Merge pull request #2 from Boehringer-Ingelheim/secops

Secops

.github/workflows/build_push.yml

@@ -52,7 +52,6 @@ jobs:
 
     permissions:
       packages: write
-      security-events: write
 
     steps:
       - name: Checkout project ⬇️
@@ -120,31 +119,7 @@ jobs:
             PANDOC_VERSION=${{ github.event.inputs.pandoc_version }}
             QUARTO_VERSION=${{ github.event.inputs.quarto_version }}
 
-      - name: Generate R pkg list ✏️
-        shell: bash
-        run: |
-          docker run -v ${PWD}:/app ${{ steps.build_vars.outputs.IMAGE_NAME }}:${{ steps.build_vars.outputs.IMAGE_DATE_TAG }} \
-          R -q -e '
-          rbind(c("|-", "-|"),
-          installed.packages()[, c("Package", "Version")]) |>
-          write.table(file = "/app/r-pkg-list.csv", row.names = FALSE, quote = FALSE, sep="|")'
-          cat r-pkg-list.csv >> $GITHUB_STEP_SUMMARY
-
-      - name: Run Trivy vulnerability scanner ☢️
-        if: github.ref_name == 'main'
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: ${{ steps.build_vars.outputs.IMAGE_NAME }}:${{ steps.build_vars.outputs.IMAGE_DATE_TAG }}
-          exit-code: 0
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          severity: "CRITICAL,HIGH,MEDIUM"
-          format: "sarif"
-          output: "trivy-results.sarif"
-          timeout: 30m0s
-
-      - name: Upload Trivy scan results to GitHub Security tab 📜
-        if: github.ref_name == 'main'
-        uses: github/codeql-action/upload-sarif@v3
+      - name: Update security artifacts
+        uses: boehringer-ingelheim/dv.ci-images/.github/workflows/secops.yml@secops
         with:
-          sarif_file: "trivy-results.sarif"
+          image_tag: "${{ steps.build_vars.outputs.IMAGE_NAME }}:${{ steps.build_vars.outputs.IMAGE_DATE_TAG }}"

.github/workflows/secops.yml

@@ -0,0 +1,52 @@
+---
+name: SecOps
+
+on:
+  workflow_dispatch:
+    inputs:
+      image_tag:
+        description: image:tag
+        required: true
+        default: "ghcr.io/boehringer-ingelheim/r_4.3.2_cran_2024.01.12:latest"
+        type: string
+
+  push:
+    branches:
+      - seops
+
+jobs:
+  build_publish:
+    name: SecOps
+    runs-on: ubuntu-latest
+
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Generate R pkg list ✏️
+        shell: bash
+        run: |
+          docker run -v ${PWD}:/app ${{ inputs.image_tag }} \
+          R -q -e '
+          rbind(c("|-", "-|"),
+          installed.packages()[, c("Package", "Version")]) |>
+          write.table(file = "/app/r-pkg-list.csv", row.names = FALSE, quote = FALSE, sep="|")'
+          cat r-pkg-list.csv >> $GITHUB_STEP_SUMMARY
+
+      - name: Run Trivy vulnerability scanner ☢️
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ inputs.image_tag }}
+          exit-code: 0
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH,MEDIUM"
+          format: "sarif"
+          output: "trivy-results.sarif"
+          timeout: 30m0s
+
+      - name: Upload Trivy scan results to GitHub Security tab 📜
+        # if: github.ref_name == 'main'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"

Dockerfile

@@ -31,7 +31,9 @@ COPY configs/.lintr /
 ENV R_LINTR_LINTER_FILE=/.lintr
 
 # Cleanup
-RUN rm -rf /rocker_scripts /scripts
+RUN rm -rf /rocker_scripts /scripts && \
+    adduser --system --group --no-create-home ci-user
+USER ci-user
 
 CMD ["/init"]
 

README.md

@@ -1,6 +1,4 @@
-<img src="configs/repo-logo.svg" align="right" height="138" alt="" />
-
-# Docker Images for CI
+# Docker Images for CI <img src="configs/repo-logo.svg" align="right" height="138" alt="" />
 
 [![Build and Publish Image](https://github.com/Boehringer-Ingelheim/dv.ci-images/actions/workflows/build_push.yml/badge.svg?branch=main)](https://github.com/Boehringer-Ingelheim/dv.ci-images/actions/workflows/build_push.yml) [![Check and Lint Repo](https://github.com/Boehringer-Ingelheim/dv.ci-images/actions/workflows/check.yml/badge.svg?branch=main)](https://github.com/Boehringer-Ingelheim/dv.ci-images/actions/workflows/check.yml)