ci: container-scan (#257)

yxtay · web-flow · commit 8a6cef5cb2c6 · 2025-05-09T09:56:04.000Z
* ci: container-scan

* Update scans.yml

* Update compose.yaml

* Update Dockerfile
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -71,40 +71,15 @@ jobs:
       GHCR_IMAGE_NAME: ghcr.io/${{ github.repository }}
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          sparse-checkout: |
-            Dockerfile
-            uv.lock
-
-      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
-        with:
-          path: |
-            var-cache-apt
-            var-lib-apt
-            root-cache-uv
-          key: buildkit-mounts-${{ runner.os }}-${{ hashFiles('**/Dockerfile', '**/*.lock') }}
-          restore-keys: |
-            buildkit-mounts-${{ runner.os }}
-
-      - uses: reproducible-containers/buildkit-cache-dance@653a570f730e3b9460adc576db523788ba59a0d7 # v3
-        with:
-          cache-map: |
-            {
-              "var-cache-apt": "/var/cache/apt",
-              "var-lib-apt": "/var/lib/apt",
-              "root-cache-uv": "/root/.cache/uv"
-            }
+      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
 
       - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 
       - id: build-ci
         uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
         with:
           target: ${{ env.ENVIRONMENT }}
-          cache-from: |
-            ${{ env.GHCR_IMAGE_NAME }}:dev
-            ${{ env.GHCR_IMAGE_NAME }}:cache
+          cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
           load: true
         env:
           ENVIRONMENT: ci
@@ -133,9 +108,7 @@ jobs:
         uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
         with:
           target: ${{ env.ENVIRONMENT }}
-          cache-from: |
-            ${{ env.GHCR_IMAGE_NAME }}:dev
-            ${{ env.GHCR_IMAGE_NAME }}:cache
+          cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
           cache-to: type=inline
           tags: ${{ env.GHCR_IMAGE_NAME }}:dev
           push: ${{ github.event_name == 'push' || github.ref_name == github.event.repository.default_branch }}
@@ -145,9 +118,7 @@ jobs:
       - if: ${{ github.event_name == 'push' || github.ref_name == github.event.repository.default_branch }}
         uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
         with:
-          cache-from: |
-            ${{ env.GHCR_IMAGE_NAME }}:dev
-            ${{ env.GHCR_IMAGE_NAME }}:cache
+          cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
           cache-to: type=registry,ref=${{ env.GHCR_IMAGE_NAME }}:cache,mode=max
           tags: ${{ steps.docker_metadata.outputs.tags }}
           labels: ${{ steps.docker_metadata.outputs.labels }}
diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
@@ -99,6 +99,37 @@ jobs:
         with:
           sarif_file: ${{ steps.grype.outputs.sarif }}
 
+  grype-container:
+    permissions:
+      contents: read
+      security-events: write
+
+    runs-on: ubuntu-latest
+    env:
+      GHCR_IMAGE_NAME: ghcr.io/${{ github.repository }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - id: build
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
+        with:
+          cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
+          load: true
+
+      - id: grype
+        uses: anchore/scan-action@2c901ab7378897c01b8efaa2d0c9bf519cc64b9e # v6
+        with:
+          image: ${{ env.IMAGE_ID }}
+          severity-cutoff: high
+          only-fixed: true
+        env:
+          IMAGE_ID: ${{ steps.build.outputs.imageid }}
+
+      - if: ${{ success() || failure() }}
+        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3
+        with:
+          sarif_file: ${{ steps.grype.outputs.sarif }}
+
   kics:
     permissions:
       checks: write
@@ -277,6 +308,39 @@ jobs:
         with:
           sarif_file: trivy-results.sarif
 
+  trivy-container:
+    permissions:
+      contents: write
+      security-events: write
+
+    runs-on: ubuntu-latest
+    env:
+      GHCR_IMAGE_NAME: ghcr.io/${{ github.repository }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - id: build
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
+        with:
+          cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
+          load: true
+
+      - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30
+        with:
+          image-ref: ${{ env.IMAGE_ID}}
+          exit-code: 1
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
+          format: sarif
+          output: trivy-results.sarif
+        env:
+          IMAGE_ID: ${{ steps.build.outputs.imageid }}
+
+      - if: ${{ success() || failure() }}
+        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3
+        with:
+          sarif_file: trivy-results.sarif
+
   trufflehog:
     permissions:
       contents: read
diff --git a/Dockerfile b/Dockerfile
@@ -13,6 +13,7 @@ RUN useradd --create-home --shell /bin/false --uid ${UID} ${USER}
 
 # set up environment
 ARG APP_HOME=/work/app
+ARG DEBIAN_FRONTEND=noninteractive
 ARG VIRTUAL_ENV=${APP_HOME}/.venv
 ENV PATH=${VIRTUAL_ENV}/bin:${PATH} \
     PYTHONFAULTHANDLER=1 \
@@ -22,12 +23,6 @@ ENV PATH=${VIRTUAL_ENV}/bin:${PATH} \
 
 WORKDIR ${APP_HOME}
 
-##
-# dev
-##
-FROM base AS dev
-
-ARG DEBIAN_FRONTEND=noninteractive
 COPY <<-EOF /etc/apt/apt.conf.d/99-disable-recommends
 APT::Install-Recommends "false";
 APT::Install-Suggests "false";
@@ -36,9 +31,17 @@ APT::AutoRemove::SuggestsImportant "false";
 EOF
 
 RUN apt-get update && \
-    apt-get install --yes --no-install-recommends \
-        build-essential \
-        curl \
+    apt-get upgrade --yes && \
+    apt-get install --yes --no-install-recommends curl \
+    && rm -rf /var/lib/apt/lists/*
+
+##
+# dev
+##
+FROM base AS dev
+
+RUN apt-get update && \
+    apt-get install --yes --no-install-recommends build-essential \
     && rm -rf /var/lib/apt/lists/*
 
 ARG PYTHONDONTWRITEBYTECODE=1
diff --git a/compose.yaml b/compose.yaml
@@ -1,3 +1,4 @@
+# kics-scan disable=451d79dc-0588-476a-ad03-3c7f0320abb3,698ed579-b239-4f8f-a388-baa4bcb13ef8
 services:
   app_dev:
     image: ghcr.io/yxtay/python-example-app:dev

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+# kics-scan disable=451d79dc-0588-476a-ad03-3c7f0320abb3,698ed579-b239-4f8f-a388-baa4bcb13ef8`
`1`	`2`	`services:`
`2`	`3`	`app_dev:`
`3`	`4`	`image: ghcr.io/yxtay/python-example-app:dev`