fix: scan docker image on cves & upgrade deps (#2373)

splunk · Mar 27, 2024 · de33bfc · de33bfc
1 parent 51e4a1b
commit de33bfc
Show file tree

Hide file tree

Showing 9 changed files with 44 additions and 24 deletions.
diff --git a/.github/workflows/ci-lite.yaml b/.github/workflows/ci-lite.yaml
@@ -154,6 +154,21 @@ jobs:
           cache-from: type=registry,ref=${{ needs.meta.outputs.container_base }}
           cache-to: type=inline
 
+  scan-docker-image-cves:
+    runs-on: ubuntu-latest
+    name: Scan docker image on CVEs
+    needs:
+      - meta
+      - build_action
+    steps:
+      - name: Run docker vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ needs.meta.outputs.container_base }}
+          format: 'table'
+          exit-code: '1'
+          severity: 'CRITICAL,HIGH'
+
   test-container:
     runs-on: ubuntu-latest
     needs:

diff --git a/.github/workflows/ci-main.yaml b/.github/workflows/ci-main.yaml
@@ -153,6 +153,21 @@ jobs:
             REVISION=${{ needs.meta.outputs.container_revision }}
           cache-from: type=registry,ref=${{ needs.meta.outputs.container_base }}
           cache-to: type=inline
+
+  scan-docker-image-cves:
+    runs-on: ubuntu-latest
+    name: Scan docker image on CVEs
+    needs:
+      - meta
+      - build_action
+    steps:
+      - name: Run docker vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ needs.meta.outputs.container_base }}
+          format: 'table'
+          exit-code: '1'
+          severity: 'CRITICAL,HIGH'
 
   test-container:
     runs-on: ubuntu-latest

diff --git a/package/Dockerfile b/package/Dockerfile
@@ -16,7 +16,7 @@
 #work.  If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
 
 
-ARG SYSLOGNG_VERSION=4.5.0
+ARG SYSLOGNG_VERSION=4.6.0
 FROM ghcr.io/axoflow/axosyslog:${SYSLOGNG_VERSION}
 
 
@@ -40,7 +40,7 @@ RUN apk add -U --upgrade --no-cache \
       wget \
       cargo \
       ca-certificates \
-    && curl -fsSL https://goss.rocks/install | GOSS_VER=v0.4.4 sh \
+    && curl -fsSL https://goss.rocks/install | GOSS_VER=v0.4.6 sh \
     && groupadd --gid 1024 syslog \
     && useradd -M -g 1024 -u 1024 syslog \
     && usermod -L syslog \

diff --git a/package/Dockerfile.lite b/package/Dockerfile.lite
@@ -16,7 +16,7 @@
 #work.  If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
 
 
-ARG SYSLOGNG_VERSION=4.5.0
+ARG SYSLOGNG_VERSION=4.6.0
 FROM ghcr.io/axoflow/axosyslog:${SYSLOGNG_VERSION}
 
 
@@ -40,7 +40,7 @@ RUN apk add -U --upgrade --no-cache \
       wget \
       cargo \
       ca-certificates \
-    && curl -fsSL https://goss.rocks/install | GOSS_VER=v0.4.4 sh \
+    && curl -fsSL https://goss.rocks/install | GOSS_VER=v0.4.6 sh \
     && groupadd --gid 1024 syslog \
     && useradd -M -g 1024 -u 1024 syslog \
     && usermod -L syslog \

diff --git a/package/etc/syslog-ng.conf b/package/etc/syslog-ng.conf
@@ -1,4 +1,4 @@
-@version:4.5
+@version:4.6
 
 
 # syslog-ng configuration file.

diff --git a/package/lite/etc/syslog-ng.conf.jinja b/package/lite/etc/syslog-ng.conf.jinja
@@ -1,4 +1,4 @@
-@version:4.5
+@version:4.6
 
 
 # syslog-ng configuration file.

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -12,6 +12,7 @@ sqlitedict = "^2.0.0"
 requests = "^2.28.1"
 shortuuid = "^1.0.11"
 pyyaml = "6.0.1"
+setuptools = ">=69.0"
 
 
 [tool.poetry.group.dev.dependencies]

diff --git a/tests/Dockerfile.nc b/tests/Dockerfile.nc
@@ -1,4 +1,4 @@
-ARG SYSLOGNG_VERSION=4.5.0
+ARG SYSLOGNG_VERSION=4.6.0
 FROM ghcr.io/axoflow/axosyslog:${SYSLOGNG_VERSION}
 
 RUN apk add -U netcat-openbsd