Commit 8dd5a7a

omer9564 and claude authored
Fix CVEs and add docker-scout action to CI (#304)
* Remove binutils from final image to fix CVE-2025-69649 and CVE-2025-69650
  Separate build-time dependencies into a virtual package (.build-deps) and remove them after pip install, eliminating vulnerable binutils from the runtime image.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Move build-deps install/remove into same RUN layer as pip install
  Addresses PR review feedback: installing .build-deps in one layer and removing in another still persists binutils in earlier layers, which layer-aware scanners flag. Now build-base is installed and removed within a single RUN to fully eliminate CVE-2025-69649/CVE-2025-69650.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add Docker Scout CVE scanning to PR CI pipeline
  Extract image build into a shared build-pdp-image job and pass the image via artifact to both pdp-tester and a new docker-scout job. Scout scans for critical/high CVEs on pull requests and uploads SARIF results to GitHub Code Scanning.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix CR comments
* Add checkout step to GitHub Actions workflow for tests
  This update introduces a checkout step in the tests.yml workflow to ensure the code is available for subsequent steps, enhancing the CI process.
* Update GitHub Actions release workflow permissions
  This commit adds write permissions for pull-requests and security-events in the release.yml workflow, enhancing the CI/CD process by allowing better integration with GitHub features.
* Update Dockerfile to remove wget installation
  This commit modifies the Dockerfile by removing the installation of wget from the apk add command, streamlining the image build process.
* Enhance Docker Scout CVE scanning in GitHub Actions workflow
  This commit updates the tests.yml workflow to include a new Docker Scout CVE gate step that specifically checks for high and critical vulnerabilities, while also modifying the existing CVE report step to include all severities without exiting on failure. This improves the security scanning process during CI/CD.
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent f694c58 commit 8dd5a7a

3 files changed

Lines changed: 85 additions & 5 deletions

.github/workflows/release.yml

Lines changed: 4 additions & 0 deletions
@@ -13,6 +13,10 @@ jobs:
1313
# Call the reusable tests workflow.
1414
uses: ./.github/workflows/tests.yml
1515
secrets: inherit
16+
permissions:
17+
contents: read
18+
pull-requests: write
19+
security-events: write
1620

1721
build-and-push-pdp:
1822
needs: pdp-tests
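Review bot: The `permissions:` block added to the job that calls `./.github/workflows/tests.yml` carries no comment saying why a release run needs `pull-requests: write` and `security-events: write`. The job in tests.yml that requests those scopes, docker-scout, is gated on `github.event_name == 'pull_request'`, so on a release they go unused at runtime. Add a short comment for each scope, as the docker-scout job does, and if the grant exists only so the reusable workflow validates, say so there.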

.github/workflows/tests.yml

Lines changed: 74 additions & 1 deletion
@@ -35,7 +35,7 @@ jobs:
3535
pip install ".[dev]"
3636
pytest -s --cache-clear horizon/tests/
3737
38-
pdp-tester:
38+
build-pdp-image:
3939
runs-on: ubuntu-latest
4040
steps:
4141
- name: Checkout code
@@ -74,6 +74,28 @@ jobs:
7474
cache-from: type=gha
7575
cache-to: type=gha,mode=max
7676

77+
- name: Save Docker image as artifact
78+
run: docker save permitio/pdp-v2:next -o pdp-image.tar
79+
80+
- name: Upload Docker image artifact
81+
uses: actions/upload-artifact@v4
82+
with:
83+
name: pdp-image
84+
path: pdp-image.tar
85+
retention-days: 1
86+
87+
pdp-tester:
88+
runs-on: ubuntu-latest
89+
needs: build-pdp-image
90+
steps:
91+
- name: Download Docker image artifact
92+
uses: actions/download-artifact@v4
93+
with:
94+
name: pdp-image
95+
96+
- name: Load Docker image
97+
run: docker load -i pdp-image.tar
98+
7799
# Checkout the pdp-tester repository
78100
- name: Checkout pdp-tester repository
79101
uses: actions/checkout@v4
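Review bot: The new `pdp-tester` job declares no `permissions:` key between `needs: build-pdp-image` and `steps:`, so when tests.yml is called from release.yml it runs with the caller's token scopes, which now include `pull-requests: write` and `security-events: write`. The steps shown only download an artifact, load the image and check out the tester repository, so give the job its own `permissions:` with `contents: read`, the way docker-scout scopes its token. Separately, the tag `permitio/pdp-v2:next` is hard-coded in `docker save` here and again in both Scout steps; a workflow-level `env` value would keep them from drifting apart.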
@@ -120,6 +142,57 @@ jobs:
120142
echo ""
121143
done
122144
145+
docker-scout:
146+
runs-on: ubuntu-latest
147+
needs: build-pdp-image
148+
if: github.event_name == 'pull_request'
149+
permissions:
150+
# required to upload the SARIF report
151+
security-events: write
152+
# required to download the Docker image artifact
153+
contents: read
154+
# required to create a pull request comment with the SARIF report
155+
pull-requests: write
156+
steps:
157+
- name: Checkout code
158+
uses: actions/checkout@v4
159+
- name: Download Docker image artifact
160+
uses: actions/download-artifact@v4
161+
with:
162+
name: pdp-image
163+
164+
- name: Load Docker image
165+
run: docker load -i pdp-image.tar
166+
167+
- name: Login to Docker Hub
168+
uses: docker/login-action@v3
169+
with:
170+
username: ${{ secrets.DOCKERHUB_USERNAME }}
171+
password: ${{ secrets.DOCKERHUB_TOKEN }}
172+
173+
- name: Docker Scout CVE report (all severities)
174+
uses: docker/scout-action@v1
175+
with:
176+
command: cves
177+
image: local://permitio/pdp-v2:next
178+
exit-code: false
179+
sarif-file: scout-results.sarif
180+
summary: true
181+
182+
- name: Docker Scout CVE gate (high and critical)
183+
uses: docker/scout-action@v1
184+
with:
185+
command: cves
186+
image: local://permitio/pdp-v2:next
187+
only-severities: critical,high
188+
exit-code: true
189+
190+
- name: Upload SARIF report
191+
if: always()
192+
uses: github/codeql-action/upload-sarif@v3
193+
with:
194+
sarif_file: scout-results.sarif
195+
123196
rust-ci:
124197
name: Rust CI
125198
runs-on: ubuntu-latest
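Review bot: `docker-scout` runs on every `pull_request` event, but its Login step reads `secrets.DOCKERHUB_USERNAME` and `secrets.DOCKERHUB_TOKEN`, which are empty on pull requests opened from forks, where the workflow token is also read-only, so the login, the PR comment and the SARIF upload would fail for outside contributors. Extend the job's `if:` to skip that case, for example by also requiring `github.event.pull_request.head.repo.full_name == github.repository`. The `Upload SARIF report` step runs under `if: always()` even when an earlier step failed before `scout-results.sarif` was written; guard it with `always() && hashFiles('scout-results.sarif') != ''`. Because this job holds a registry token and write scopes, consider pinning `docker/login-action@v3`, `docker/scout-action@v1` and `github/codeql-action/upload-sarif@v3` to commit SHAs rather than mutable tags.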

Dockerfile

Lines changed: 7 additions & 4 deletions
@@ -101,13 +101,14 @@ RUN addgroup -S permit -g 1001 && \
101101
# Create backup directory with permissions
102102
RUN mkdir -p /app/backup && chmod -R 777 /app/backup
103103

104-
# Install necessary libraries and delete SQLite in a single RUN command
105-
# Use cache mount for apk to speed up package downloads
104+
# Install runtime libraries and delete SQLite
105+
# Build deps (build-base, *-dev) are installed and removed in the pip install
106+
# layer to avoid persisting binutils CVEs (CVE-2025-69649, CVE-2025-69650)
106107
RUN --mount=type=cache,target=/var/cache/apk \
107108
ln -s /var/cache/apk /etc/apk/cache && \
108109
apk update && \
109110
apk upgrade && \
110-
apk add bash build-base libffi-dev libressl-dev musl-dev zlib-dev gcompat wget && \
111+
apk add bash libffi libressl gcompat && \
111112
apk del sqlite
112113

113114

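Review bot: The replacement comment drops the line about the apk cache mount although `--mount=type=cache,target=/var/cache/apk` and the `/etc/apk/cache` symlink are still in this RUN; keep a one-line note for it. The same `apk add` line also removes `wget` together with the build packages, which the new comment does not mention. State that the removal is intentional so it is not re-added later, and confirm that nothing in the runtime image (entrypoint, health check) calls it.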
@@ -139,10 +140,12 @@ USER root
139140
# Use cache mount for pip to speed up incremental builds
140141
COPY ./requirements.txt ./requirements.txt
141142
RUN --mount=type=cache,target=/root/.cache/pip \
143+
apk add --no-cache --virtual .build-deps build-base libffi-dev libressl-dev musl-dev zlib-dev && \
142144
pip install --upgrade pip setuptools && \
143145
pip install -r requirements.txt && \
144146
python -m pip uninstall -y pip setuptools wheel && \
145-
rm -r /usr/local/lib/python3.10/ensurepip
147+
rm -r /usr/local/lib/python3.10/ensurepip && \
148+
apk del .build-deps
146149

147150
USER permit
148151

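Review bot: `apk del .build-deps` at the end of the pip RUN can also remove shared libraries that `build-base` pulled in as dependencies, such as libstdc++ via g++, while the runtime `apk add` in the earlier layer lists only `bash libffi libressl gcompat`. A wheel from requirements.txt that was compiled from C++ sources in this layer would then fail to load in the running container. Either add the required runtime libraries to the earlier `apk add` explicitly, or put an import smoke test of the compiled packages after `apk del .build-deps` in this same RUN so a missing library fails the build here.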