Merge pull request #2846 from tarlepp/chore(ci)/trivy

tarlepp · web-flow · commit 6569353da1d1 · 2024-09-07T12:51:39.000+03:00
Chore(ci) - Add Trivy to scan Docker image
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -360,3 +360,13 @@ jobs:
 
       - name: Build the Docker image
         run: docker build . --file Dockerfile --tag symfony-flex-backend:${{ steps.vars.outputs.DOCKER_TAG }}
+
+      - name: Scan Docker image with Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: 'symfony-flex-backend:${{ steps.vars.outputs.DOCKER_TAG }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
diff --git a/Dockerfile b/Dockerfile
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1.7-labs
 FROM php:8.3.10-fpm
 
 ENV APP_ENV prod
@@ -30,6 +31,14 @@ RUN install-php-extensions \
     pdo_mysql \
     zip
 
+# Install security updates
+RUN apt-get update \
+    && apt-get install -y \
+        debsecan \
+    && apt-get install --no-install-recommends -y \
+        $(debsecan --suite bookworm --format packages --only-fixed) \
+    && rm -rf /var/lib/apt/lists/*
+
 # Copy the Composer PHAR from the Composer image into the PHP image
 COPY --from=composer:2.7.7 /usr/bin/composer /usr/bin/composer
 
@@ -38,26 +47,19 @@ RUN composer completion bash > /etc/bash_completion.d/composer
 
 WORKDIR /app
 
-COPY . /app
+COPY --exclude=./docker/* . /app
 COPY ./docker/php/php.ini /usr/local/etc/php/php.ini
 COPY ./docker/php/www.conf /usr/local/etc/php-fpm.d/www.conf
 
 RUN chmod +x /app/bin/console
 RUN chmod +x /app/docker-entrypoint.sh
 RUN chmod +x /usr/bin/composer
 
-RUN curl -s https://api.github.com/repos/fabpot/local-php-security-checker/releases/latest | \
-        grep -E "browser_download_url(.+)linux_amd64" | \
-        cut -d : -f 2,3 | \
-        tr -d \" | \
-        xargs -I{} wget -O local-php-security-checker {} \
-    && mv local-php-security-checker /usr/bin/local-php-security-checker \
-    && chmod +x /usr/bin/local-php-security-checker
-
 RUN rm -rf /app/var \
     && mkdir -p /app/var \
     && rm -rf /app/public/check.php \
-    && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader
+    && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader \
+    && php /usr/bin/composer audit
 
 EXPOSE 9000
 
diff --git a/Dockerfile_dev b/Dockerfile_dev
@@ -69,6 +69,14 @@ RUN install-php-extensions \
     xdebug \
     zip
 
+# Install security updates
+RUN apt-get update \
+    && apt-get install -y \
+        debsecan \
+    && apt-get install --no-install-recommends -y \
+        $(debsecan --suite bookworm --format packages --only-fixed) \
+    && rm -rf /var/lib/apt/lists/*
+
 # Copy the Composer PHAR from the Composer image into the PHP image
 COPY --from=composer:2.7.7 /usr/bin/composer /usr/bin/composer
 
@@ -85,14 +93,6 @@ COPY ./docker/php/www-dev.conf /usr/local/etc/php-fpm.d/www.conf
 
 RUN chmod -R o+s+w /usr/local/etc/php
 
-RUN curl -s https://api.github.com/repos/fabpot/local-php-security-checker/releases/latest | \
-        grep -E "browser_download_url(.+)linux_amd64" | \
-        cut -d : -f 2,3 | \
-        tr -d \" | \
-        xargs -I{} wget -O local-php-security-checker {} \
-    && mv local-php-security-checker /usr/bin/local-php-security-checker \
-    && chmod +x /usr/bin/local-php-security-checker
-
 RUN groupadd --gid ${HOST_GID} dev \
     && useradd \
         -p $(perl -e 'print crypt($ARGV[0], "password")' 'dev') \
diff --git a/docker-entrypoint-dev.sh b/docker-entrypoint-dev.sh
@@ -6,10 +6,11 @@ set -e
 #   0) Basic linting of current JSON configuration file
 #   1) Export needed environment variables
 #   2) Install all dependencies
-#   3) Generate JWT encryption keys
-#   4) Create database if it not exists yet
-#   5) Run possible migrations, so that database is always up to date
-#   6) Add needed symfony console autocomplete for bash
+#   3) Check if there are any security issues in dependencies
+#   4) Generate JWT encryption keys
+#   5) Create database if it not exists yet
+#   6) Run possible migrations, so that database is always up to date
+#   7) Add needed symfony console autocomplete for bash
 #
 
 # Step 0
@@ -25,15 +26,18 @@ export XDEBUG_SESSION=PHPSTORM
 COMPOSER_MEMORY_LIMIT=-1 composer install --optimize-autoloader
 
 # Step 3
-make generate-jwt-keys
+composer audit
 
 # Step 4
-./bin/console doctrine:database:create --no-interaction --if-not-exists
+make generate-jwt-keys
 
 # Step 5
-./bin/console doctrine:migrations:migrate --no-interaction --allow-no-migration --all-or-nothing
+./bin/console doctrine:database:create --no-interaction --if-not-exists
 
 # Step 6
+./bin/console doctrine:migrations:migrate --no-interaction --allow-no-migration --all-or-nothing
+
+# Step 7
 ./bin/console completion bash >> /home/dev/.bashrc
 
 exec "$@"
