Commit 8dd5a7a
Fix CVEs and add docker-scout action to CI (#304)
* Remove binutils from final image to fix CVE-2025-69649 and CVE-2025-69650
Separate build-time dependencies into a virtual package (.build-deps)
and remove them after pip install, eliminating vulnerable binutils
from the runtime image.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Move build-deps install/remove into same RUN layer as pip install
Addresses PR review feedback: installing .build-deps in one layer and
removing in another still persists binutils in earlier layers, which
layer-aware scanners flag. Now build-base is installed and removed
within a single RUN to fully eliminate CVE-2025-69649/CVE-2025-69650.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add Docker Scout CVE scanning to PR CI pipeline
Extract image build into a shared build-pdp-image job and pass
the image via artifact to both pdp-tester and a new docker-scout
job. Scout scans for critical/high CVEs on pull requests and
uploads SARIF results to GitHub Code Scanning.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix CR comments
* Add checkout step to GitHub Actions workflow for tests
This update introduces a checkout step in the tests.yml workflow to ensure the code is available for subsequent steps, enhancing the CI process.
* Update GitHub Actions release workflow permissions
This commit adds write permissions for pull-requests and security-events in the release.yml workflow, enhancing the CI/CD process by allowing better integration with GitHub features.
* Update Dockerfile to remove wget installation
This commit modifies the Dockerfile by removing the installation of wget from the apk add command, streamlining the image build process.
* Enhance Docker Scout CVE scanning in GitHub Actions workflow
This commit updates the tests.yml workflow to include a new Docker Scout CVE gate step that specifically checks for high and critical vulnerabilities, while also modifying the existing CVE report step to include all severities without exiting on failure. This improves the security scanning process during CI/CD.
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent f694c58 commit 8dd5a7a
3 files changed
Lines changed: 85 additions & 5 deletions
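The review feedback recorded in the commit message (installing `.build-deps` in one RUN and `apk del`-ing it in a later RUN still leaves binutils in the earlier layer) is easy to reintroduce in a future edit. The following is an added example, not code from this PR or the project: a small lint that reads a Dockerfile, joins line continuations, splits each RUN body into shell commands, and reports any `apk add --virtual` group that is not deleted within the same RUN instruction. The two Dockerfile texts are constructed samples modelled on the before/after shape the commit message describes; the function and constant names are the example's own.

```python
"""Lint a Dockerfile for apk virtual packages that outlive their RUN layer.

Added example (not the project's code). Rationale, from the PR review:
`apk add --virtual .build-deps build-base` in one RUN and `apk del .build-deps`
in another still leaves the build-deps files in the earlier image layer, where a
layer-aware scanner such as Docker Scout will flag them. Add and delete must
happen inside a single RUN so the files never land in a committed layer.
"""
import re
import shlex

# Constructed sample: build deps added in one layer, removed in a later one.
BEFORE = r"""
FROM python:3.12-alpine
WORKDIR /app
COPY requirements.txt .
RUN apk add --no-cache --virtual .build-deps build-base
RUN pip install --no-cache-dir -r requirements.txt
RUN apk del .build-deps
COPY . .
CMD ["python", "-m", "app"]
"""

# Constructed sample: add, use and delete inside a single RUN instruction.
AFTER = r"""
FROM python:3.12-alpine
WORKDIR /app
COPY requirements.txt .
RUN apk add --no-cache --virtual .build-deps build-base \
    && pip install --no-cache-dir -r requirements.txt \
    && apk del .build-deps
COPY . .
CMD ["python", "-m", "app"]
"""


def run_instructions(dockerfile: str) -> list[str]:
    """Return the shell body of every RUN instruction, continuations joined."""
    joined = re.sub(r"\\\s*\n", " ", dockerfile)
    bodies = []
    for line in joined.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith("RUN "):
            bodies.append(stripped[4:].strip())
    return bodies


def shell_commands(run_body: str) -> list[list[str]]:
    """Split one RUN body into simple commands on &&, ||, ; and |."""
    lexer = shlex.shlex(run_body, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in ("&&", "||", ";", "|"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def lint_build_deps(dockerfile: str) -> list[str]:
    """Report virtual apk groups that are never deleted or deleted in a later RUN.

    An empty list means every `--virtual` group is removed in the RUN that added it.
    """
    added, removed = {}, {}  # virtual group name -> index of the RUN (0-based)
    for idx, body in enumerate(run_instructions(dockerfile)):
        for cmd in shell_commands(body):
            if cmd[:2] == ["apk", "add"]:
                for i, tok in enumerate(cmd):
                    if tok == "--virtual" and i + 1 < len(cmd):
                        added.setdefault(cmd[i + 1], idx)
                    elif tok.startswith("--virtual="):
                        added.setdefault(tok.split("=", 1)[1], idx)
            elif cmd[:2] == ["apk", "del"]:
                for tok in cmd[2:]:
                    if not tok.startswith("-"):
                        removed.setdefault(tok, idx)
    findings = []
    for name, add_idx in added.items():
        if name not in removed:
            findings.append(f"{name}: added in RUN #{add_idx + 1} but never removed")
        elif removed[name] != add_idx:
            findings.append(
                f"{name}: added in RUN #{add_idx + 1} but removed in RUN #{removed[name] + 1}; "
                f"its files persist in the layer committed by RUN #{add_idx + 1}"
            )
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_build_deps(text) or "ok")
```

The check only understands `apk` virtual groups joined by shell operators; a RUN that uses a heredoc or a helper script would need the script's contents inspected as well. Even with a clean result, the scanner gate in CI remains the authoritative check, since the lint reasons about Dockerfile text, not about what actually ended up in each layer.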
[The diff bodies were not captured on this page; only the line-number skeleton of the three per-file tables survived, without file names. The commit message names tests.yml, release.yml and the Dockerfile as the files touched. Recoverable structure, per table:]
- File 1: one hunk around lines 13-22; 4 lines added (new lines 16-19).
- File 2: three hunks: old line 38 replaced by new line 38; 22 lines added after old line 76 (new lines 77-98); 51 lines added after old line 122 (new lines 145-195).
- File 3: two hunks: old lines 104-105 replaced by new lines 104-106 and old line 110 replaced by new line 111; one line added after old line 142 (new line 143) and old line 145 replaced by new lines 147-148.
[Totals match the stated 85 additions and 5 deletions.]