From f66f4d24fbf10c9255f28e92c8cbbde7d8b54a7b Mon Sep 17 00:00:00 2001 From: sorinvoicu <61691256+sorinvoicu@users.noreply.github.com> Date: Thu, 29 Feb 2024 14:29:05 +0000 Subject: [PATCH 1/5] run as non-root user --- Dockerfile | 4 +++- README.md | 4 +--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index c9bf537..352cdf2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -31,7 +31,9 @@ COPY configs/.lintr / ENV R_LINTR_LINTER_FILE=/.lintr # Cleanup -RUN rm -rf /rocker_scripts /scripts +RUN rm -rf /rocker_scripts /scripts && \ + adduser --system --group --no-create-home ci-user +USER ci-user CMD ["/init"] diff --git a/README.md b/README.md index 0c00b02..2be4610 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,4 @@ - - -# Docker Images for CI +# Docker Images for CI [![Build and Publish Image](https://github.com/Boehringer-Ingelheim/dv.ci-images/actions/workflows/build_push.yml/badge.svg?branch=main)](https://github.com/Boehringer-Ingelheim/dv.ci-images/actions/workflows/build_push.yml) [![Check and Lint Repo](https://github.com/Boehringer-Ingelheim/dv.ci-images/actions/workflows/check.yml/badge.svg?branch=main)](https://github.com/Boehringer-Ingelheim/dv.ci-images/actions/workflows/check.yml) From d42dcfcb3c2b75e5e69028cf43087be2f26a7809 Mon Sep 17 00:00:00 2001 From: sorinvoicu <61691256+sorinvoicu@users.noreply.github.com> Date: Thu, 29 Feb 2024 14:36:41 +0000 Subject: [PATCH 2/5] split secops from build --- .github/workflows/build_push.yml | 30 ----------------------- .github/workflows/secops.yml | 42 ++++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 30 deletions(-) create mode 100644 .github/workflows/secops.yml diff --git a/.github/workflows/build_push.yml b/.github/workflows/build_push.yml index 3f0a295..7ab040a 100644 --- a/.github/workflows/build_push.yml +++ b/.github/workflows/build_push.yml 
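Review bot: `USER ci-user` is set immediately before `CMD ["/init"]`, and nothing in the hunk shows that `/init` can start unprivileged; if `/init` is the rocker s6-overlay entry point it expects to run as root, so the container may fail to start under the new user and this needs a smoke run before merge. `adduser --system --group --no-create-home ci-user` also gives the user a low system UID and no home directory, so anything that writes under `$HOME` (R's user library, tool caches) or into a bind-mounted runner checkout owned by a different UID may hit permission errors; consider `--home /home/ci-user` plus an explicit `ENV HOME=/home/ci-user`, and a comment above the `RUN` stating the intended UID so CI jobs can align mount ownership. A short comment such as `# Run CI tooling as an unprivileged user; /init must tolerate this` above `USER ci-user` would record the decision.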
@@ -52,7 +52,6 @@ jobs: permissions: packages: write - security-events: write steps: - name: Checkout project ⬇️ @@ -119,32 +118,3 @@ jobs: OS_VERSION=${{ env.OS_VERSION }} PANDOC_VERSION=${{ github.event.inputs.pandoc_version }} QUARTO_VERSION=${{ github.event.inputs.quarto_version }} - - - name: Generate R pkg list ✏️ - shell: bash - run: | - docker run -v ${PWD}:/app ${{ steps.build_vars.outputs.IMAGE_NAME }}:${{ steps.build_vars.outputs.IMAGE_DATE_TAG }} \ - R -q -e ' - rbind(c("|-", "-|"), - installed.packages()[, c("Package", "Version")]) |> - write.table(file = "/app/r-pkg-list.csv", row.names = FALSE, quote = FALSE, sep="|")' - cat r-pkg-list.csv >> $GITHUB_STEP_SUMMARY - - - name: Run Trivy vulnerability scanner ☢️ - if: github.ref_name == 'main' - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ steps.build_vars.outputs.IMAGE_NAME }}:${{ steps.build_vars.outputs.IMAGE_DATE_TAG }} - exit-code: 0 - ignore-unfixed: true - vuln-type: "os,library" - severity: "CRITICAL,HIGH,MEDIUM" - format: "sarif" - output: "trivy-results.sarif" - timeout: 30m0s - - - name: Upload Trivy scan results to GitHub Security tab 📜 - if: github.ref_name == 'main' - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: "trivy-results.sarif" diff --git a/.github/workflows/secops.yml b/.github/workflows/secops.yml new file mode 100644 index 0000000..adb0725 --- /dev/null +++ b/.github/workflows/secops.yml 
@@ -0,0 +1,42 @@ +--- +name: SecOps + +on: + workflow_dispatch: + +jobs: + build_publish: + name: Build and Publish Image + runs-on: ubuntu-latest + + permissions: + security-events: write + + steps: + # - name: Generate R pkg list ✏️ + # shell: bash + # run: | + # docker run -v ${PWD}:/app ${{ steps.build_vars.outputs.IMAGE_NAME }}:${{ steps.build_vars.outputs.IMAGE_DATE_TAG }} \ + # R -q -e ' + # rbind(c("|-", "-|"), + # installed.packages()[, c("Package", "Version")]) |> + # write.table(file = "/app/r-pkg-list.csv", row.names = FALSE, quote = FALSE, sep="|")' + # cat r-pkg-list.csv >> $GITHUB_STEP_SUMMARY + + - name: Run Trivy vulnerability scanner ☢️ + uses: aquasecurity/trivy-action@master + with: + image-ref: ghcr.io/boehringer-ingelheim/r_4.3.2_cran_2024.01.12:latest + exit-code: 0 + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH,MEDIUM" + format: "sarif" + output: "trivy-results.sarif" + timeout: 30m0s + + - name: Upload Trivy scan results to GitHub Security tab 📜 + # if: github.ref_name == 'main' + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: "trivy-results.sarif" From 64efae8f84866d7e51fca29393ba3205d268d630 Mon Sep 17 00:00:00 2001 From: sorinvoicu <61691256+sorinvoicu@users.noreply.github.com> Date: Thu, 29 Feb 2024 14:42:58 +0000 Subject: [PATCH 3/5] add event --- .github/workflows/secops.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/secops.yml b/.github/workflows/secops.yml index adb0725..6f9e77e 100644 --- a/.github/workflows/secops.yml +++ b/.github/workflows/secops.yml @@ -3,6 +3,9 @@ name: SecOps on: workflow_dispatch: + push: + branches: + - secops jobs: build_publish: From 3cb9d447ee32a5cc1d36171aa8886e32e4dab469 Mon Sep 17 00:00:00 2001 
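Review bot: `uses: aquasecurity/trivy-action@master` pins a third-party action to a moving branch inside a job that holds `security-events: write`, so the code that pulls the image and writes SARIF into the Security tab can change without any commit in this repository; pin it to a release tag or, better, a full commit SHA (`aquasecurity/trivy-action@<release tag or commit SHA>`) and let Dependabot bump it, as is already done for `github/codeql-action/upload-sarif@v3`. `exit-code: 0` together with `ignore-unfixed: true` means no finding can ever fail this job, which is reasonable for a reporting-only workflow but deserves a one-line comment above the step stating that intent, e.g. `# Reporting only: findings are uploaded, never fail the run`. The job key `build_publish` is a leftover from the workflow this was split out of and will show under that id in the Actions UI and in any `needs:` reference; `secops:` would match the file.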
From: sorinvoicu <61691256+sorinvoicu@users.noreply.github.com> Date: Thu, 29 Feb 2024 14:56:44 +0000 Subject: [PATCH 4/5] use input --- .github/workflows/secops.yml | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/.github/workflows/secops.yml b/.github/workflows/secops.yml index 6f9e77e..afbc119 100644 --- a/.github/workflows/secops.yml +++ b/.github/workflows/secops.yml @@ -3,33 +3,36 @@ name: SecOps on: workflow_dispatch: - push: - branches: - - secops + inputs: + image_tag: + description: image:tag + required: false + default: "ghcr.io/boehringer-ingelheim/r_4.3.2_cran_2024.01.12:latest" + type: string jobs: build_publish: - name: Build and Publish Image + name: SecOps runs-on: ubuntu-latest permissions: security-events: write steps: - # - name: Generate R pkg list ✏️ - # shell: bash - # run: | - # docker run -v ${PWD}:/app ${{ steps.build_vars.outputs.IMAGE_NAME }}:${{ steps.build_vars.outputs.IMAGE_DATE_TAG }} \ - # R -q -e ' - # rbind(c("|-", "-|"), - # installed.packages()[, c("Package", "Version")]) |> - # write.table(file = "/app/r-pkg-list.csv", row.names = FALSE, quote = FALSE, sep="|")' - # cat r-pkg-list.csv >> $GITHUB_STEP_SUMMARY + - name: Generate R pkg list ✏️ + shell: bash + run: | + docker run -v ${PWD}:/app ${{ inputs.image_tag }} \ + R -q -e ' + rbind(c("|-", "-|"), + installed.packages()[, c("Package", "Version")]) |> + write.table(file = "/app/r-pkg-list.csv", row.names = FALSE, quote = FALSE, sep="|")' + cat r-pkg-list.csv >> $GITHUB_STEP_SUMMARY - name: Run Trivy vulnerability scanner ☢️ uses: aquasecurity/trivy-action@master with: - image-ref: ghcr.io/boehringer-ingelheim/r_4.3.2_cran_2024.01.12:latest + image-ref: ${{ inputs.image_tag }} exit-code: 0 ignore-unfixed: true vuln-type: "os,library" From 142d1d7e0cc18765af6f0723d75483b73baae105 Mon Sep 17 00:00:00 2001 
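Review bot: In the `Generate R pkg list` step, `${{ inputs.image_tag }}` is expanded into the `run:` script text before bash parses it, so the input value becomes shell code rather than an argument; only someone with write access can dispatch the workflow, but the standard mitigation costs two lines: add `env: IMAGE_TAG: ${{ inputs.image_tag }}` to the step and use `docker run -v "${PWD}:/app" "$IMAGE_TAG" \` in the script. The `with: image-ref: ${{ inputs.image_tag }}` on the Trivy step is fine as written, since action inputs are not shell-interpreted. Adding `--rm` to the `docker run` would also avoid leaving a stopped container on the runner. The Trivy step continues past the end of the hunk.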
From: sorinvoicu <61691256+sorinvoicu@users.noreply.github.com> Date: Thu, 29 Feb 2024 15:03:32 +0000 Subject: [PATCH 5/5] . --- .github/workflows/build_push.yml | 5 +++++ .github/workflows/secops.yml | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_push.yml b/.github/workflows/build_push.yml index 7ab040a..68a8e76 100644 --- a/.github/workflows/build_push.yml +++ b/.github/workflows/build_push.yml @@ -118,3 +118,8 @@ jobs: OS_VERSION=${{ env.OS_VERSION }} PANDOC_VERSION=${{ github.event.inputs.pandoc_version }} QUARTO_VERSION=${{ github.event.inputs.quarto_version }} + + - name: Update security artifacts + uses: boehringer-ingelheim/dv.ci-images/.github/workflows/secops.yml@secops + with: + image_tag: "${{ steps.build_vars.outputs.IMAGE_NAME }}:${{ steps.build_vars.outputs.IMAGE_DATE_TAG }}" diff --git a/.github/workflows/secops.yml b/.github/workflows/secops.yml index afbc119..e974262 100644 --- a/.github/workflows/secops.yml +++ b/.github/workflows/secops.yml @@ -6,10 +6,14 @@ on: inputs: image_tag: description: image:tag - required: false + required: true default: "ghcr.io/boehringer-ingelheim/r_4.3.2_cran_2024.01.12:latest" type: string + push: + branches: + - seops + jobs: build_publish: name: SecOps
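Review bot: The new `Update security artifacts` step uses a step-level `uses:` with a workflow file path, which GitHub Actions does not accept — a reusable workflow can only be called from a job-level `uses:`, and the called file must declare an `on: workflow_call` trigger, which secops.yml does not have as of this series. `@secops` is also a mutable branch name, so what runs here can change underneath the build; point it at the default branch or a tag once merged, or use a relative path to the same commit. A job-level call would look like the sketch below; it requires `build_publish` (whose header is outside this hunk) to expose the image reference as a job output, and the caller job must grant `security-events: write`, which patch 2 removed, because a called workflow cannot exceed the caller's permissions.
```yaml
# … unchanged: build_publish job (add an `outputs:` entry exposing the built image reference) …
  secops:
    needs: build_publish
    permissions:
      security-events: write
    uses: ./.github/workflows/secops.yml
    with:
      image_tag: ${{ needs.build_publish.outputs.image_tag }}
```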
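Review bot: The re-added `push:` trigger targets branch `seops`, which looks like a typo for `secops` (the branch build_push.yml references as `@secops`); as written it never fires, and if corrected it would run the job on a push event where the `inputs` context is empty, so `docker run -v ${PWD}:/app ${{ inputs.image_tag }} \` would have no image argument and Docker would treat the following `R` as the image name. If the push trigger is only for testing, drop it before merge. If this workflow is meant to be called from build_push.yml, it needs an `on: workflow_call` trigger declaring the same input, as sketched below; `required: true` alongside a `default` is harmless for `workflow_dispatch`. The `on:` block starts before the hunk.
```yaml
on:
  workflow_dispatch:
    # … unchanged: image_tag input …
  workflow_call:
    inputs:
      image_tag:
        description: image:tag
        required: true
        type: string
```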