diff --git a/.github/workflows/docker-dev.yaml b/.github/workflows/docker-dev.yaml
index 66ce385..56debb9 100644
--- a/.github/workflows/docker-dev.yaml
+++ b/.github/workflows/docker-dev.yaml
@@ -55,24 +55,24 @@ jobs:
context: ${{ env.CONTEXT }}
file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
- - - name: Linting image with hadolint
- id: hadolint
- uses: hadolint/hadolint-action@v3.1.0
- with:
- dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
- - - - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'
- format: 'sarif'
- output: 'trivy-results.sarif'
- - - - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- if: always()
- with:
- sarif_file: 'trivy-results.sarif'
\ No newline at end of file
+ - + name: Linting Dockerfile with hadolint
+ id: hadolint
+ uses: hadolint/hadolint-action@v3.1.0
+ with:
+ dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+ + - + name: Run Trivy container image vulnerability scanner
+ uses: aquasecurity/trivy-action@0.12.0
+ with:
+ image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ + - + name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
\ No newline at end of file
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 9c5d46d..056ba3a 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
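Review bot: The `image-ref` value on the new side still ends in a stray apostrophe, `${{ github.sha }}'`, so the reference handed to Trivy carries a trailing `'` and the scan step will most likely fail on an unparseable image name; the same line appears in the docker.yaml hunk below. Either drop the quote or quote the whole value, `image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'`. Moving from `@master` to `@0.12.0` is an improvement, but a release tag is still mutable; for a scanner whose output lands in the Security tab, pin `aquasecurity/trivy-action` to the full commit SHA of that release and keep the tag in a trailing `#` comment. As written the step only reports: with no `exit-code`/`severity` input the job stays green whatever the scan finds, which may be intended for a dev workflow but deserves a comment on the step. The enclosing job begins before this hunk.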
@@ -56,15 +56,15 @@ jobs:
file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
- - name: Linting image with hadolint
+ name: Linting Dockerfile with hadolint
id: hadolint
uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
+ name: Run Trivy container image vulnerability scanner
+ uses: aquasecurity/trivy-action@0.12.0
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'
format: 'sarif'
diff --git a/ckan-pycsw/Dockerfile b/ckan-pycsw/Dockerfile
index 9266af1..75f300c 100644
--- a/ckan-pycsw/Dockerfile
+++ b/ckan-pycsw/Dockerfile
@@ -23,12 +23,12 @@ WORKDIR ${APP_DIR}
RUN groupadd --gid $USER_GID $USERNAME \
&& useradd --uid $USER_UID --gid $USER_GID -m $USERNAME && \
chown -R $USERNAME:$USERNAME $APP_DIR && \
- apt-get -q -y update && apt-get install -y \
- wget && \
- DEBIAN_FRONTEND=noninteractive apt-get -yq install gettext-base && \
- wget -O /wait-for https://raw.githubusercontent.com/eficode/wait-for/v2.2.3/wait-for && \
+ apt-get -q -y update && apt-get install -y --no-install-recommends && \
+ wget=1.21-1+deb11u1 \
+ gettext-base=0.21-4 && \
+ wget --progress=dot:mega -O /wait-for https://raw.githubusercontent.com/eficode/wait-for/v2.2.4/wait-for && \
chmod +x /wait-for && \
- python3 -m pip install pdm && \
+ python3 -m pip install --no-cache-dir pdm==2.9.2 && \
rm -rf /var/lib/apt/lists/*
COPY pyproject.toml pdm.lock ./
diff --git a/ckan-pycsw/Dockerfile.dev b/ckan-pycsw/Dockerfile.dev
index 91ba5b9..89a80f2 100644
--- a/ckan-pycsw/Dockerfile.dev
+++ b/ckan-pycsw/Dockerfile.dev
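Review bot: The `&& \` at the end of the added `apt-get install -y --no-install-recommends && \` line closes the apt-get command before any package is named, so the package list on the next two lines is never passed to apt-get. Instead the shell runs `wget=1.21-1+deb11u1 gettext-base=0.21-4` as its own command: the first word is accepted as a variable assignment, but `gettext-base=0.21-4` is not a valid name and the build should stop with a command-not-found error — and if it did not, neither wget nor gettext-base would be installed before the `wget -O /wait-for` call. The line should end with a bare continuation, `apt-get -q -y update && apt-get install -y --no-install-recommends \`; the Dockerfile.dev hunk below has the same defect. Separately, `/wait-for` is now fetched from the v2.2.4 tag and made executable without any integrity check; since a tag can move, verify the download before `chmod`, e.g. `echo "<EXPECTED_SHA256>  /wait-for" | sha256sum -c - && \` with the placeholder replaced by the release's known hash. The RUN instruction is complete within this hunk.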
@@ -18,13 +18,13 @@ ENV DEV_MODE=True
ENV PYCSW_DEV_PORT=5678
ENV TIMEOUT=300
-RUN apt-get -q -y update && apt-get install -y \
- wget \
- procps && \
- DEBIAN_FRONTEND=noninteractive apt-get -yq install gettext-base && \
- wget -O /wait-for https://raw.githubusercontent.com/eficode/wait-for/v2.2.4/wait-for && \
+RUN apt-get -q -y update && apt-get install -y --no-install-recommends && \
+ wget=1.21-1+deb11u1 \
+ gettext-base=0.21-4 \
+ procps=2:3.3.17-5 && \
+ wget --progress=dot:mega -O /wait-for https://raw.githubusercontent.com/eficode/wait-for/v2.2.4/wait-for && \
chmod +x /wait-for && \
- python3 -m pip install pdm debugpy && \
+ python3 -m pip install --no-cache-dir pdm==2.9.2 && \
rm -rf /var/lib/apt/lists/*
WORKDIR ${APP_DIR}
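Review bot: `debugpy` is dropped from the pip install line while the context line `ENV PYCSW_DEV_PORT=5678` still suggests this dev image expects a remote-debug listener; if debugpy now arrives through the pdm lock that is fine, otherwise the dev container silently loses its debugger. Either way the intent belongs in a comment on the RUN line, such as `# debugpy is installed via pdm dev dependencies, not pip`. This hunk also carries the broken `--no-install-recommends && \` continuation raised on the ckan-pycsw/Dockerfile hunk, with the same consequence that `wget=1.21-1+deb11u1 gettext-base=0.21-4 procps=2:3.3.17-5` is executed as a shell command instead of being passed to apt-get; the fix is the same, `RUN apt-get -q -y update && apt-get install -y --no-install-recommends \`. The unverified `/wait-for` download noted there applies here as well. The RUN instruction is complete within this hunk.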