From 7c6bccb94f12fdc62c4311be371a915033c75e90 Mon Sep 17 00:00:00 2001
From: Demonsthere
Date: Wed, 5 Jun 2024 13:01:33 +0200
Subject: [PATCH] chore: add kubescape image scanner
---
 .docker/Dockerfile-alpine | 2 +-
 .docker/Dockerfile-build | 2 +-
 .docker/Dockerfile-distroless-static | 2 +-
 .github/workflows/cve-scan.yaml | 9 +++++++++
 4 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine
index 56abe694d9..f8cb3edc89 100644
--- a/.docker/Dockerfile-alpine
+++ b/.docker/Dockerfile-alpine
@@ -1,4 +1,4 @@
-FROM alpine:3.18.3
+FROM alpine:3.20.0
 RUN addgroup -S ory; \
 adduser -S ory -G ory -D -H -s /bin/nologin
diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build
index 711d4a5837..063dfdff91 100644
--- a/.docker/Dockerfile-build
+++ b/.docker/Dockerfile-build
@@ -19,7 +19,7 @@ RUN go build -o /usr/bin/oathkeeper .
 #########################
-FROM gcr.io/distroless/static-debian11:nonroot AS runner
+FROM gcr.io/distroless/static-debian12:nonroot AS runner
 COPY --from=builder --chown=nonroot:nonroot /usr/bin/oathkeeper /usr/bin/oathkeeper
diff --git a/.docker/Dockerfile-distroless-static b/.docker/Dockerfile-distroless-static
index 91020b7c27..8bcb1a9e77 100644
--- a/.docker/Dockerfile-distroless-static
+++ b/.docker/Dockerfile-distroless-static
@@ -1,4 +1,4 @@
-FROM gcr.io/distroless/static-debian11:nonroot
+FROM gcr.io/distroless/static-debian12:nonroot
 COPY --chown=nonroot:nonroot oathkeeper /usr/bin/oathkeeper
 EXPOSE 4455 4456
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
index 4d99e53056..87360e02bf 100644
--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
@@ -48,6 +48,15 @@ jobs:
 uses: github/codeql-action/upload-sarif@v2
 with:
 sarif_file: ${{ steps.grype-scan.outputs.sarif }}
+ - name: Kubescape scanner
+ uses: kubescape/github-action@main
+ id: kubescape
+ with:
+ image: oryd/oathkeeper:${{ env.SHA_SHORT }}
+ verbose: true
+ format: pretty-printer
+ # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
+ severityThreshold: critical
 - name: Trivy Scanner
 uses: aquasecurity/trivy-action@master
 if: ${{ always() }}
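Review bot: The new step pulls `kubescape/github-action@main`, so every run fetches and executes whatever is currently on that mutable branch with the job's token and checkout; a compromised or force-pushed branch would run arbitrary code inside this CVE-scanning workflow, which is the opposite of what the job is for. Pin the action to an immutable ref, a full commit SHA with the release it corresponds to in a trailing comment, `uses: kubescape/github-action@<commit-sha> # <release tag>`, and let the repo's dependency bot bump it (the pre-existing `aquasecurity/trivy-action@master` on the context line below has the same problem, though it is not part of this change). Two smaller points: with `format: pretty-printer` the findings only survive in the job log rather than being uploaded as SARIF like the grype step above, and `severityThreshold: critical` means high-severity CVEs never fail the job, which the `# can't whitelist CVE yet` comment explains only implicitly and would be clearer stated outright, e.g. `# critical-only until kubescape can suppress individual CVEs; highs are reported but do not fail the job`. The enclosing `steps:` list begins before this hunk.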