diff --git a/.github/docker/ubuntu-22.04.Dockerfile b/.github/docker/ubuntu-22.04.Dockerfile
index e8e88caa72..09eaab03a8 100644
--- a/.github/docker/ubuntu-22.04.Dockerfile
+++ b/.github/docker/ubuntu-22.04.Dockerfile
@@ -67,7 +67,8 @@ RUN /opt/install_dpcpp.sh
 COPY install_libbacktrace.sh /opt/install_libbacktrace.sh
 RUN /opt/install_libbacktrace.sh
 
-# Add a new (non-root) 'user'
-ENV USER user
+# Add a new (non-root) 'test_user' and switch to it
+ENV USER test_user
 ENV USERPASS pass
 RUN useradd -m "${USER}" -g sudo -p "$(mkpasswd ${USERPASS})"
+USER test_user
diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml
deleted file mode 100644
index a1063aefe8..0000000000
--- a/.github/workflows/hadolint.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Runs linter for Docker files
-name: Hadolint
-
-on:
-  workflow_dispatch:
-  push:
-  pull_request:
-    paths:
-      - '.github/docker/*Dockerfile'
-      - '.github/workflows/hadolint.yml'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-permissions:
-  contents: read
-
-jobs:
-  linux:
-    name: Hadolint
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Clone the git repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Run Hadolint
-        uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
-        with:
-          recursive: true
-          dockerfile: ".github/docker/*Dockerfile"
-          # ignore pinning apt packages to versions
-          ignore: DL3008
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000000..2efb04c86a
--- /dev/null
+++ b/.github/workflows/trivy.yml
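Review bot: The added `USER test_user` repeats the literal that `ENV USER test_user` sets two lines earlier, so a future rename has to be made in two places; `USER ${USER}` keeps a single source of truth, since the Dockerfile `USER` instruction supports environment replacement. Once this switch is in place every later `RUN` in the file (outside the hunk) executes as test_user, so any step that still needs root will either fail or need `sudo`, and should be checked. The account is created in the `sudo` group with a password taken from `ENV USERPASS pass`, which remains in the final image's environment and metadata; that line is pre-existing context, but now that the image runs as this account it is worth turning it into a build-time `ARG` so the value is not carried into every container started from the image.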
@@ -0,0 +1,50 @@
+# Runs linter for Docker files
+name: Trivy
+
+on:
+  workflow_dispatch:
+  push:
+  pull_request:
+    paths:
+      - '.github/docker/*Dockerfile'
+      - '.github/workflows/trivy.yml'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  linux:
+    name: Trivy
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Run Trivy
+        uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # v0.17.0
+        with:
+          scan-type: 'config'
+          hide-progress: false
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: 1 # Fail if issue found
+          # file with suppressions: .trivyignore (in root dir)
+
+      - name: Print report and trivyignore file
+        run: |
+          echo "### Trivy ignore content:"
+          cat .trivyignore
+          echo "### Trivy report:"
+          cat trivy-results.sarif
+
+      - name: Upload results
+        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000000..63749166bc
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,6 @@
+# Docs: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#trivyignore
+
+# In docker files:
+# HEALTHCHECK is not required for development, nor in CI (failed docker = failed CI).
+# We're not hosting any application with usage of the dockers.
+AVD-DS-0026
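Review bot: With `exit-code: 1` on the Run Trivy step, any finding fails that step and GitHub skips the steps after it, so the SARIF report is printed and uploaded to code scanning only when there is nothing to report. The "Print report and trivyignore file" and "Upload results" steps each need `if: always()` (or `if: ${{ !cancelled() }}`) directly under their `name:` line so the results reach the Security tab on the runs that matter. The job-level `security-events: write` is correctly limited to the one job that uploads, and both actions are SHA-pinned. The header comment `# Runs linter for Docker files` was carried over from the removed Hadolint workflow; Trivy's config scan reports Dockerfile misconfigurations (AVD-DS checks) rather than Hadolint's DL lint rules, which no workflow runs any more, so a comment such as `# Scans Dockerfiles for misconfigurations with Trivy (replaces the Hadolint workflow)` would make the change in coverage explicit.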
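Review bot: The suppression `AVD-DS-0026` is unscoped, so it applies to every Trivy scan in the repository and not only to the CI images under `.github/docker/` that the comment describes; any Dockerfile or Compose file added later inherits it silently. If the Trivy version in use supports the YAML ignore format (`.trivyignore.yaml`), the entry can be limited with `paths:` to the CI image directory and carry the rationale in a `statement:` field, so the justification travels with the suppression into tool output. Otherwise a comment stating the intended scope would help reviewers: `# Scope: CI build images under .github/docker/ only; revisit if any image is ever deployed.`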