
Create anchore.yml #86

Merged
merged 2 commits into from
Nov 7, 2024

Conversation

svengo
Owner

@svengo svengo commented Nov 7, 2024

Add anchore grype action
https://github.com/anchore/scan-action

Summary by CodeRabbit

  • New Features
    • Introduced an automated workflow for building and scanning Docker images for vulnerabilities using Anchore's Grype tool.
    • The workflow runs on code pushes, pull requests, and scheduled scans every Thursday.
    • Results are uploaded as a SARIF report for integration with GitHub Advanced Security.

Contributor

coderabbitai bot commented Nov 7, 2024

Walkthrough

This pull request introduces a new GitHub Actions workflow file named anchore.yml. The workflow automates the building of a Docker image and scans it for vulnerabilities using Anchore's Grype tool. It is triggered by pushes and pull requests to the main branch, as well as on a scheduled basis. The workflow includes steps for checking out the code, building the Docker image, scanning for vulnerabilities, and uploading the scan results as a SARIF report.

Changes

File Path Change Summary
.github/workflows/anchore.yml Added a new workflow for Docker image building and vulnerability scanning using Anchore Grype.

Sequence Diagram(s)

sequenceDiagram
    participant Developer
    participant GitHub Actions
    participant Docker
    participant Anchore Grype
    participant GitHub

    Developer->>GitHub Actions: Push code or create PR
    GitHub Actions->>Docker: Checkout code
    GitHub Actions->>Docker: Build Docker image
    GitHub Actions->>Anchore Grype: Scan Docker image for vulnerabilities
    Anchore Grype-->>GitHub Actions: Return scan results
    GitHub Actions->>GitHub: Upload SARIF report

🐰 "In the land of code, where bunnies play,
A workflow blooms, brightening the day.
With scans and builds, oh what a delight,
Protecting our images, keeping them bright!
So hop along, let’s code with glee,
For safety in Docker, there’s joy to see!" 🐇


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between b814328 and e0528b6.

📒 Files selected for processing (1)
  • .github/workflows/anchore.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/anchore.yml


@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (3)
.github/workflows/anchore.yml (3)

20-21: Consider increasing the frequency of security scans.

The current schedule (Thursday at 16:41 UTC) might not be frequent enough for security-critical Docker images. Consider running scans daily during off-peak hours to catch vulnerabilities sooner.

-    - cron: '41 16 * * 4'
+    - cron: '0 2 * * *'  # Daily at 2 AM UTC
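Review bot: the daily schedule is a reasonable suggestion, but the comment should say why it helps: the image built from `main` does not change between scheduled runs, while the Grype vulnerability database does, so each scheduled run re-evaluates the same image against newer advisories. Note also that `schedule` triggers run against the default branch only, so the daily scan covers the merged image and not open pull requests, which are already covered by the `pull_request` trigger.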

36-37: Enhance Docker build security.

Consider adding --no-cache flag to ensure fresh builds and prevent cache poisoning attacks. Also, consider adding platform specification for better reproducibility.

-      run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+      run: docker build . --file Dockerfile --tag localbuild/testimage:latest --no-cache --platform linux/amd64
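Review bot: the rationale given for `--no-cache` does not match what the flag does: it only stops locally cached layers from being reused, so the build takes longer without changing which base image or packages are fetched. If the concern is building on a stale base image, `--pull` is the flag that forces the `FROM` image to be refreshed. Pinning `--platform linux/amd64` also means only that architecture's packages are scanned; that is fine for reproducibility but should be stated in the comment if the image is published for more than one platform.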

45-48: Add retention policy for scan results.

Consider adding a retention period for the SARIF reports to maintain a history of security scans while managing storage efficiently.

       uses: github/codeql-action/upload-sarif@v3
       with:
         sarif_file: ${{ steps.scan.outputs.sarif }}
+        retention-days: 90
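Review bot: `retention-days` is not an input of `github/codeql-action/upload-sarif`; it is an input of `actions/upload-artifact`. The runner only warns about an unexpected input and ignores it, so the added line would not introduce any retention policy. Results uploaded as SARIF are kept by GitHub code scanning itself, so the line should be dropped rather than carried as a no-op setting in the workflow.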
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 3aa8238 and b814328.

📒 Files selected for processing (1)
  • .github/workflows/anchore.yml (1 hunks)
🔇 Additional comments (2)
.github/workflows/anchore.yml (2)

23-31: LGTM! Well-configured permissions following security best practices.

The permissions are properly scoped following the principle of least privilege, with clear documentation for each permission's purpose.


36-37: Verify Dockerfile location and contents.

Let's ensure the Dockerfile exists and contains proper security configurations.

✅ Verification successful

Dockerfile exists and follows security practices, but requires user configuration

The Dockerfile and its associated scripts implement several security best practices:

  • Uses a specific Alpine version (3.20.3) as base
  • Creates a non-root 'tor' user and group
  • Runs the Tor process as non-root via su-exec
  • Implements proper signature verification during build
  • Includes healthcheck
  • Proper permission handling in entrypoint script

However, users should be aware of:

  • Default configuration in config.sh needs to be customized (nickname, contact info)
  • Control port password is using a default value
  • Exit policy is restrictive by default (reject *:*)
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify Dockerfile existence and basic security configurations

# Check if Dockerfile exists in the root
if [ -f "Dockerfile" ]; then
    echo "Dockerfile found"
    
    # Check for common security best practices
    echo "Checking Dockerfile contents:"
    grep -E "^FROM|^USER|^HEALTHCHECK|^COPY|^ADD" Dockerfile
    
    # Check if using root user
    if ! grep -q "^USER" Dockerfile; then
        echo "WARNING: No USER instruction found - container might run as root"
    fi
else
    echo "ERROR: Dockerfile not found in repository root"
fi

Length of output: 560


Script:

#!/bin/bash
# Let's check the complete Dockerfile contents to better understand the security context
cat Dockerfile

# Also check the referenced scripts for any security-related configurations
echo -e "\nChecking entry-point.sh:"
cat entry-point.sh

echo -e "\nChecking healthcheck.sh:"
cat healthcheck.sh

echo -e "\nChecking config.sh:"
cat config.sh

Length of output: 3180

Change severity-cutoff from critical to high

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
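The commit above lowers the scan's `severity-cutoff` from `critical` to `high`, so the build now also fails on high-severity findings. The following added example (not part of this PR, the scan-action, or Grype) shows what that gate means against a SARIF report of the shape the workflow uploads: a constructed, placeholder-only document modelled on Grype's SARIF output, with the CVSS score from each rule's `security-severity` property mapped to GitHub code scanning's severity bands. Grype itself gates on the severity string from its database, so the score-to-band mapping here is an approximation.

```python
import json

# Constructed sample (placeholder ids, not real CVEs) in the shape of Grype's
# SARIF output: each rule carries a CVSS score in properties["security-severity"]
# and each result refers to its rule through ruleId.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "grype", "rules": [
            {"id": "CVE-PLACEHOLDER-1-musl", "properties": {"security-severity": "9.8"}},
            {"id": "CVE-PLACEHOLDER-2-openssl", "properties": {"security-severity": "7.5"}},
            {"id": "CVE-PLACEHOLDER-3-zlib", "properties": {"security-severity": "5.3"}},
        ]}},
        "results": [
            {"ruleId": "CVE-PLACEHOLDER-1-musl", "level": "error", "message": {"text": "musl"}},
            {"ruleId": "CVE-PLACEHOLDER-2-openssl", "level": "error", "message": {"text": "openssl"}},
            {"ruleId": "CVE-PLACEHOLDER-3-zlib", "level": "warning", "message": {"text": "zlib"}},
        ],
    }],
})

# Grype's severity-cutoff values, lowest to highest.
SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]
# (minimum CVSS score, band) as GitHub code scanning displays them.
SCORE_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]

def severity_from_score(score: float) -> str:
    """Map a CVSS base score to a severity band."""
    return next((band for floor, band in SCORE_BANDS if score >= floor), "negligible")

def findings(sarif_text: str) -> list[tuple[str, str]]:
    """Return (ruleId, severity) for every result in the report's first run."""
    run = json.loads(sarif_text)["runs"][0]
    scores = {r["id"]: float(r["properties"]["security-severity"])
              for r in run["tool"]["driver"]["rules"]}
    return [(res["ruleId"], severity_from_score(scores[res["ruleId"]]))
            for res in run["results"]]

def violates_cutoff(sarif_text: str, cutoff: str) -> list[str]:
    """Rule ids at or above `cutoff`: what `fail-build: true` with this
    `severity-cutoff` would fail the workflow on."""
    threshold = SEVERITY_ORDER.index(cutoff)
    return [rid for rid, sev in findings(sarif_text)
            if SEVERITY_ORDER.index(sev) >= threshold]

if __name__ == "__main__":
    for cutoff in ("critical", "high"):  # before and after this PR's commit
        print(f"severity-cutoff={cutoff}: fails on {violates_cutoff(SAMPLE_SARIF, cutoff)}")
```

With the old cutoff only the 9.8 finding fails the build; with `high` the 7.5 finding does too, while the medium one is still reported in the SARIF upload without failing the job.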
@svengo svengo merged commit 517e492 into main Nov 7, 2024
10 checks passed
@svengo svengo deleted the svengo-create-anchore-action branch November 7, 2024 07:33
@svengo svengo mentioned this pull request Nov 7, 2024
@coderabbitai coderabbitai bot mentioned this pull request Dec 13, 2024