forked from shaarli/Shaarli
WIP: run trivy security scans on release docker image/composer dependencies #15
Closed
Conversation
This commit doesn't yet enforce the new requirement since the previous version will continue to work for a short while.
…e version number detection - ref. shaarli#1961
doc: update release procedure (merge the latest release to the release branch) + use the release branch for latest release version detection
- ref. https://docs.docker.com/engine/reference/commandline/buildx_build/#platform - ref. https://docs.docker.com/build/ci/github-actions/multi-platform/ - replaces shaarli#1496 - make docker image name configurable through CI variables for easier testing
github actions: build OCI images that contain both amd64 and armv7
Drop support for PHP 7.1, 7.2 and 7.3
- run trivy from makefile so that it can be run both locally and through github actions - usage: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=regist.ry/user/image:tag - tested by downgrading the base image to alpine 3.15.7 and verifying that vulnerabilities are reported (https://github.com/nodiscc/Shaarli/actions/runs/4860040980/jobs/8663400103) - TEMP/TESTING only push image to ghcr.io, run trivy on trivy branch/docker tag as well as master - ref. shaarli#1531
Hi, here are my two little plugins for Shaarli.
Update Community-and-related-software.md
tools: run trivy vulnerability scanner on the 'latest' docker image
doc: improve docs on usage of OR operator in tags search
- fixes Error response from daemon: no such image: ghcr.io/***:trivy: No such image: ghcr.io/***:trivy - introduced in shaarli#1980 but the test target branch/tag was never reverted to 'latest'
…image github actions: fix value of TRIVY_TARGET_DOCKER_IMAGE
…poser.lock) - run scan on each push/pull request update - can be run locally using make test_trivy_repo - exit with error code 0/success when vulnerabilities are found, so as not to make the workflow fail; a separate periodic run that exits with code 1 should be added in parallel - update trivy to v0.43.0 - https://github.com/aquasecurity/trivy/releases/tag/v0.43.0 - also consider TRIVY_EXIT_CODE when running trivy on the latest docker image - ref. shaarli#1531
tools/CI: scan repository with trivy security scanner (yarn.lock, composer.lock)
Bumps [semver](https://github.com/npm/node-semver) from 5.7.1 to 5.7.2. - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/v5.7.2/CHANGELOG.md) - [Commits](npm/node-semver@v5.7.1...v5.7.2) --- updated-dependencies: - dependency-name: semver dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>
tools/Makefile: update trivy to v0.43.1
…semver-5.7.2 build(deps): bump semver from 5.7.1 to 5.7.2
Clarify old and new name along with Wikipedia link.
Doc update, WebSub (formerly PubSubHubbub) plugin
Bumps [word-wrap](https://github.com/jonschlinkert/word-wrap) from 1.2.3 to 1.2.4. - [Release notes](https://github.com/jonschlinkert/word-wrap/releases) - [Commits](jonschlinkert/word-wrap@1.2.3...1.2.4) --- updated-dependencies: - dependency-name: word-wrap dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>
…word-wrap-1.2.4 build(deps): bump word-wrap from 1.2.3 to 1.2.4
tools/tests: update trivy to v0.44.0
- fixes shaarli#1800 - do not push, only check that the image builds correctly - tag the image as :pr-PR_NUMBER
tools: github actions: build docker images on pull requests
INFO - Cleaning site directory
INFO - Building documentation to directory: /home/live/GIT/Shaarli/doc/html
INFO - Doc file 'index.md' contains an unrecognized relative link 'Usage#tag-cloud', it was left as is. Did you mean 'Usage.md#tag-cloud'?
INFO - Doc file 'index.md' contains an unrecognized relative link 'Usage#picture-wall', it was left as is. Did you mean 'Usage.md#picture-wall'?
INFO - Doc file 'index.md' contains an unrecognized relative link 'Usage#import-export', it was left as is. Did you mean 'Usage.md#import-export'?
INFO - Doc file 'Community-and-related-software.md' contains an unrecognized relative link 'REST-API', it was left as is. Did you mean 'REST-API.md'?
INFO - Doc file 'Community-and-related-software.md' contains an unrecognized relative link 'Theming', it was left as is.
INFO - Doc file 'Installation.md' contains an unrecognized relative link 'dev/Development#third-party-libraries', it was left as is. Did you mean 'dev/Development.md#third-party-libraries'?
INFO - Doc file 'Installation.md' contains an unrecognized relative link 'Upgrade-and-migration', it was left as is. Did you mean 'Upgrade-and-migration.md'?
INFO - Doc file 'Plugins.md' contains an unrecognized relative link 'Shaarli-configuration', it was left as is. Did you mean 'Shaarli-configuration.md'?
INFO - Doc file 'REST-API.md' contains an unrecognized relative link 'Server-configuration', it was left as is. Did you mean 'Server-configuration.md'?
INFO - Doc file 'Reverse-proxy.md' contains an unrecognized relative link 'Shaarli-configuration', it was left as is. Did you mean 'Shaarli-configuration.md'?
INFO - Doc file 'Server-configuration.md' contains an unrecognized relative link 'Directory-structure', it was left as is.
INFO - Doc file 'Shaarli-configuration.md' contains an unrecognized relative link 'Translations', it was left as is.
INFO - Doc file 'dev/Development.md' contains an unrecognized relative link 'Unit-tests', it was left as is. Did you mean 'Unit-tests.md'?
INFO - Doc file 'dev/Development.md' contains an unrecognized relative link 'GnuPG-signature', it was left as is. Did you mean 'GnuPG-signature.md'?
INFO - Doc file 'dev/GnuPG-signature.md' contains an unrecognized relative link 'Release Shaarli', it was left as is.
INFO - Doc file 'dev/Theming.md' contains an unrecognized relative link 'Shaarli-configuration', it was left as is.
INFO - Doc file 'dev/Translations.md' contains an unrecognized relative link 'Theming', it was left as is. Did you mean 'Theming.md'?
INFO - Documentation built in 0.40 seconds
doc: fix mkdocs build warnings/relative links
nodiscc force-pushed the trivy-schedule-release branch 2 times, most recently from fc7aa70 to ea569c3 on August 27, 2023 11:05
… link to shaarli debian package - fixes shaarli/shaarli-pkg-debian#8 - https://github.com/shaarli/shaarli-pkg-debian is unmaintained, please use downstream packaging repo at https://salsa.debian.org/php-team/pear/shaarli - https://github.com/shaarli/shaarli-pkg-debian will be archived after this PR is merged
doc: community/related software/integration with other platforms: add link to shaarli debian package
Signed-off-by: ArthurHoaro <[email protected]>
nodiscc force-pushed the trivy-schedule-release branch from ea569c3 to c34e299 on September 20, 2023 21:24
No description provided.