From 23b072ea10e0b452620fb12f4e824e3c3c9f3888 Mon Sep 17 00:00:00 2001
From: alam00000
Date: Tue, 17 Mar 2026 22:54:00 +0530
Subject: [PATCH] feat: add Trivy security scan workflow and update Dockerfiles for vulnerability scanning

---
 .github/dependabot.yml | 5 ++
 .github/workflows/trivy-scan.yml | 103 +++++++++++++++++++++++++++++++
 Dockerfile | 4 ++
 Dockerfile.nonroot | 2 +-
 4 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/trivy-scan.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b7f273d..bdda7df 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -13,3 +13,8 @@ updates:
 directory: '/'
 schedule:
 interval: 'daily'
+
+ - package-ecosystem: 'docker'
+ directory: '/'
+ schedule:
+ interval: 'weekly'
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
new file mode 100644
index 0000000..4fb8ad4
--- /dev/null
+++ b/.github/workflows/trivy-scan.yml
@@ -0,0 +1,103 @@
+name: Trivy Security Scan
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: '0 6 * * 1'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ scan-image:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ image:
+ - name: bentopdf
+ file: Dockerfile
+ - name: bentopdf-nonroot
+ file: Dockerfile.nonroot
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build image for scanning
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ file: ${{ matrix.image.file }}
+ push: false
+ load: true
+ tags: ${{ matrix.image.name }}:scan
+ cache-from: type=gha,scope=trivy-${{ matrix.image.name }}
+ cache-to: type=gha,mode=max,scope=trivy-${{ matrix.image.name }}
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ image-ref: ${{ matrix.image.name }}:scan
+ format: sarif
+ output: trivy-${{ matrix.image.name }}.sarif
+ severity: CRITICAL,HIGH
+ exit-code: '1'
+
+ - name: Upload Trivy results to GitHub Security
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: trivy-${{ matrix.image.name }}.sarif
+ category: trivy-${{ matrix.image.name }}
+
+ scan-dependencies:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Scan npm dependencies with Trivy
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: fs
+ scan-ref: .
+ format: sarif
+ output: trivy-deps.sarif
+ severity: CRITICAL,HIGH
+ scanners: vuln
+
+ - name: Upload dependency scan results
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: trivy-deps.sarif
+ category: trivy-dependencies
+
+ scan-config:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Scan Dockerfiles for misconfigurations
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: config
+ scan-ref: .
+ format: sarif
+ output: trivy-config.sarif
+ severity: CRITICAL,HIGH
+
+ - name: Upload config scan results
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: trivy-config.sarif
+ category: trivy-config
diff --git a/Dockerfile b/Dockerfile
index 1e962ad..f42cda5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -79,6 +79,10 @@ ARG BASE_URL
 # Set this to "true" to disable Nginx listening on IPv6
 ENV DISABLE_IPV6=false
 
+USER root
+RUN apk upgrade --no-cache
+USER nginx
+
 COPY --chown=nginx:nginx --from=builder /app/dist /usr/share/nginx/html${BASE_URL%/}
 COPY --chown=nginx:nginx nginx.conf /etc/nginx/nginx.conf
 COPY --chown=nginx:nginx --chmod=755 nginx-ipv6.sh /docker-entrypoint.d/99-disable-ipv6.sh
diff --git a/Dockerfile.nonroot b/Dockerfile.nonroot
index 0599daf..ad0fba5 100644
--- a/Dockerfile.nonroot
+++ b/Dockerfile.nonroot
@@ -75,7 +75,7 @@ ENV PUID=1000
 ENV PGID=1000
 ENV DISABLE_IPV6=false
 
-RUN apk add --no-cache su-exec
+RUN apk upgrade --no-cache && apk add --no-cache su-exec
 
 COPY --from=builder /app/dist /usr/share/nginx/html${BASE_URL%/}
 COPY nginx.conf /etc/nginx/nginx.conf
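Review bot: The `scan-dependencies` and `scan-config` jobs can never fail the run: unlike the Trivy step in `scan-image`, neither of their Trivy steps sets `exit-code`, and trivy-action's default is 0, so CRITICAL/HIGH findings in npm dependencies or in the Dockerfiles only land in the Security tab and do not block a pull request. If report-only is intended, say so in a comment on those steps; otherwise add `exit-code: '1'` to both `with:` blocks, keeping the `if: always()` on the upload steps so the SARIF is still published when the scan fails. Every action in the file is pinned by a mutable tag (`actions/checkout@v4`, `aquasecurity/trivy-action@0.28.0`, `github/codeql-action/upload-sarif@v3`); for a workflow that holds `security-events: write`, pinning each `uses:` to a full commit SHA with the tag in a trailing comment is the usual hardening. Note also that on the `pull_request` trigger, runs for pull requests from forks receive a read-only token, so the upload-sarif steps will fail there; guarding them with `if: always() && github.event.pull_request.head.repo.fork == false` keeps those runs from reporting spurious failures.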
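Review bot: `RUN apk upgrade --no-cache` (here and in the same change to Dockerfile.nonroot) is only as fresh as the build cache: apk's `--no-cache` skips the local package index, but Docker still reuses the layer whenever the instruction and its parent layer are unchanged, and the new workflow builds the scan image with `cache-from: type=gha`, so the weekly scan may keep scanning an upgrade layer computed long before, and a rebuild on a developer machine may produce a differently patched image than CI. Either add a cache-busting `ARG` immediately before the upgrade line or build the scan image with `no-cache: true` in the build-push step, and record the intent with a comment such as `# Pull in base-image security fixes; bump CACHE_BUST to force a re-run`. The trailing `USER nginx` assumes the stage was already running as nginx before these lines; the preceding `USER` instruction, if there is one, is outside the hunk, and if the final stage previously ran as root this silently changes the user the entrypoint scripts in /docker-entrypoint.d and the nginx master process start under, which is worth confirming against the rest of the file.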