add trivy.yml (#31)

* add trivy.yml

* remove pinned versions

* ignore=DL3008

* fix superlinter CHECKOV and GITHUB_ACTIONS

.github/workflows/trivy.yml

@@ -0,0 +1,32 @@
+name: Run Trivy vulnerability scanner
+
+on: [ push ]
+
+permissions:
+  contents: read
+  packages: write
+  issues: write
+  pull-requests: write
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Build wis2downloader
+        run: |
+          docker build -t wis2downloader:test -f ./docker/Dockerfile .
+      - name: Run Trivy vulnerability scanner on wis2downloader
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+        with:
+          image-ref: 'wis2downloader:test'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          ignorefile: '.trivyignore'

docker/Dockerfile

@@ -18,9 +18,10 @@ ENV WIS2DOWNLOADER_CONFIG "/home/wis2downloader/app/config/config.json"
 
 
 # Update, upgrade packages and install / clean up
+# hadolint ignore=DL3008
 RUN apt-get update && \
     apt-get upgrade && \
-    apt-get install -y gettext-base=0.21-12 curl=7.88.1-10+deb12u6 cron=3.0pl1-162 git=1:2.39.2-1.1 && \
+    apt-get install -y gettext-base curl cron git && \
     rm -rf /var/lib/apt/lists/*
 
 # Now setup python env and default user