From 2d40733e9c6caee8441e21b6b14654a8b071e729 Mon Sep 17 00:00:00 2001 From: Razco Date: Wed, 11 Jan 2023 19:35:16 +0200 Subject: [PATCH 01/23] remove key from prod yaml --- .github/workflows/dockerhub_push.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index 5913a7ce..d73de83b 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -9,7 +9,7 @@ on: - 'v*' # Disabled: Allows you to run this workflow manually from the Actions tab (because auto tagging won't work) - # workflow_dispatch: + workflow_dispatch: jobs: # ====== Todos Backend (build and deploy) ====== @@ -31,15 +31,24 @@ jobs: with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + exit-code: '1' + ignore-unfixed: true +# vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' - name: Docker meta id: meta uses: docker/metadata-action@v3 with: - images: permitio/pdp + images: permitio/pdp-v2 tags: | type=ref,event=branch type=semver,pattern={{version}} + type=raw,value=latest,enable=${{ $GITHUB_EVENT_NAME == 'workflow_dispatch' }} - name: Echo published tags run: | From 9540c7c416fc0cef1df4a3a60f70b45293949393 Mon Sep 17 00:00:00 2001 From: Razco Date: Wed, 11 Jan 2023 19:40:16 +0200 Subject: [PATCH 02/23] remove key from prod yaml --- .github/workflows/dockerhub_push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index d73de83b..31fa5f75 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml 
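Review bot: The new scanner step references `aquasecurity/trivy-action@master`, a moving branch, so the code that runs in this job — with the Docker Hub credentials already in scope from the login step just above it — can change without any review on this side; pin it to the full 40-character commit SHA with the version in a trailing comment, `uses: aquasecurity/trivy-action@<full sha> # 0.8.0`, and let Dependabot move the pin. Note also that `scan-type: 'fs'` scans the checked-out repository, not the image that is built and pushed later in the job, so base-image OS packages are never examined; an `image` scan of the built tag before the push would close that gap. The added `enable=${{ $GITHUB_EVENT_NAME == 'workflow_dispatch' }}` is not valid expression syntax (`$GITHUB_EVENT_NAME` is a shell variable; the expression context is `github.event_name`), so as written this `latest` rule will not behave as intended.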
@@ -48,7 +48,7 @@ jobs: tags: | type=ref,event=branch type=semver,pattern={{version}} - type=raw,value=latest,enable=${{ $GITHUB_EVENT_NAME == 'workflow_dispatch' }} +# type=raw,value=latest,enable=${{ $GITHUB_EVENT_NAME == 'workflow_dispatch' }} - name: Echo published tags run: | From 43d90927c986d3bf7a7e3fe4c470f1b6ec0c02cc Mon Sep 17 00:00:00 2001 From: Razco Date: Tue, 17 Jan 2023 20:36:28 +0200 Subject: [PATCH 03/23] debugging --- .github/workflows/dockerhub_push.yml | 36 ++++++++++++++-------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index 31fa5f75..71b93f5a 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -2,8 +2,8 @@ name: Build and publish docker image on: push: # disable push new image on merge to master (because we don't want to push a "master" tag) - # branches: - # - 'master' + branches: + - 'master' # on every tags push, we will publish both the latest tag and the versioned tag (semver) tags: - 'v*' 
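Review bot: Re-enabling `branches: - 'master'` contradicts the comment directly above it, which says master pushes are disabled precisely so that no `master` image tag is published; with `type=ref,event=branch` still in the metadata step, every merge to master would now push a `permitio/pdp-v2:master` tag. If this is a temporary trigger for debugging it should not reach the default branch; if it is intended, update the comment and consider dropping the `type=ref,event=branch` rule so only semver and `latest` tags are produced.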
@@ -48,24 +48,24 @@ jobs: tags: | type=ref,event=branch type=semver,pattern={{version}} -# type=raw,value=latest,enable=${{ $GITHUB_EVENT_NAME == 'workflow_dispatch' }} + type=raw,value=latest,enable=${{ $GITHUB_EVENT_NAME == 'workflow_dispatch' }} - name: Echo published tags run: | echo "Published docker tags: ${{ steps.meta.outputs.tags }}" - - name: Build image and push - id: docker_build - uses: docker/build-push-action@v2 - with: - push: true - tags: ${{ steps.meta.outputs.tags }} - context: . - file: ./Dockerfile - #All available platforms: linux/arm64,linux/amd64,linux/riscv64,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6 - platforms: linux/arm64,linux/amd64 - build-args: | - READ_ONLY_GITHUB_TOKEN=${{ secrets.READ_ONLY_GITHUB_TOKEN }} - - - name: Image digest - run: echo ${{ steps.docker_build.outputs.digest }} +# name: Build image and push +# id: docker_build +# uses: docker/build-push-action@v2 +# with: +# push: true +# tags: ${{ steps.meta.outputs.tags }} +# context: . +# file: ./Dockerfile +# #All available platforms: linux/arm64,linux/amd64,linux/riscv64,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6 +# platforms: linux/arm64,linux/amd64 +# build-args: | +# READ_ONLY_GITHUB_TOKEN=${{ secrets.READ_ONLY_GITHUB_TOKEN }} +# - +# name: Image digest +# run: echo ${{ steps.docker_build.outputs.digest }} From d712811e800ae4ed9e77f511c98d80db99f87b88 Mon Sep 17 00:00:00 2001 From: Razco Date: Tue, 17 Jan 2023 20:38:07 +0200 Subject: [PATCH 04/23] debugging --- .github/workflows/dockerhub_push.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index 71b93f5a..51526164 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml 
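Review bot: Commenting out the build step leaves the preceding `-` list marker (kept as a context line above `#        name: Build image and push`) as a sequence item with no body, so `steps` would end with a null entry and the workflow fails to parse — assuming the collapsed rendering here reflects the real indentation. Either comment out that marker line as well, or delete the step instead of commenting it. When the `build-args: READ_ONLY_GITHUB_TOKEN=...` line comes back, it is worth changing: a build arg is recorded in the layer history of any stage that consumes it and is readable by anyone who can pull the image (harmless only if it is used solely in a non-final stage), whereas a BuildKit `secrets:` input with `RUN --mount=type=secret,...` in the Dockerfile keeps it out of the image.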
@@ -2,11 +2,11 @@ name: Build and publish docker image on: push: # disable push new image on merge to master (because we don't want to push a "master" tag) - branches: - - 'master' +# branches: +# - 'master' # on every tags push, we will publish both the latest tag and the versioned tag (semver) - tags: - - 'v*' +# tags: +# - 'v*' # Disabled: Allows you to run this workflow manually from the Actions tab (because auto tagging won't work) workflow_dispatch: From 41c5608bd57549be9296eae4cb799c31b299b018 Mon Sep 17 00:00:00 2001 From: Razco Date: Tue, 17 Jan 2023 20:39:26 +0200 Subject: [PATCH 05/23] debugging --- .github/workflows/dockerhub_push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index 51526164..dd340b06 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -48,7 +48,7 @@ jobs: tags: | type=ref,event=branch type=semver,pattern={{version}} - type=raw,value=latest,enable=${{ $GITHUB_EVENT_NAME == 'workflow_dispatch' }} + type=raw,value=latest,enable=${{ $GITHUB_EVENT_NAME == "workflow_dispatch" }} - name: Echo published tags run: | From 005c87132b30e189200068cb693e0294bfd68f7b Mon Sep 17 00:00:00 2001 From: Razco Date: Tue, 17 Jan 2023 20:40:04 +0200 Subject: [PATCH 06/23] debugging --- .github/workflows/dockerhub_push.yml | 2 +- .github/workflows/ecr_push.yml | 60 ++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/ecr_push.yml diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index dd340b06..f58c186c 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -53,7 +53,7 @@ jobs: name: Echo published tags run: | echo "Published docker tags: ${{ steps.meta.outputs.tags }}" - - +# - # name: Build image and push # id: docker_build # uses: docker/build-push-action@v2 
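Review bot: With both `branches:` and `tags:` commented out, `push:` is left with no value, and a bare `push:` trigger fires on every push to every branch and tag — the opposite of what the comment says this block is meant to disable. To keep only the manual trigger, comment out the `push:` key too; to keep release builds, leave `tags: - 'v*'` in place.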
diff --git a/.github/workflows/ecr_push.yml b/.github/workflows/ecr_push.yml new file mode 100644 index 00000000..12abb41a --- /dev/null +++ b/.github/workflows/ecr_push.yml @@ -0,0 +1,60 @@ +name: Build and publish docker image to ECR +on: + push: + tags: + - 'v*' + +jobs: + build-and-publish-image: + runs-on: ubuntu-latest + steps: + - + name: Checkout + uses: actions/checkout@v3 + - + name: Set up QEMU + uses: docker/setup-qemu-action@v2 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - + - name: AWS Auth - Assume OIDC Github Role + uses: aws-actions/configure-aws-credentials@v1.6.1 + with: + role-to-assume: ${{ secrets.ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + role-session-name: githubactions + + - name: Amazon ECR Login - Root Account + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + + - name: Docker meta + id: meta + uses: docker/metadata-action@v3 + with: + images: permitio/pdp + tags: | + type=ref,event=branch + type=semver,pattern={{version}} + - + name: Echo published tags + run: | + echo "Published docker tags: ${{ steps.meta.outputs.tags }}" + - + name: Build image and push + id: docker_build + uses: docker/build-push-action@v2 + with: + push: true + tags: ${{ steps.meta.outputs.tags }} + + context: . + file: ./Dockerfile + platforms: linux/arm64,linux/amd64 + build-args: | + READ_ONLY_GITHUB_TOKEN=${{ secrets.READ_ONLY_GITHUB_TOKEN }} + - + name: Image digest + run: echo ${{ steps.docker_build.outputs.digest }} From 7f1df173db8a91d929bd07e24c8bf358ae8207a0 Mon Sep 17 00:00:00 2001 From: Razco Date: Tue, 17 Jan 2023 20:42:44 +0200 Subject: [PATCH 07/23] debugging --- .github/workflows/dockerhub_push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index f58c186c..eb97749b 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml 
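Review bot: The `AWS Auth - Assume OIDC Github Role` step cannot mint an OIDC token because the workflow declares no `permissions:` block and the default `GITHUB_TOKEN` does not carry `id-token: write`; `${{ env.AWS_REGION }}` is also referenced without any `env:` defined in this file, so the region resolves to an empty string. The build step passes `READ_ONLY_GITHUB_TOKEN` as a `build-arg`, which is recorded in the layer history of whichever stage consumes it and is readable by anyone who can pull the image; a BuildKit secret mount keeps it out of the image (the matching `RUN --mount=type=secret,id=read_only_github_token` belongs in the Dockerfile, which is outside this file). Two smaller things: the bare `-` immediately before `- name: AWS Auth` reads as an empty list item if the collapsed rendering is faithful, and `images: permitio/pdp` is a Docker Hub-style name although the job logs into ECR — the tags should presumably be built from `${{ steps.login-ecr.outputs.registry }}`.
```yaml
name: Build and publish docker image to ECR
on:
  push:
    tags:
      - 'v*'

permissions:
  contents: read
  id-token: write  # required for configure-aws-credentials to obtain the OIDC token

env:
  AWS_REGION: ${{ vars.AWS_REGION }}  # was referenced below but never defined; a literal region also works

# … unchanged: jobs, checkout/QEMU/buildx, AWS auth, ECR login, docker meta, echo …
        with:
          # … unchanged: push, tags, context, file, platforms …
          secrets: |
            read_only_github_token=${{ secrets.READ_ONLY_GITHUB_TOKEN }}
```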
@@ -48,7 +48,7 @@ jobs: tags: | type=ref,event=branch type=semver,pattern={{version}} - type=raw,value=latest,enable=${{ $GITHUB_EVENT_NAME == "workflow_dispatch" }} + type=raw,value=latest,enable=${{ github.event_name == 'workflow_dispatch' }} - name: Echo published tags run: | From ba26c9844463f49c7012dcceee9ace51f038728f Mon Sep 17 00:00:00 2001 From: Razco Date: Tue, 17 Jan 2023 21:07:12 +0200 Subject: [PATCH 08/23] debugging --- .github/workflows/dockerhub_push.yml | 4 ++++ trivy-secret.yaml | 9 +++++++++ 2 files changed, 13 insertions(+) create mode 100644 trivy-secret.yaml diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index eb97749b..f2516b80 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -31,6 +31,10 @@ jobs: with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Custom Trivy Secret Config + run: | + echo " - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: diff --git a/trivy-secret.yaml b/trivy-secret.yaml new file mode 100644 index 00000000..dbe5a579 --- /dev/null +++ b/trivy-secret.yaml @@ -0,0 +1,9 @@ +rules: + - id: permit_api_key_rule + category: general + title: Permit Api Key Rule + severity: CRITICAL + keywords: + - permit_key + regex: .*permit_key.* + secret-group-name: secret From 05de0e05541b62c1604468fb1289d765058b6105 Mon Sep 17 00:00:00 2001 From: Razco Date: Tue, 17 Jan 2023 21:07:31 +0200 Subject: [PATCH 09/23] debugging --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index de7da89e..ba438717 100644 --- a/setup.py +++ b/setup.py @@ -7,7 +7,7 @@ def get_requirements(env=""): if env: env = "-{}".format(env) - with open("requirements{}.txt".format(env)) as fp: + with open("requipermit_keyrements{}.txt".format(env)) as fp: return [x.strip() for x in fp.read().split("\n") if not x.startswith("#")] 
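Review bot: `regex: .*permit_key.*` matches any line that merely contains the text `permit_key` — variable names, docs, even this rule file's own `keywords:` entry — and captures no value, so every hit is a CRITICAL false positive, and `secret-group-name: secret` names a capture group the pattern does not define. Anchor the rule on the real key format (its prefix and character set) with a named `secret` group, and keep `keywords` as the cheap pre-filter it is meant to be rather than the whole match.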
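Review bot: Splicing `permit_key` into the `open()` path turns `requirements.txt` into `requipermit_keyrements.txt`, so `get_requirements()` raises `FileNotFoundError` and installing the package fails for as long as this is on the branch. A scanner canary belongs in a fixture file under a test path, not in a live code path of `setup.py`; if a real file is needed to exercise the rule, keep it out of the packaging code.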
From 67ad30f485eda9a9525509f09cf652c77279b7c9 Mon Sep 17 00:00:00 2001 From: Razco Date: Tue, 17 Jan 2023 21:08:24 +0200 Subject: [PATCH 10/23] debugging --- .github/workflows/dockerhub_push.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index f2516b80..a6782bc9 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -32,9 +32,6 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Custom Trivy Secret Config - run: | - echo " - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: From 16219e5df89fba593bd99b52663a1c4f8f67f160 Mon Sep 17 00:00:00 2001 From: Razco Date: Tue, 17 Jan 2023 21:10:15 +0200 Subject: [PATCH 11/23] debugging --- .github/workflows/dockerhub_push.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index a6782bc9..075d8ba9 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -40,6 +40,8 @@ jobs: ignore-unfixed: true # vuln-type: 'os,library' severity: 'CRITICAL,HIGH' + trivy-config: trivy-secret.yaml + - name: Docker meta id: meta From 0a3e751742fa2579dbef6acd8ec99ff14b3586d1 Mon Sep 17 00:00:00 2001 From: Razco Date: Tue, 17 Jan 2023 21:15:18 +0200 Subject: [PATCH 12/23] debugging --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index ba438717..0da7023d 100644 --- a/setup.py +++ b/setup.py @@ -7,7 +7,7 @@ def get_requirements(env=""): if env: env = "-{}".format(env) - with open("requipermit_keyrements{}.txt".format(env)) as fp: + with open("requiaws_secret_access_key=BIAs7rements{}.txt".format(env)) as fp: return [x.strip() for x in fp.read().split("\n") if not x.startswith("#")] From 931f7369c40bfd88e1a600aac50663ea565b2423 Mon Sep 17 00:00:00 2001 
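Review bot: `trivy-config:` is the action's input for Trivy's main configuration file (`--config`, normally `trivy.yaml`), whose schema is a set of option keys, not the `rules:` format used by `trivy-secret.yaml`; as I read the Trivy docs, passing the rule file here is either ignored or fails to load. Trivy already picks up a `trivy-secret.yaml` in the scan root by default, so this line can simply be dropped; if you want it explicit, point `trivy-config` at a `trivy.yaml` whose content is `secret:` / `  config: trivy-secret.yaml`.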
From: Razco Date: Tue, 17 Jan 2023 21:21:54 +0200 Subject: [PATCH 13/23] debugging --- a.pem | 1 + setup.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 a.pem diff --git a/a.pem b/a.pem new file mode 100644 index 00000000..f05debd2 --- /dev/null +++ b/a.pem @@ -0,0 +1 @@ +-----BEGIN RSA PRIVATE KEY----- \ No newline at end of file diff --git a/setup.py b/setup.py index 0da7023d..de7da89e 100644 --- a/setup.py +++ b/setup.py @@ -7,7 +7,7 @@ def get_requirements(env=""): if env: env = "-{}".format(env) - with open("requiaws_secret_access_key=BIAs7rements{}.txt".format(env)) as fp: + with open("requirements{}.txt".format(env)) as fp: return [x.strip() for x in fp.read().split("\n") if not x.startswith("#")] From e065f2cd81b6f5d60029867425900c24498bb5a8 Mon Sep 17 00:00:00 2001 From: Razco Date: Tue, 17 Jan 2023 21:25:39 +0200 Subject: [PATCH 14/23] debugging --- .github/workflows/dockerhub_push.yml | 2 +- a.pem | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 a.pem diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index 075d8ba9..fc03f488 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -38,7 +38,7 @@ jobs: scan-type: 'fs' exit-code: '1' ignore-unfixed: true -# vuln-type: 'os,library' + security-checks: 'vuln,secret' severity: 'CRITICAL,HIGH' trivy-config: trivy-secret.yaml diff --git a/a.pem b/a.pem deleted file mode 100644 index f05debd2..00000000 --- a/a.pem +++ /dev/null @@ -1 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- \ No newline at end of file From 1830177dfbdf5c5c0b1c6a95be1fb7bbe604c3d8 Mon Sep 17 00:00:00 2001 From: Razco Date: Tue, 17 Jan 2023 21:26:59 +0200 Subject: [PATCH 15/23] debugging --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index de7da89e..dab3b552 100644 --- a/setup.py +++ b/setup.py 
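Review bot: Even though it is deleted again in the following commit, `a.pem` with a `-----BEGIN RSA PRIVATE KEY-----` header now lives in the branch history, and history-aware scanners (gitleaks, GitHub secret scanning, push protection) will keep flagging it until the branch is rewritten. Temporary canaries like this are better created by the workflow itself at run time, or kept on a throwaway branch, so they never enter committed history.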
@@ -7,7 +7,7 @@ def get_requirements(env=""): if env: env = "-{}".format(env) - with open("requirements{}.txt".format(env)) as fp: + with open("requiaws_secret_access_key=BIAs7permit_keyrements{}.txt".format(env)) as fp: return [x.strip() for x in fp.read().split("\n") if not x.startswith("#")] From eef1645e6cb534b7d87f37898b4fada09e786442 Mon Sep 17 00:00:00 2001 From: Razco Date: Wed, 18 Jan 2023 12:26:01 +0200 Subject: [PATCH 16/23] debugging --- Dockerfile | 2 +- setup.py | 2 +- trivy-secret.yaml | 4 +--- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index b31e3e80..bdcdb43f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,7 +25,7 @@ RUN apt-get update && \ RUN groupadd -r permit RUN useradd -m -s /bin/bash -g permit -d /home/permit permit - +RUN export asdfaspermit_key_asdfasdfasdf # copy libraries from build stage RUN mkdir /home/permit/.local COPY --from=BuildStage /root/.local /home/permit/.local diff --git a/setup.py b/setup.py index dab3b552..de7da89e 100644 --- a/setup.py +++ b/setup.py @@ -7,7 +7,7 @@ def get_requirements(env=""): if env: env = "-{}".format(env) - with open("requiaws_secret_access_key=BIAs7permit_keyrements{}.txt".format(env)) as fp: + with open("requirements{}.txt".format(env)) as fp: return [x.strip() for x in fp.read().split("\n") if not x.startswith("#")] diff --git a/trivy-secret.yaml b/trivy-secret.yaml index dbe5a579..904eb00f 100644 --- a/trivy-secret.yaml +++ b/trivy-secret.yaml @@ -3,7 +3,5 @@ rules: category: general title: Permit Api Key Rule severity: CRITICAL - keywords: - - permit_key - regex: .*permit_key.* + regex: .(?i)(?P(permit_key))(=|_)(?P[0-9a-zA-Z\-_=]{8,64}) secret-group-name: secret From dce45e61c573461013e391dda0f98854972774d0 Mon Sep 17 00:00:00 2001 From: Razco Date: Wed, 18 Jan 2023 12:31:53 +0200 Subject: [PATCH 17/23] debugging --- .github/workflows/dockerhub_push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
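Review bot: `RUN export asdfaspermit_key_asdfasdfasdf` is a planted canary in the production Dockerfile: `export` of a bare name is a no-op in the shell, but the instruction still lands in the image's layer history and ships with every build. Scanner test data belongs in a fixture directory; if the goal is to confirm the `permit_key` rule fires on Dockerfiles, a file under a test path that is excluded from the Docker build context does the same job without touching the released image.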
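Review bot: As rendered here the new pattern is `.(?i)(?P(permit_key))(=|_)(?P[0-9a-zA-Z\-_=]{8,64})`, where both `(?P` groups are immediately followed by `(` with no group name between them — if angle-bracketed names (`key`, `secret`) were stripped by the rendering this is fine, but if the file really looks like this the regex does not compile and `secret-group-name: secret` has nothing to refer to. Separately, the leading `.` requires one arbitrary character before `permit_key`, so a key at the very start of a line or value is missed, and the `(?i)` flag belongs at the start of the pattern: drop the leading `.`, move `(?i)` to position zero, and name the two groups `key` and `secret` with the RE2 `(?P` angle-bracket syntax.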
diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index fc03f488..9de9fdf8 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -36,7 +36,7 @@ jobs: uses: aquasecurity/trivy-action@master with: scan-type: 'fs' - exit-code: '1' + exit-code: '0' ignore-unfixed: true security-checks: 'vuln,secret' severity: 'CRITICAL,HIGH' From a7ded7d045a948bf6c820da8eac5586c020af503 Mon Sep 17 00:00:00 2001 From: Razco Date: Wed, 18 Jan 2023 12:36:52 +0200 Subject: [PATCH 18/23] debugging --- .github/workflows/dockerhub_push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index 9de9fdf8..fc03f488 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -36,7 +36,7 @@ jobs: uses: aquasecurity/trivy-action@master with: scan-type: 'fs' - exit-code: '0' + exit-code: '1' ignore-unfixed: true security-checks: 'vuln,secret' severity: 'CRITICAL,HIGH' From 0ea33c1e6268d94b89eb8383d60551e4635748f8 Mon Sep 17 00:00:00 2001 From: Razco Date: Wed, 18 Jan 2023 12:48:52 +0200 Subject: [PATCH 19/23] debugging --- .github/workflows/dockerhub_push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index fc03f488..e8ee7ea5 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -33,7 +33,7 @@ jobs: password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.8.0 with: scan-type: 'fs' exit-code: '1' From 0eb97299fb9e036926c028495ef6b9bae4e5f40c Mon Sep 17 00:00:00 2001 From: Razco Date: Wed, 18 Jan 2023 12:50:14 +0200 Subject: [PATCH 20/23] debugging --- .github/workflows/dockerhub_push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
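Review bot: Moving off `@master` is the right direction, but `@v0.8.0` is still a mutable tag, and trivy-action publishes its tags without the `v` prefix, so this reference does not resolve at all. The durable pin is the full 40-character commit SHA with the version in a trailing comment, `uses: aquasecurity/trivy-action@<full sha> # 0.8.0`; the same applies to `docker/build-push-action@v2`, `docker/metadata-action@v3` and the registry login step in this workflow, which all run with the registry credentials in scope.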
diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index e8ee7ea5..d4436588 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -33,7 +33,7 @@ jobs: password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@v0.8.0 + uses: aquasecurity/trivy-action@0.8.0 with: scan-type: 'fs' exit-code: '1' From f658c84d6d2f157ab8eab8938461d6a6795677f6 Mon Sep 17 00:00:00 2001 From: Razco Date: Wed, 18 Jan 2023 12:51:35 +0200 Subject: [PATCH 21/23] debugging --- .github/workflows/dockerhub_push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index d4436588..b4548b6d 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -33,7 +33,7 @@ jobs: password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.8.0 + uses: aquasecurity/trivy-action@0.7.0 with: scan-type: 'fs' exit-code: '1' From 882dcad35c124e81c0429a8399ad99b6ec69e90f Mon Sep 17 00:00:00 2001 From: Razco Date: Wed, 18 Jan 2023 12:52:50 +0200 Subject: [PATCH 22/23] debugging --- .github/workflows/dockerhub_push.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index b4548b6d..f73c7867 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -37,9 +37,7 @@ jobs: with: scan-type: 'fs' exit-code: '1' - ignore-unfixed: true security-checks: 'vuln,secret' - severity: 'CRITICAL,HIGH' trivy-config: trivy-secret.yaml - From b028c647fb57f56f1e111b5dd83388d89809c87d Mon Sep 17 00:00:00 2001 From: Razco Date: Wed, 18 Jan 2023 12:59:32 +0200 Subject: [PATCH 23/23] debugging --- .github/workflows/dockerhub_push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
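Review bot: Dropping `severity:` and `ignore-unfixed:` while keeping `exit-code: '1'` means the build now fails on any finding of any severity, including LOW/UNKNOWN vulnerabilities and ones with no fix available, so there is no remediation path when an upstream package has an open CVE. If the intent is to make the secret check strict without loosening the vulnerability gate, split them: one Trivy step with `security-checks: 'secret'` and `exit-code: '1'`, and a second with `security-checks: 'vuln'`, `severity: 'CRITICAL,HIGH'` and `ignore-unfixed: true`.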
diff --git a/.github/workflows/dockerhub_push.yml b/.github/workflows/dockerhub_push.yml index f73c7867..e33ac5cf 100644 --- a/.github/workflows/dockerhub_push.yml +++ b/.github/workflows/dockerhub_push.yml @@ -33,7 +33,7 @@ jobs: password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.7.0 + uses: aquasecurity/trivy-action@0.8.0 with: scan-type: 'fs' exit-code: '1'