Chore(ci) - Add Trivy to scan Docker image

.github/workflows/main.yml

@@ -360,3 +360,13 @@ jobs:
 
       - name: Build the Docker image
         run: docker build . --file Dockerfile --tag symfony-flex-backend:${{ steps.vars.outputs.DOCKER_TAG }}
+
+      - name: Scan Docker image with Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: 'symfony-flex-backend:${{ steps.vars.outputs.DOCKER_TAG }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'

Dockerfile

@@ -1,4 +1,5 @@
-FROM php:8.3.9-fpm
+# syntax=docker/dockerfile:1.7-labs
+FROM php:8.3.10-fpm
 
 ENV APP_ENV prod
 ENV APP_DEBUG 0
@@ -18,7 +19,7 @@ RUN apt-get update \
     && rm -rf /var/lib/apt/lists/*
 
 # Copy the install-php-extensions (Easily install PHP extension in official PHP Docker containers)
-COPY --from=mlocati/php-extension-installer:2.2.18 /usr/bin/install-php-extensions /usr/local/bin/
+COPY --from=mlocati/php-extension-installer:2.4.0 /usr/bin/install-php-extensions /usr/local/bin/
 
 # Install and enable all necessary PHP extensions
 RUN install-php-extensions \
@@ -30,6 +31,14 @@ RUN install-php-extensions \
     pdo_mysql \
     zip
 
+# Install security updates
+RUN apt-get update \
+    && apt-get install -y \
+        debsecan \
+    && apt-get install --no-install-recommends -y \
+        $(debsecan --suite bookworm --format packages --only-fixed) \
+    && rm -rf /var/lib/apt/lists/*
+
 # Copy the Composer PHAR from the Composer image into the PHP image
 COPY --from=composer:2.7.7 /usr/bin/composer /usr/bin/composer
 
@@ -38,26 +47,19 @@ RUN composer completion bash > /etc/bash_completion.d/composer
 
 WORKDIR /app
 
-COPY . /app
+COPY --exclude=./docker/* . /app
 COPY ./docker/php/php.ini /usr/local/etc/php/php.ini
 COPY ./docker/php/www.conf /usr/local/etc/php-fpm.d/www.conf
 
 RUN chmod +x /app/bin/console
 RUN chmod +x /app/docker-entrypoint.sh
 RUN chmod +x /usr/bin/composer
 
-RUN curl -s https://api.github.com/repos/fabpot/local-php-security-checker/releases/latest | \
-        grep -E "browser_download_url(.+)linux_amd64" | \
-        cut -d : -f 2,3 | \
-        tr -d \" | \
-        xargs -I{} wget -O local-php-security-checker {} \
-    && mv local-php-security-checker /usr/bin/local-php-security-checker \
-    && chmod +x /usr/bin/local-php-security-checker
-
 RUN rm -rf /app/var \
     && mkdir -p /app/var \
     && rm -rf /app/public/check.php \
-    && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader
+    && php -d memory_limit=-1 /usr/bin/composer install --no-dev --optimize-autoloader \
+    && php /usr/bin/composer audit
 
 EXPOSE 9000
 

Dockerfile_dev

@@ -1,4 +1,4 @@
-FROM php:8.3.9-fpm
+FROM php:8.3.10-fpm
 
 # Let's use bash as a default shell with login each time
 SHELL ["/bin/bash", "--login", "-c"]
@@ -9,8 +9,8 @@ ARG HOST_GID
 
 # Declare constants
 ENV PATH "$PATH:/home/dev/.composer/vendor/bin:/app/vendor/bin"
-ENV NVM_VERSION v0.39.7
-ENV NODE_VERSION 22.4.0
+ENV NVM_VERSION v0.40.0
+ENV NODE_VERSION 22.7.0
 
 # Update package list and install necessary libraries
 RUN apt-get update \
@@ -56,7 +56,7 @@ ENV LANGUAGE en_US:en
 ENV LC_ALL en_US.UTF-8
 
 # Copy the install-php-extensions (Easily install PHP extension in official PHP Docker containers)
-COPY --from=mlocati/php-extension-installer:2.2.18 /usr/bin/install-php-extensions /usr/local/bin/
+COPY --from=mlocati/php-extension-installer:2.4.0 /usr/bin/install-php-extensions /usr/local/bin/
 
 # Enable all necessary PHP packages
 RUN install-php-extensions \
@@ -69,6 +69,14 @@ RUN install-php-extensions \
     xdebug \
     zip
 
+# Install security updates
+RUN apt-get update \
+    && apt-get install -y \
+        debsecan \
+    && apt-get install --no-install-recommends -y \
+        $(debsecan --suite bookworm --format packages --only-fixed) \
+    && rm -rf /var/lib/apt/lists/*
+
 # Copy the Composer PHAR from the Composer image into the PHP image
 COPY --from=composer:2.7.7 /usr/bin/composer /usr/bin/composer
 
@@ -85,14 +93,6 @@ COPY ./docker/php/www-dev.conf /usr/local/etc/php-fpm.d/www.conf
 
 RUN chmod -R o+s+w /usr/local/etc/php
 
-RUN curl -s https://api.github.com/repos/fabpot/local-php-security-checker/releases/latest | \
-        grep -E "browser_download_url(.+)linux_amd64" | \
-        cut -d : -f 2,3 | \
-        tr -d \" | \
-        xargs -I{} wget -O local-php-security-checker {} \
-    && mv local-php-security-checker /usr/bin/local-php-security-checker \
-    && chmod +x /usr/bin/local-php-security-checker
-
 RUN groupadd --gid ${HOST_GID} dev \
     && useradd \
         -p $(perl -e 'print crypt($ARGV[0], "password")' 'dev') \

docker-entrypoint-dev.sh

@@ -6,10 +6,11 @@ set -e
 #   0) Basic linting of current JSON configuration file
 #   1) Export needed environment variables
 #   2) Install all dependencies
-#   3) Generate JWT encryption keys
-#   4) Create database if it not exists yet
-#   5) Run possible migrations, so that database is always up to date
-#   6) Add needed symfony console autocomplete for bash
+#   3) Check if there are any security issues in dependencies
+#   4) Generate JWT encryption keys
+#   5) Create database if it not exists yet
+#   6) Run possible migrations, so that database is always up to date
+#   7) Add needed symfony console autocomplete for bash
 #
 
 # Step 0
@@ -25,15 +26,18 @@ export XDEBUG_SESSION=PHPSTORM
 COMPOSER_MEMORY_LIMIT=-1 composer install --optimize-autoloader
 
 # Step 3
-make generate-jwt-keys
+composer audit
 
 # Step 4
-./bin/console doctrine:database:create --no-interaction --if-not-exists
+make generate-jwt-keys
 
 # Step 5
-./bin/console doctrine:migrations:migrate --no-interaction --allow-no-migration --all-or-nothing
+./bin/console doctrine:database:create --no-interaction --if-not-exists
 
 # Step 6
+./bin/console doctrine:migrations:migrate --no-interaction --allow-no-migration --all-or-nothing
+
+# Step 7
 ./bin/console completion bash >> /home/dev/.bashrc
 
 exec "$@"