add content from test repo

.github/workflows/main.yaml

@@ -0,0 +1,121 @@
+---
+name: main
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  HADOLINT_IMAGE: "ghcr.io/hadolint/hadolint:latest"
+  TRIVY_IMAGE: "ghcr.io/aquasecurity/trivy:latest"
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    permissions:
+      security-events: write
+      # only required for workflows in private repositories
+      # actions: read
+      # contents: read
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+      - name: Pull images
+        run: |
+          docker pull "${HADOLINT_IMAGE}"
+          docker pull "${TRIVY_IMAGE}"
+      - name: Run Trivy - Dockerfile check
+        run: |
+          config="trivy-configs/dockerfile.yaml"
+          if [ ! -f "./${config}" ]; then
+              echo "Error: Missing ./configs/${config}"
+              exit 1
+          fi
+          docker run \
+            --rm \
+            -v $HOME/.cache/trivy:/root/.cache \
+            -v "$(pwd)":/repo \
+            "${TRIVY_IMAGE}" \
+                config \
+                --config "/repo/${config}" \
+                /repo/Dockerfile
+      - name: Run hadolint
+        run: |
+          docker run \
+            --rm \
+            -i \
+            -v "$(pwd)":/repo \
+            "${HADOLINT_IMAGE}" \
+                hadolint \
+                --config /repo/hadolint.yaml \
+                - < Dockerfile
+      - name: Build Docker image
+        run: |
+          img="ghcr.io/${{ github.repository }}"
+          version="$(grep _VERSION= Dockerfile | cut -d'"' -f2)"
+          image_revision="$(grep _IMAGE_REVISION= Dockerfile | cut -d'"' -f2)"
+          tag="${version}-${image_revision}"
+          build_ctx=$(mktemp -d)
+          cp -t "${build_ctx}" script.py
+          docker build -f Dockerfile --tag "${img}:${tag}" --tag "${img}:latest" "${build_ctx}"
+          echo "img=${img}" >> "${GITHUB_ENV}"
+          echo "tag=${tag}" >> "${GITHUB_ENV}"
+      - name: Run Trivy - image scan
+        run: |
+          reports_dir=$(mktemp -d)
+          docker inspect --format="{{index .Id}}" "${img}:${tag}" > "${reports_dir}/image-id.txt"
+
+          config="trivy-configs/image-scan.yaml"
+          if [ ! -f "./${config}" ]; then
+              echo "Error: Missing ./configs/${config}"
+              exit 1
+          fi
+
+          # Generate SARIF report for GitHub Security
+          docker run \
+              --rm \
+              -v /var/run/docker.sock:/var/run/docker.sock \
+              -v $HOME/.cache/trivy:/root/.cache \
+              -v "${reports_dir}":/reports \
+              -v "$(pwd)":/repo \
+              "${TRIVY_IMAGE}" \
+                  image \
+                  --config "/repo/${config}" \
+                  --format sarif \
+                  --output /reports/image-scan.sarif \
+                  "${img}:${tag}"
+
+          # Generate SBOM
+          docker run \
+              --rm \
+              -v /var/run/docker.sock:/var/run/docker.sock \
+              -v $HOME/.cache/trivy:/root/.cache \
+              -v "${reports_dir}":/reports \
+              -v $(pwd):/repo \
+              "${TRIVY_IMAGE}" \
+                  image \
+                  --config "/repo/${config}" \
+                  --format cyclonedx \
+                  --output /reports/trivy-sbom.json \
+                  "${img}:${tag}"
+          echo "reports_dir=${reports_dir}" >> "$GITHUB_ENV"
+      - name: Upload artifacts to GHA
+        uses: actions/upload-artifact@v4
+        with:
+          name: 'trivy-reports'
+          path: '${{ env.reports_dir }}/'
+      # - name: Upload SARIF report
+      #   uses: github/codeql-action/upload-sarif@v3
+      #   with:
+      #     sarif_file: '${{ env.reports_dir }}/image-scan.sarif'
+      #     token: "${{ secrets.GITHUB_TOKEN }}"
+      # - name: push image
+      #   run: |
+      #     echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
+      #     docker push "$img:$tag"
+      #     docker push "$img:latest"

Dockerfile

@@ -0,0 +1,26 @@
+FROM debian:12-slim@sha256:67f3931ad8cb1967beec602d8c0506af1e37e8d73c2a0b38b181ec5d8560d395
+
+ARG PACKAGE_VERSION="1.2.3"
+ARG PACKAGE_IMAGE_REVISION="1"
+
+RUN : \
+    && apt-get update -qq \
+    && DEBIAN_FRONTEND=noninteractive apt-get upgrade -qq -y --no-install-recommends \
+    && DEBIAN_FRONTEND=noninteractive apt-get install \
+         -qq -y --no-install-recommends \
+         ca-certificates \
+         curl \
+         python3 \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* \
+    && :
+
+RUN mkdir /safe_data /safe_outputs /scratch
+
+WORKDIR /src
+COPY script.py script.py
+
+RUN groupadd --system nonroot && useradd --no-log-init --system --gid nonroot nonroot
+USER nonroot
+
+ENTRYPOINT ["python3", "script.py"]

hadolint.yaml

@@ -0,0 +1,3 @@
+ignored:
+  # Ignore "Pin versions in apt get install"
+  - DL3008

script.py

@@ -0,0 +1,6 @@
+def main() -> int:
+    print("Hello, world!")
+    return 0
+
+if __name__ == "__main__":
+    raise SystemExit(main())

trivy-configs/dockerfile.yaml

@@ -0,0 +1,10 @@
+---
+misconfiguration:
+  check-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0
+  scanners:
+    - dockerfile
+severity:
+  - MEDIUM
+  - HIGH
+  - CRITICAL
+exit-code: 1

trivy-configs/image-scan.yaml

@@ -0,0 +1,13 @@
+---
+scan:
+  scanners:
+  - vuln
+  - secret
+severity:
+  - UNKNOWN
+  - LOW
+  - MEDIUM
+  - HIGH
+  - CRITICAL
+include-non-failures: true
+timeout: 30m