diff --git a/.github/workflows/build_push.yml b/.github/workflows/build_push.yml
index 3f0a295..68a8e76 100644
--- a/.github/workflows/build_push.yml
+++ b/.github/workflows/build_push.yml
@@ -52,7 +52,6 @@ jobs:
 permissions:
 packages: write
- security-events: write
 steps:
 - name: Checkout project ⬇️
@@ -120,31 +119,7 @@ jobs:
 PANDOC_VERSION=${{ github.event.inputs.pandoc_version }}
 QUARTO_VERSION=${{ github.event.inputs.quarto_version }}
- - name: Generate R pkg list ✏️
- shell: bash
- run: |
- docker run -v ${PWD}:/app ${{ steps.build_vars.outputs.IMAGE_NAME }}:${{ steps.build_vars.outputs.IMAGE_DATE_TAG }} \
- R -q -e '
- rbind(c("|-", "-|"),
- installed.packages()[, c("Package", "Version")]) |>
- write.table(file = "/app/r-pkg-list.csv", row.names = FALSE, quote = FALSE, sep="|")'
- cat r-pkg-list.csv >> $GITHUB_STEP_SUMMARY
- - name: Run Trivy vulnerability scanner ☢️
- if: github.ref_name == 'main'
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ steps.build_vars.outputs.IMAGE_NAME }}:${{ steps.build_vars.outputs.IMAGE_DATE_TAG }}
- exit-code: 0
- ignore-unfixed: true
- vuln-type: "os,library"
- severity: "CRITICAL,HIGH,MEDIUM"
- format: "sarif"
- output: "trivy-results.sarif"
- timeout: 30m0s
- - name: Upload Trivy scan results to GitHub Security tab 📜
- if: github.ref_name == 'main'
- uses: github/codeql-action/upload-sarif@v3
+ - name: Update security artifacts
+ uses: boehringer-ingelheim/dv.ci-images/.github/workflows/secops.yml@secops
 with:
- sarif_file: "trivy-results.sarif"
+ image_tag: "${{ steps.build_vars.outputs.IMAGE_NAME }}:${{ steps.build_vars.outputs.IMAGE_DATE_TAG }}"
diff --git a/.github/workflows/secops.yml b/.github/workflows/secops.yml
new file mode 100644
index 0000000..e974262
--- /dev/null
+++ b/.github/workflows/secops.yml
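Review bot: The new step `uses: boehringer-ingelheim/dv.ci-images/.github/workflows/secops.yml@secops` points at a workflow file, and a reusable workflow can only be referenced from a job (`jobs.<id>.uses`, with its inputs under a job-level `with:`), never from an entry under `steps:`, so I expect this step to be rejected when the workflow runs (and the called file additionally needs an `on: workflow_call` trigger). As a separate job it cannot read `steps.build_vars.outputs.*`, so the build job needs an `outputs:` entry and the caller passes `needs.<build_job_id>.outputs.image_tag`, roughly as below; the enclosing job's header is outside this hunk, so the job id is a placeholder. The first hunk drops `security-events: write` from this job, but a called workflow cannot be granted more than its caller holds, and the SARIF upload in secops.yml needs it, so the calling job must carry `permissions: security-events: write`. `@secops` is a branch ref, so the called workflow can change underneath this caller without a change here; pin it to a tag or commit SHA once it settles.
```yaml
# … unchanged: build job (add `outputs: image_tag: "${{ steps.build_vars.outputs.IMAGE_NAME }}:${{ steps.build_vars.outputs.IMAGE_DATE_TAG }}"` to it) …
  secops:
    needs: BUILD_JOB_ID  # placeholder: id of the job that defines build_vars
    permissions:
      security-events: write
    uses: boehringer-ingelheim/dv.ci-images/.github/workflows/secops.yml@secops
    with:
      image_tag: ${{ needs.BUILD_JOB_ID.outputs.image_tag }}
```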
@@ -0,0 +1,52 @@
+---
+name: SecOps
+
+on:
+ workflow_dispatch:
+ inputs:
+ image_tag:
+ description: image:tag
+ required: true
+ default: "ghcr.io/boehringer-ingelheim/r_4.3.2_cran_2024.01.12:latest"
+ type: string
+
+ push:
+ branches:
+ - seops
+
+jobs:
+ build_publish:
+ name: SecOps
+ runs-on: ubuntu-latest
+
+ permissions:
+ security-events: write
+
+ steps:
+ - name: Generate R pkg list ✏️
+ shell: bash
+ run: |
+ docker run -v ${PWD}:/app ${{ inputs.image_tag }} \
+ R -q -e '
+ rbind(c("|-", "-|"),
+ installed.packages()[, c("Package", "Version")]) |>
+ write.table(file = "/app/r-pkg-list.csv", row.names = FALSE, quote = FALSE, sep="|")'
+ cat r-pkg-list.csv >> $GITHUB_STEP_SUMMARY
+
+ - name: Run Trivy vulnerability scanner ☢️
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ inputs.image_tag }}
+ exit-code: 0
+ ignore-unfixed: true
+ vuln-type: "os,library"
+ severity: "CRITICAL,HIGH,MEDIUM"
+ format: "sarif"
+ output: "trivy-results.sarif"
+ timeout: 30m0s
+
+ - name: Upload Trivy scan results to GitHub Security tab 📜
+ # if: github.ref_name == 'main'
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: "trivy-results.sarif"
diff --git a/Dockerfile b/Dockerfile
index c9bf537..352cdf2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,7 +31,9 @@ COPY configs/.lintr /
 ENV R_LINTR_LINTER_FILE=/.lintr
 # Cleanup
-RUN rm -rf /rocker_scripts /scripts
+RUN rm -rf /rocker_scripts /scripts && \
+ adduser --system --group --no-create-home ci-user
+USER ci-user
 CMD ["/init"]
diff --git a/README.md b/README.md
index 0c00b02..2be4610 100644
--- a/README.md
+++ b/README.md
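Review bot: `inputs.image_tag` is only declared under `workflow_dispatch`, so on the `push: branches: - seops` trigger it expands to an empty string — `docker run -v ${PWD}:/app  R -q -e …` then tries to run an image named `R` and the Trivy `image-ref` is empty — and the file has no `workflow_call` trigger, so it cannot be invoked from build_push.yml, which this same commit points at `@secops`. Add a `workflow_call` trigger mirroring the dispatch input, as below; `seops` also looks like a typo for `secops`, worth confirming. `uses: aquasecurity/trivy-action@master` tracks a mutable branch inside a job holding `security-events: write`; pin it to a release tag or commit SHA. The tag is also interpolated straight into the `run:` script, so passing it through `env: IMAGE_TAG: ${{ inputs.image_tag }}` and using `"$IMAGE_TAG"` keeps shell metacharacters in a dispatch input from being interpreted by bash.
```yaml
on:
  workflow_dispatch:
    # … unchanged: image_tag dispatch input …
  workflow_call:
    inputs:
      image_tag:
        description: image:tag
        required: true
        type: string
  # … unchanged: push trigger …
```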
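Review bot: `USER ci-user` is placed directly before `CMD ["/init"]`, and `/init` inherited from the base image (presumably rocker-based, given the `rm -rf /rocker_scripts` on the same line) is, as far as I can tell, an s6-style init that expects to start as root, so the default command may no longer start; confirm the entrypoint works unprivileged, or keep `USER` but document that `/init` is not expected to be used by CI. The same switch affects the `docker run -v ${PWD}:/app … write.table(file = "/app/r-pkg-list.csv", …)` step in build_push.yml/secops.yml of this commit: a `--system` account gets a low UID that will not match the runner-owned bind mount, so that write may be denied. Add a why-comment above the `adduser` line, e.g. `# Run CI jobs as an unprivileged, home-less account instead of root`.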
@@ -1,6 +1,4 @@
-
-
-# Docker Images for CI
+# Docker Images for CI [![Build and Publish Image](https://github.com/Boehringer-Ingelheim/dv.ci-images/actions/workflows/build_push.yml/badge.svg?branch=main)](https://github.com/Boehringer-Ingelheim/dv.ci-images/actions/workflows/build_push.yml) [![Check and Lint Repo](https://github.com/Boehringer-Ingelheim/dv.ci-images/actions/workflows/check.yml/badge.svg?branch=main)](https://github.com/Boehringer-Ingelheim/dv.ci-images/actions/workflows/check.yml)