sartography · burnettk · Dec 5, 2024 · Dec 5, 2024 · Dec 5, 2024 · Dec 5, 2024
diff --git a/.github/workflows/build_docker_images.yml b/.github/workflows/build_docker_images.yml
@@ -31,12 +31,14 @@ on:
     branches:
       - main
       - keycloak-realm-with-groups
+      - fail-fast-off
     tags: [v*]
 
 jobs:
   create_docker_images:
     runs-on: ubuntu-latest
     strategy:
+      fail-fast: false
       matrix:
         include:
           - image_name: sartography/spiffworkflow-frontend
@@ -99,34 +101,44 @@ jobs:
         uses: docker/[email protected]
         with:
           context: ${{ matrix.context }}
-          push: false  # Don't push yet
-          load: true   # Load image to local Docker daemon
+          push: false # Don't push yet
+          load: true # Load image to local Docker daemon
           tags: ${{ steps.full_tag.outputs.full_tag }}
           labels: ${{ steps.meta.outputs.labels }}
           # While we ultimately push multi-arch images (amd64/arm64) to registries, we don't want to do that before we scan for vulns.
-          # The Action can only load a single arch image into the local dockerd at a time, so we only build and test one arch here. 
+          # The Action can only load a single arch image into the local dockerd at a time, so we only build and test one arch here.
           # It's pretty likely that any vuln in amd64 is also in arm64, and vice-versa, so the trade-off seems reasonable.
-          platforms: linux/amd64 
+          platforms: linux/amd64
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/[email protected]
         with:
-          image-ref: '${{ steps.full_tag.outputs.full_tag }}'
-          scan-type: 'image'
+          image-ref: "${{ steps.full_tag.outputs.full_tag }}"
+          scan-type: "image"
           hide-progress: false
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'CRITICAL,HIGH'
-          exit-code: 1  # Fail the workflow if critical or high vulnerabilities are found
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL"
+          exit-code: 1 # Fail the workflow if critical or high vulnerabilities are found
           timeout: 15m0s
           ignore-unfixed: true
+      - name: Check if Trivy results exist
+        if: always()
+        # trivy will fail if vulnerabilities are found but we need to upload them anyway
+        run: |
+          if [ -f "trivy-results.sarif" ]; then
+            echo "UPLOAD_TRIVY_RESULTS=true" >> "$GITHUB_ENV"
+          else
+            echo "Trivy results file not found. Skipping upload."
+            echo "UPLOAD_TRIVY_RESULTS=false" >> "$GITHUB_ENV"
+          fi
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
-        if: always()  # Run even if the Trivy scan fails
+        if: always() && env.UPLOAD_TRIVY_RESULTS == 'true'
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: "trivy-results.sarif"
 
       - name: Push Docker image
         uses: docker/[email protected]

diff --git a/connector-proxy-demo/Dockerfile b/connector-proxy-demo/Dockerfile
@@ -22,7 +22,7 @@ FROM base AS deployment
 # vim ftw
 RUN apt-get update \
   && apt-get clean -y \
-  && apt-get install -y -q git-core curl procps gunicorn3 default-mysql-client vim-tiny \
+  && apt-get install -y -q git-core curl procps gunicorn3 default-mysql-client vim-tiny libkrb5support0 libexpat1 \
   && rm -rf /var/lib/apt/lists/*
 
 RUN pip install poetry==1.6.1

diff --git a/newDockerfile b/newDockerfile
@@ -0,0 +1,6 @@
+FROM python:3.11.6-slim-bookworm AS base
+
+RUN apt-get update
+RUN apt-get install -q -y git-core curl procps gunicorn3 default-mysql-client vim-tiny
+RUN apt-get install -q -y libkrb5support0 libexpat1
+
diff --git a/spiffworkflow-backend/Dockerfile b/spiffworkflow-backend/Dockerfile
@@ -24,7 +24,7 @@ FROM base AS deployment
 # libpq5 in order to be able to use postgres at runtime
 RUN apt-get update \
   && apt-get clean -y \
-  && apt-get install -y -q git-core curl procps gunicorn3 default-mysql-client vim-tiny jq libpq5 \
+  && apt-get install -y -q git-core curl procps gunicorn3 default-mysql-client vim-tiny jq libpq5 libkrb5support0 libexpat1 \
   && rm -rf /var/lib/apt/lists/*
 
 # keep pip up to date

diff --git a/spiffworkflow-frontend/Dockerfile b/spiffworkflow-frontend/Dockerfile
@@ -14,6 +14,8 @@ RUN apt-get update \
   curl \
   procps \
   vim-tiny \
+  libkrb5support0 \
+  libexpat1 \
   && rm -rf /var/lib/apt/lists/*
 
 # this matches total memory on spiffworkflow-demo
@@ -47,6 +49,14 @@ RUN ./bin/build
 # Use nginx as the base image
 FROM nginx:1.25.4-bookworm
 
+RUN apt-get update \
+  && apt-get clean -y \
+  && apt-get install -y -q \
+  libkrb5support0 \
+  libexpat1 \
+  libaom3 \
+  && rm -rf /var/lib/apt/lists/*
+
 # Remove default nginx configuration
 RUN rm -rf /etc/nginx/conf.d/*