morgane/EverShelf
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity

fix: switch to php:8.2-apache-bookworm, add apt upgrade, Trivy ignore-unfixed

Browse Source 
- Base image: php:8.2-apache → php:8.2-apache-bookworm (Debian 12)
  Reduces OS-level CVEs from ~1200+ to only fixable ones
- Add apt-get upgrade -y before package installs
- Trivy: add ignore-unfixed: true (suppress CVEs with no available fix)
- Pin trivy-action@0.31.0 instead of @master
- Upgrade codeql-action upload-sarif v3 → v4
This commit is contained in:
dadaloop82
2026-05-16 07:23:39 +00:00
parent 6b982b6730
commit 68906b2f28
2 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/security.yml
+6 -4
View File
@@ -27,16 +27,17 @@ jobs:
run: docker build -t evershelf:scan . run: docker build -t evershelf:scan .
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@0.31.0
with: with:
image-ref: 'evershelf:scan' image-ref: 'evershelf:scan'
format: 'sarif' format: 'sarif'
output: 'trivy-results.sarif' output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH' severity: 'CRITICAL,HIGH'
ignore-unfixed: true
exit-code: '0' # don't fail the build, just report exit-code: '0' # don't fail the build, just report
- name: Upload Trivy SARIF to GitHub Security tab - name: Upload Trivy SARIF to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@v4
with: with:
sarif_file: 'trivy-results.sarif' sarif_file: 'trivy-results.sarif'
category: 'trivy-docker' category: 'trivy-docker'
@@ -52,17 +53,18 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run Trivy filesystem scanner - name: Run Trivy filesystem scanner
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@0.31.0
with: with:
scan-type: 'fs' scan-type: 'fs'
scan-ref: '.' scan-ref: '.'
format: 'sarif' format: 'sarif'
output: 'trivy-fs-results.sarif' output: 'trivy-fs-results.sarif'
severity: 'CRITICAL,HIGH' severity: 'CRITICAL,HIGH'
ignore-unfixed: true
exit-code: '0' exit-code: '0'
- name: Upload Trivy FS SARIF - name: Upload Trivy FS SARIF
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@v4
with: with:
sarif_file: 'trivy-fs-results.sarif' sarif_file: 'trivy-fs-results.sarif'
category: 'trivy-fs' category: 'trivy-fs'
Dockerfile
+2 -2
View File
@@ -1,7 +1,7 @@
FROM php:8.2-apache FROM php:8.2-apache-bookworm
# Install required PHP extensions + Tesseract OCR for offline expiry date reading # Install required PHP extensions + Tesseract OCR for offline expiry date reading
RUN apt-get update && apt-get install -y \ RUN apt-get update && apt-get upgrade -y && apt-get install -y \
libsqlite3-dev \ libsqlite3-dev \
libcurl4-openssl-dev \ libcurl4-openssl-dev \
libonig-dev \ libonig-dev \