Merge pull request #18 from sarg3nt/update-security.md--and-trivy

Update-security.md--and-trivy
sarg3nt · Oct 30, 2024 · 3a9ae34 · 3a9ae34
2 parents dd46b55 + fc3646d
commit 3a9ae34
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 4 deletions.
diff --git a/.github/workflows/patch-upgrades-release.yml b/.github/workflows/patch-upgrades-release.yml
@@ -4,9 +4,6 @@ on:
   schedule:
     - cron: '0 0 * * 0' # Runs weekly
   workflow_dispatch: # Allows manual triggering
-  pull_request:
-    branches:
-      - main
 
 permissions: read-all
 

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -48,6 +48,7 @@ jobs:
       - name: Build and push Docker image
         uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
+          build-args: GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
           push: false
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
 

diff --git a/Dockerfile b/Dockerfile
@@ -15,6 +15,10 @@ LABEL org.opencontainers.image.source=https://github.com/sarg3nt/go-dev-containe
 
 ENV TZ='America/Los_Angeles'
 
+# Token for talking to the Github API for mise and our custom installs.
+ARG GITHUB_TOKEN=""
+ENV GITHUB_API_TOKEN=$GITHUB_TOKEN
+
 # What user will be created in the dev container and will we run under.
 # Reccomend not changing this.
 ENV USERNAME="vscode"

diff --git a/SECURITY.md b/SECURITY.md
@@ -8,5 +8,6 @@ Dependabot is used to maintain dependency versions.
 
 ## Reporting a Vulnerability
 
-Report found vulnerabilities by contacting us at [security@sarg3.net](mailto:security@sarg3.net)
+- Create an Issue for low impact vulnerabilities.
+- Report high impact vulnerabilities by contacting us at [security@sarg3.net](mailto:security@sarg3.net)