chore: add kubescape image scanner

ory · Jun 5, 2024 · 7c6bccb · 7c6bccb
1 parent 9add863
commit 7c6bccb
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 3 deletions.
diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine
@@ -1,4 +1,4 @@
-FROM alpine:3.18.3
+FROM alpine:3.20.0
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D -H -s /bin/nologin

diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build
@@ -19,7 +19,7 @@ RUN go build -o /usr/bin/oathkeeper .
 
 #########################
 
-FROM gcr.io/distroless/static-debian11:nonroot AS runner
+FROM gcr.io/distroless/static-debian12:nonroot AS runner
 
 COPY --from=builder --chown=nonroot:nonroot /usr/bin/oathkeeper /usr/bin/oathkeeper
 

diff --git a/.docker/Dockerfile-distroless-static b/.docker/Dockerfile-distroless-static
@@ -1,4 +1,4 @@
-FROM gcr.io/distroless/static-debian11:nonroot
+FROM gcr.io/distroless/static-debian12:nonroot
 
 COPY --chown=nonroot:nonroot oathkeeper /usr/bin/oathkeeper
 EXPOSE 4455 4456

diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
@@ -48,6 +48,15 @@ jobs:
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: ${{ steps.grype-scan.outputs.sarif }}
+      - name: Kubescape scanner
+        uses: kubescape/github-action@main
+        id: kubescape
+        with:
+          image: oryd/oathkeeper:${{ env.SHA_SHORT }}
+          verbose: true
+          format: pretty-printer
+          # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
+          severityThreshold: critical
       - name: Trivy Scanner
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}