From e8c8e5afd342249ffcb2bedd391b00fbc693da1b Mon Sep 17 00:00:00 2001 From: NyakudyaA Date: Tue, 31 Dec 2024 11:46:33 +0200 Subject: [PATCH] add security option --- .github/workflows/build-latest.yaml | 68 ++++++++++++++--------------- README.md | 8 ++++ 2 files changed, 42 insertions(+), 34 deletions(-) diff --git a/.github/workflows/build-latest.yaml b/.github/workflows/build-latest.yaml index 171d6485..991b871f 100644 --- a/.github/workflows/build-latest.yaml +++ b/.github/workflows/build-latest.yaml @@ -134,40 +134,40 @@ jobs: name: kartoza-geoserver path: /tmp/geoserver.tar -# scan_image: -# runs-on: ubuntu-latest -# timeout-minutes: 20 -# if: | -# github.actor != 'dependabot[bot]' && -# !( -# contains(github.event.pull_request.title, '[skip-release]') || -# contains(github.event.comment.body, '/skiprelease') -# ) -# needs: [run-scenario-tests] -# steps: -# - uses: actions/checkout@v4 -# - name: Download artifact -# uses: actions/download-artifact@v4 -# with: -# name: kartoza-geoserver -# path: /tmp -# - name: Load image -# run: | -# docker load --input /tmp/geoserver.tar -# - name: Run Trivy vulnerability scanner -# uses: aquasecurity/trivy-action@master -# with: -# format: 'sarif' -# ignore-unfixed: true -# image-ref: kartoza/geoserver:manual-build -# output: 'trivy-results.sarif' -# severity: 'CRITICAL,HIGH' -# vuln-type: 'os,library' -# -# - name: Upload Trivy scan results to GitHub Security tab -# uses: github/codeql-action/upload-sarif@v3 -# with: -# sarif_file: 'trivy-results.sarif' + scan_image: + runs-on: ubuntu-latest + timeout-minutes: 20 + if: | + github.actor != 'dependabot[bot]' && + !( + contains(github.event.pull_request.title, '[skip-release]') || + contains(github.event.comment.body, '/skiprelease') + ) + needs: [run-scenario-tests] + steps: + - uses: actions/checkout@v4 + - name: Download artifact + uses: actions/download-artifact@v4 + with: + name: kartoza-geoserver + path: /tmp + - name: Load image + run: | + docker load --input /tmp/geoserver.tar + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + format: 'sarif' + ignore-unfixed: true + image-ref: kartoza/geoserver:manual-build + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + vuln-type: 'os,library' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' run-scenario-tests: runs-on: ubuntu-latest diff --git a/README.md b/README.md index 4019087c..e7c353e1 100755 --- a/README.md +++ b/README.md @@ -650,6 +650,14 @@ to see if there are no issues reported there. We rely on the GeoServer community issues. For urgent upstream problems, you will need to get paid support from the developers in [GeoServer](https://geoserver.org/). +### Security Vulnerabilities +The published image uses [Trivy](https://trivy.dev/latest/) for scanning vulnerabilities. The vulnerabilities +are listed in the [security section](https://github.com/kartoza/docker-geoserver/security/code-scanning). +You can also use other tools to scan the image for vulnerabilities. If you +discover vulnerabilities related to how this image is packaged please raise it +as an issue and label it with `security` tag. For reporting other upstream security +issues please follow the guidelines from [upstream geoserver](https://github.com/geoserver/geoserver/blob/main/SECURITY.md) + Other platforms where users can ask questions and get assistance are listed below: * [Stack Exchange](https://stackexchange.com/) * [GeoServer Mailing lists](https://sourceforge.net/projects/geoserver/lists/geoserver-users)