From 68906b2f28e0c5e7168122841b9c832eeb6f0ce5 Mon Sep 17 00:00:00 2001
From: dadaloop82
Date: Sat, 16 May 2026 07:23:39 +0000
Subject: [PATCH] fix: switch to php:8.2-apache-bookworm, add apt upgrade, Trivy ignore-unfixed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Base image: php:8.2-apache → php:8.2-apache-bookworm (Debian 12) Reduces OS-level CVEs from ~1200+ to only fixable ones
- Add apt-get upgrade -y before package installs
- Trivy: add ignore-unfixed: true (suppress CVEs with no available fix)
- Pin trivy-action@0.31.0 instead of @master
- Upgrade codeql-action upload-sarif v3 → v4
---
 .github/workflows/security.yml | 10 ++++++----
 Dockerfile | 4 ++--
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 3c0bbf7..680e505 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -27,16 +27,17 @@ jobs: run: docker build -t evershelf:scan . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@0.31.0 with: image-ref: 'evershelf:scan' format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' + ignore-unfixed: true exit-code: '0' # don't fail the build, just report - name: Upload Trivy SARIF to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: 'trivy-results.sarif' category: 'trivy-docker'
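Review bot: The new `uses: aquasecurity/trivy-action@0.31.0` is pinned to a tag, and a tag can be moved upstream, so the supply-chain gain over `@master` is smaller than it looks; pin the action to the full commit SHA of that release with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha-of-0.31.0>  # v0.31.0`, and do the same for `github/codeql-action/upload-sarif@v4`. The same applies to the filesystem-scan hunk at `@@ -52,17 +53,18 @@`. Separately, `ignore-unfixed: true` removes CRITICAL/HIGH findings that have no vendor fix from the SARIF entirely, so they never reach the Security tab; a one-line comment such as `# unfixed CVEs are hidden, not resolved — re-check when the base image is refreshed` keeps that trade-off visible next to the existing `exit-code: '0'` comment. For consistency with the other quoted inputs in this step, `ignore-unfixed: 'true'` matches the file's style.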
@@ -52,17 +53,18 @@ jobs: uses: actions/checkout@v4 - name: Run Trivy filesystem scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@0.31.0 with: scan-type: 'fs' scan-ref: '.' format: 'sarif' output: 'trivy-fs-results.sarif' severity: 'CRITICAL,HIGH' + ignore-unfixed: true exit-code: '0' - name: Upload Trivy FS SARIF - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: 'trivy-fs-results.sarif' category: 'trivy-fs'
diff --git a/Dockerfile b/Dockerfile
index 68f7d39..d565b75 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@ -FROM php:8.2-apache +FROM php:8.2-apache-bookworm # Install required PHP extensions + Tesseract OCR for offline expiry date reading -RUN apt-get update && apt-get install -y \ +RUN apt-get update && apt-get upgrade -y && apt-get install -y \ libsqlite3-dev \ libcurl4-openssl-dev \ libonig-dev \
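Review bot: The added `apt-get upgrade -y` only hardens the image at build time, so the CVE reduction the commit message describes lapses as soon as the image stops being rebuilt, and it also makes the layer non-reproducible because the upgraded package set depends on the Debian mirror state at build time. A comment on the RUN line would make that intent and its maintenance cost explicit, e.g. `# upgrade pulls current Debian security fixes; rebuild regularly or the benefit lapses`. If the workflow does not already rebuild on a schedule, a scheduled trigger is the natural complement (not visible in this patch). The RUN instruction continues past the end of the hunk, so whether the apt lists are cleaned up afterwards cannot be confirmed here. `FROM php:8.2-apache-bookworm` is a floating tag, which is a reasonable choice for picking up patched bases, but where reproducibility matters it can be pinned by digest (`@sha256:<image-digest>`) and bumped by automation.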