Use endava docker hub

.github/workflows/ci.yml

@@ -0,0 +1,58 @@
+name: Security Scan
+
+on:
+  push:
+    branches:
+      - 'main'
+  schedule:
+    - cron:  '0 12 * * *' # each day at lunch time
+
+jobs:
+  security-scan:
+    name: Security Scan
+
+    runs-on: ubuntu-latest
+
+    continue-on-error: false
+
+    strategy:
+      matrix:
+        branch-name:
+          - 'release/8.0'
+          - 'release/8.1'
+          - 'release/8.2'
+    steps:
+      -   name: "Checkout code"
+          uses: actions/checkout@v3
+          with:
+            ref: ${{ matrix.branch-name }}
+      -   name: "PHP_VERSION Env"
+          run: echo "PHP_VERSION=`grep "ARG PHP_VERSION" Dockerfile | cut -f 2 -d '"'`" > GITHUB_ENV
+      -   name: "BRANCH_SHA Env"
+          run: echo "BRANCH_SHA=`git rev-parse HEAD" >> GITHUB_ENV
+
+      -   name: Run Alpine Trivy vulnerability scanner
+          uses: aquasecurity/trivy-action@master
+          with:
+            image-ref: endava/php:${{ env.PHP_VERSION }}
+            format: 'table'
+            exit-code: '0' # we don't break the build if vulnerabilities are included!
+            ignore-unfixed: true
+            vuln-type: 'os,library'
+            severity: 'CRITICAL,HIGH'
+
+      -   if: contains(github.ref, 'refs/heads/release/')
+          name: Run Alpine Trivy vulnerability scanner and upload to github security tab
+          uses: aquasecurity/trivy-action@master
+          with:
+            image-ref: endava/php:${{ env.PHP_VERSION }}
+            format: 'sarif'
+            output: 'trivy-results.sarif'
+
+      -   if: contains(github.ref, 'refs/heads/release/')
+          name: Upload Alpine Trivy scan results to GitHub Security tab
+          uses: github/codeql-action/upload-sarif@v2
+          with:
+            ref: refs/heads/${{ matrix.branch-name }}
+            sha: ${{ env.BRANCH_SHA }}
+            sarif_file: 'trivy-results.sarif'

.github/workflows/security-scan.yml

@@ -34,10 +34,10 @@ jobs:
           run: echo "BRANCH_SHA=`git rev-parse HEAD`" >> $GITHUB_ENV
 
       -   name: Pull the image
-          run: docker pull exozet/draft-docker-php:${{ env.PHP_VERSION }}
+          run: docker pull endava/php:${{ env.PHP_VERSION }}
 
       -   name: Tag also with php:${{ env.PHP_VERSION }}
-          run: docker tag exozet/draft-docker-php:${{ env.PHP_VERSION }} php-${{ env.PHP_VERSION }}
+          run: docker tag endava/php:${{ env.PHP_VERSION }} php-${{ env.PHP_VERSION }}
 
       -   name: Run Alpine Trivy vulnerability scanner
           uses: aquasecurity/trivy-action@master
@@ -95,7 +95,7 @@ jobs:
           env:
              SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
           with:
-            image: exozet/draft-docker-php:${{ env.PHP_VERSION }}
+            image: endava/php:${{ env.PHP_VERSION }}
             args: "--org=${{ secrets.SNYK_ORG }} --fail-on=upgradable --project-name=draft-docker-php:${{ env.PHP_VERSION }} --target-reference=${{ env.PHP_VERSION }}"
             command: monitor
       -   if: contains(github.ref, 'refs/heads/main')

README.md

@@ -49,7 +49,7 @@ The new approach has some advantages:
 * It ships linux/arm64/v8 and linux/amd64 version of the image
 * The web server user is root, but web requests are executed as www-data
 * The github release notes (including tool versions and php extension versions) is automatically generated if a commit is tagged
-* The release is available only as exozet/draft-docker-php:8.1.13 (no suffix for -root, -xdebug -alpine or -sudo or others)
+* The release is available only as endava/php:8.1.16 (no suffix for -root, -xdebug -alpine or -sudo or others)
 * The CI/CD pipeline includes tests to validate the image as nginx unit or apache2 delivery
 * The CI/CD pipeline only builds the latest version (if necessary we can git checkout -b 8.1.13 if you really want to fix something in a release)