-# Other tools
-RUN apt-get install -y curl gdb valgrind libcurl4-openssl-dev pkg-config postgresql libpq-dev libedit-dev libreadline-dev git
-
-COPY build.sh /build.sh
-
-ENTRYPOINT ["/build.sh"]
diff --git a/.github/actions/ubuntu20-build-action/action.yml b/.github/actions/ubuntu20-build-action/action.yml
deleted file mode 100644
index d42d71cf9..000000000
--- a/.github/actions/ubuntu20-build-action/action.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-name: ubuntu20-build-action
-description: 'Build the agent on ubuntu 20'
-runs:
- using: 'docker'
- image: 'Dockerfile'
diff --git a/.github/actions/ubuntu20-build-action/build.sh b/.github/actions/ubuntu20-build-action/build.sh
deleted file mode 100755
index 079de1ba1..000000000
--- a/.github/actions/ubuntu20-build-action/build.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-make -j $(nproc) all
-make -j $(nproc) run_tests
-
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
new file mode 100644
index 000000000..98e8039ba
--- /dev/null
+++ b/.github/workflows/security-scan.yml
@@ -0,0 +1,48 @@
+name: Security scan
+on:
+ push:
+ branches:
+ - main
+ - dev
+ pull_request:
+ schedule:
+ - cron: '0 0 * * 0' # Every Sunday at 12:00 AM
+
+jobs:
+ trivy-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout newrelic-php-agent code
+ uses: actions/checkout@v4
+ with:
+ path: php-agent
+ - name: Run Trivy in table mode
+ # Table output is only useful when running on a pull request or push.
+ if: contains(fromJSON('["push", "pull_request"]'), github.event_name)
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: fs
+ scan-ref: ./php-agent
+ trivy-config: ./php-agent/trivy.yaml
+ trivyignores: ./php-agent/.trivyignore
+ format: table
+ exit-code: 1
+
+ - name: Run Trivy in report mode
+ # Only generate sarif when running nightly on the dev branch.
+ if: ${{ github.event_name == 'schedule' }}
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: fs
+ scan-ref: ./php-agent
+ trivy-config: ./php-agent/trivy.yaml
+ trivyignores: ./php-agent/.trivyignore
+ format: sarif
+ output: trivy-results.sarif
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ # Only upload sarif when running nightly on the dev branch.
+ if: ${{ github.event_name == 'schedule' }}
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: trivy-results.sarif
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 000000000..01a5782ee
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,2 @@
+# Ignore missing HEALTHCHECK in Dockerfile - devenv service from files/Dockerfile doesn't need it:
+AVD-DS-0026
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 315bedbfa..21044c7c7 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -80,7 +80,6 @@ services:
 dockerfile: files/Dockerfile
 args:
 PHP_VER: ${PHP:-8.3}
- user: ${UID}:${GID}
 environment:
 MEMCACHE_HOST: memcached
diff --git a/files/Dockerfile b/files/Dockerfile
index 2b327d439..3081cf1ab 100644
--- a/files/Dockerfile
+++ b/files/Dockerfile
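Review bot: The workflow declares no `permissions:` block, yet the final `github/codeql-action/upload-sarif@v3` step needs `security-events: write`, so the job either fails under a read-only default `GITHUB_TOKEN` or runs with whatever broad default the repository grants; add a top-level `permissions:` with `contents: read` and `security-events: write` so the token carries only what the job needs. Every `uses:` in the hunk (`actions/checkout@v4`, `aquasecurity/trivy-action@0.28.0` twice, `upload-sarif@v3`) is pinned to a mutable tag; for a workflow whose purpose is supply-chain scanning, pinning each action to its full commit SHA with the tag in a trailing comment is the expected hardening. The comments `# Only generate sarif when running nightly on the dev branch.` and `# Only upload sarif when running nightly on the dev branch.` do not match the trigger: the cron `0 0 * * 0` fires weekly, and a `schedule` event runs against the default branch rather than `dev`, so reword them to `# Only generate/upload sarif for the weekly scheduled scan (runs on the default branch).`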
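Review bot: `AVD-DS-0026` is suppressed repository-wide by this `.trivyignore`, while the comment justifies it only for the devenv image in `files/Dockerfile`; any other Dockerfile added later (or already present) also silently loses the missing-HEALTHCHECK finding. If that is acceptable, reword the comment to say so, e.g. `# AVD-DS-0026 (missing HEALTHCHECK) is suppressed for every Dockerfile in this repo; the devenv image from files/Dockerfile does not need one.`; if a path-scoped suppression is wanted, I believe the YAML form of the ignore file (`.trivyignore.yaml`) accepts a per-finding `paths` filter for misconfigurations, which would confine the exception to that one file.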
@@ -148,5 +148,10 @@ ENV PS1="New Relic > "
 RUN echo 'alias integ="/usr/src/myapp/bin/integration_runner -agent /usr/src/myapp/agent/.libs/newrelic.so"' >> ~/.bashrc \
 && echo 'alias rebuild="make -C agent clean && rm agent/Makefile && make && make tests"' >> ~/.bashrc
+ARG USER=developer
+ARG UID=501
+ARG GID=20
+RUN useradd --uid ${UID} --gid ${GID} --shell /bin/bash --create-home ${USER}
+USER ${USER}
 WORKDIR /usr/src/myapp
 CMD ["bash"]
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 000000000..e27bd8157
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,18 @@
+db:
+ repository:
+ - mirror.gcr.io/aquasec/trivy-db:2
+
+scan:
+ scanners:
+ - vuln
+ - misconfig
+ skip-dirs: vendor
+
+severities:
+ - CRITICAL
+ - HIGH
+ - MEDIUM
+ - LOW
+
+vulnerability:
+ ignore-unfixed: true
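Review bot: The `integ` and `rebuild` aliases written by the preceding context line `RUN echo … >> ~/.bashrc` land in root's `.bashrc`, but once `USER ${USER}` is in effect the shell started by `CMD ["bash"]` reads `/home/developer/.bashrc`, which `--create-home` populates from the skeleton files, so neither alias is available to the account that actually runs; move that `RUN` below `USER ${USER}` (or write to `/home/${USER}/.bashrc` after `useradd`) so the aliases follow the user switch. `useradd --gid ${GID}` requires the group to exist already, and with the default `GID=20` on a Debian-based base image (the `FROM` is outside this hunk) that is typically `dialout`, which grants device access the devenv user presumably does not need — consider `RUN groupadd --gid ${GID} ${USER} && useradd --uid ${UID} --gid ${GID} --shell /bin/bash --create-home ${USER}` or a dedicated GID. The companion docker-compose hunk drops `user: ${UID}:${GID}`, so the container now always runs as 501:20 regardless of the host user; on Linux hosts this can leave files created in the bind-mounted `/usr/src/myapp` owned by a foreign UID, so forwarding `UID`/`GID` through the compose `args:` block (`UID: ${UID:-501}`) would keep them overridable.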
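Review bot: `skip-dirs: vendor` excludes the vendored third-party code from both scanners, including `vuln`, which is where a dependency CVE in this repository is most likely to surface; that is harmless only if the lockfiles Trivy reads (e.g. `go.mod`, `composer.lock`) live outside `vendor`, and a comment such as `# vendor/ is excluded; dependency CVEs are reported from the lockfiles at the repo root` should state that assumption so it can be checked. `ignore-unfixed: true` is a risk-acceptance decision that hides every finding without an upstream fix, including CRITICAL ones, from both the PR gate and the scheduled SARIF report; record it with `# ignore-unfixed hides CVEs that have no upstream fix yet; revisit periodically` so the gap is visible to whoever reads the Security tab. The `db.repository` entry points at the GCR mirror rather than Trivy's default registry, presumably to avoid pull rate limits in CI; a one-line why-comment there would save the next maintainer from "fixing" it back.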