diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..5d62954
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,5 @@
+.git*
+*.md
+*test*.*
+Dockerfile
+LICENSE
\ No newline at end of file
diff --git a/.github/workflows/pr-scan.yml b/.github/workflows/pr-scan.yml
new file mode 100644
index 0000000..04c835d
--- /dev/null
+++ b/.github/workflows/pr-scan.yml
@@ -0,0 +1,106 @@
+name: PR Security Scan
+
+on:
+ pull_request_target:
+ types: [opened, synchronize, reopened]
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: 0
+ submodules: 'recursive'
+
+ - name: Build the Docker image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: false
+ load: true
+ tags: pr_image:${{ github.sha }}
+
+ - name: Run Trivy vulnerability scanner on image
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ image-ref: 'pr_image:${{ github.sha }}'
+ format: 'json'
+ output: 'trivy-image-results.json'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Run Trivy vulnerability scanner on source code
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'json'
+ output: 'trivy-fs-results.json'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Process Trivy scan results
+ id: process-results
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const fs = require('fs');
+ let commentBody = '## Security Scan Results for PR\n\n';
+
+ function processResults(results, title) {
+ let sectionBody = `### ${title}\n\n`;
+ if (results.Results && results.Results.some(result => result.Vulnerabilities && result.Vulnerabilities.length > 0)) {
+ sectionBody += '| Package | Version | Vulnerability | Severity |\n';
+ sectionBody += '|---------|---------|----------------|----------|\n';
+
+ const uniqueVulns = new Set();
+ results.Results.forEach(result => {
+ if (result.Vulnerabilities) {
+ result.Vulnerabilities.forEach(vuln => {
+ const vulnKey = `${vuln.PkgName}-${vuln.InstalledVersion}-${vuln.VulnerabilityID}`;
+ if (!uniqueVulns.has(vulnKey)) {
+ uniqueVulns.add(vulnKey);
+ sectionBody += `| ${vuln.PkgName} | ${vuln.InstalledVersion} | [${vuln.VulnerabilityID}](https://nvd.nist.gov/vuln/detail/${vuln.VulnerabilityID}) | ${vuln.Severity} |\n`;
+ }
+ });
+ }
+ });
+ } else {
+ sectionBody += '🎉 No vulnerabilities found!\n';
+ }
+ return sectionBody;
+ }
+
+ try {
+ const imageResults = JSON.parse(fs.readFileSync('trivy-image-results.json', 'utf8'));
+ const fsResults = JSON.parse(fs.readFileSync('trivy-fs-results.json', 'utf8'));
+
+ commentBody += processResults(imageResults, "Docker Image Scan Results");
+ commentBody += '\n';
+ commentBody += processResults(fsResults, "Source Code Scan Results");
+
+ } catch (error) {
+ commentBody += `There was an error while running the security scan: ${error.message}\n`;
+ commentBody += 'Please contact the core team for assistance.';
+ }
+
+ core.setOutput('comment-body', commentBody);
+ - name: Find Comment
+ uses: peter-evans/find-comment@v3
+ id: fc
+ with:
+ issue-number: ${{ github.event.pull_request.number }}
+ comment-author: 'github-actions[bot]'
+ body-includes: Security Scan Results for PR
+
+ - name: Create or update comment
+ uses: peter-evans/create-or-update-comment@v3
+ with:
+ issue-number: ${{ github.event.pull_request.number }}
+ comment-id: ${{ steps.fc.outputs.comment-id }}
+ body: ${{ steps.process-results.outputs.comment-body }}
+ edit-mode: replace
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
deleted file mode 100644
index 3712ce8..0000000
--- a/.github/workflows/test.yml
+++ /dev/null
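Review bot: The workflow triggers on `pull_request_target`, then checks out `ref: ${{ github.event.pull_request.head.sha }}` and runs `docker/build-push-action` with `context: .`, so the Dockerfile and build context supplied by an unreviewed fork PR are executed inside a job that holds a `pull-requests: write` GITHUB_TOKEN, which `actions/checkout` also persists into the workspace by default; that is the classic untrusted-checkout pattern `pull_request_target` is documented to warn about. The safer shape is to trigger the build and scan on `pull_request` (forks then get a read-only token and no secrets) and, if the bot comment must be posted from a privileged context, do that from a separate `workflow_run` job that only consumes the uploaded Trivy JSON artifacts. If `pull_request_target` is kept for some reason, at minimum add `persist-credentials: false` under the checkout step's `with:` so the token is not written into `.git/config` in the checked-out tree. Separately, every action here is referenced by a mutable tag (`@v4`, `@v5`, `@0.20.0`, `@v7`, `@v3`); pinning each to a full commit SHA with the tag in a trailing comment would close the supply-chain gap that a vulnerability-scanning workflow otherwise leaves open.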
@@ -1,26 +0,0 @@
-name: Test container structure
-
-on: [pull_request]
-
-env:
- REGISTRY: docker.io
- IMAGE_NAME: appwrite/base
- TAG: ${{ github.event.release.tag_name }}
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout the repo
- uses: actions/checkout@v3
-
- - name: Setup container structure test
- run: |
- curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64
- chmod +x container-structure-test-linux-amd64
- sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test
-
- - name: Run container structure test
- run: |
- docker build -t appwrite-base-test .
-container-structure-test test --image appwrite-base-test --config tests.yaml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 6a876d7..081334d 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -3,7 +3,7 @@
 # separate terms of service, privacy policy, and support
 # documentation.
-name: trivy
+name: Scheduled Trivy Vulnerability Scanning
 on:
 push:
diff --git a/.gitignore b/.gitignore
index 485dee6..8704376 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,4 @@
 .idea
+*.logs
+NOTES*.md
+trivy-*-results.json
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 4dd57ce..22e1aae 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -79,7 +79,7 @@ RUN \
 ./configure && \
 make && make install
-## Maxminddb extension
+## Maxminddb Extension
 FROM compile AS maxmind
 RUN \
 git clone --depth 1 --branch $PHP_MAXMINDDB_VERSION https://github.com/maxmind/MaxMind-DB-Reader-php.git && \
diff --git a/README.md b/README.md
index 1b4e37c..eee6aa4 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,10 @@
 # Docker Base
+[![Build Status](https://img.shields.io/travis/com/appwrite/docker-base?style=flat-square)](https://travis-ci.com/appwrite/docker-base)
 [![Discord](https://img.shields.io/discord/564160730845151244?label=discord&style=flat-square)](https://appwrite.io/discord)
 [![Docker Pulls](https://img.shields.io/docker/pulls/appwrite/base?color=f02e65&style=flat-square)](https://hub.docker.com/r/appwrite/base)
-[![Build Status](https://img.shields.io/travis/com/appwrite/docker-base?style=flat-square)](https://travis-ci.com/appwrite/docker-base)
-[![Twitter Account](https://img.shields.io/twitter/follow/appwrite?color=00acee&label=twitter&style=flat-square)](https://twitter.com/appwrite)
 [![Follow Appwrite on StackShare](https://img.shields.io/badge/follow%20on-stackshare-blue?style=flat-square)](https://stackshare.io/appwrite)
+[![Twitter Account](https://img.shields.io/twitter/follow/appwrite?color=00acee&label=twitter&style=flat-square)](https://twitter.com/appwrite)
 [Appwrite](https://appwrite.io) base docker image with applications and extensions built and installed.
@@ -12,49 +12,64 @@ These instructions will cover usage information to help your run Appwrite's base docker container.
-### Prerequisites
+### NOTE
-In order to run this container you'll need docker installed.
+* For example usage `latest` is stated in the commands. The Appwrite team recommends using pinned version releases outside of development.
+* We use `Docker` but you may use any compatible container runtime in its place.
+
+## Prerequisites
+
+In order to run this container you'll need the Docker runtime installed.
+
+**Docker**
-* [Windows](https://docs.docker.com/windows/started)
-* [OS X](https://docs.docker.com/mac/started/)
 * [Linux](https://docs.docker.com/linux/started/)
+* [OS X](https://docs.docker.com/mac/started/)
+* [Windows](https://docs.docker.com/windows/started)
-### Usage
+* [Docker buildx](https://github.com/docker/buildx)
-```shell
-docker run appwrite/base
-```
+**Optional**
-### Testing
+* [GoogleContainerTools/container-structure-test](https://github.com/GoogleContainerTools/container-structure-test) for testing
+* [Trivy](https://trivy.dev/) for CVE scanning
-We use [Container Structure Test](https://github.com/GoogleContainerTools/container-structure-test) to run test for the docker image. In order to run test first install Container strucutre test using the following command.
+## Build
-```bash
-curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 && chmod +x container-structure-test-linux-amd64 && sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test
+Typical building.
+
+```shell
+docker buildx build --tag appwrite/base:latest .
 ```
-### Run Test
+Multi-arch building.
-First build and tag the docker image and then run the test using the configuration file.
+```shell
+docker buildx build --platform linux/amd64,linux/arm64/v8,linux/ppc64le --push --tag appwrite/base:latest .
+```
-```bash
-docker build -t appwrite-base-test .
-container-structure-test test --config tests.yaml --image appwrite-base-test
+## Scan
+
+```shell
+trivy image --format json --pkg-types os,library --severity CRITICAL,HIGH --output trivy-image-results.json appwrite/base:latest
 ```
-### Build
+## Test
 ```bash
-docker build --tag appwrite/base:1.0.0 .
-
-docker push appwrite/base:1.0.0
+container-structure-test test --config tests.yaml --image appwrite/base:latest
 ```
-Multi-arch build (using [buildx](https://github.com/docker/buildx)):
+## Run
+```shell
+docker run appwrite/base:latest
 ```
-docker buildx build --platform linux/amd64,linux/arm64/v8,linux/ppc64le --tag appwrite/base:1.0.0 --push .
+
+## Push
+
+```bash
+docker push appwrite/base:latest
 ```
 ## Find Us