1
0
mirror of https://github.com/tommytran732/Matrix.to-Docker synced 2024-11-24 18:51:34 -05:00

Compare commits

...

8 Commits

Author SHA1 Message Date
85adc95998
Update README.md
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-12 02:49:50 -07:00
621dbf7d82
Ignore yarn.lock
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-12 02:37:55 -07:00
2c88225667
Typo Fix
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-12 02:01:23 -07:00
f5dfb4801a
Disable Grype fail-build
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-12 01:58:12 -07:00
7d3dd174af
Switch Clair to Grype
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-12 01:52:46 -07:00
0924408ecd
Add clair vulnerability scanner
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-12 01:17:20 -07:00
1a9dd596ed
Change build schedule to daily
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-12 01:10:09 -07:00
fc894556bb
More granular permission control
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-12 01:07:46 -07:00
4 changed files with 37 additions and 33 deletions

View File

@ -9,8 +9,8 @@ on:
paths-ignore:
- '**.md'
schedule:
# Build the image regularly (each Saturday)
- cron: '0 22 * * 6'
# Build the image daily
- cron: '0 0 * * *'
env:
REGISTRY: ghcr.io
@ -67,9 +67,11 @@ jobs:
env:
TAGS: ${{ steps.meta.outputs.tags }}
scan:
name: Scan current image & report results
trivy:
name: Scan current image with Trivy
needs: build
permissions:
security-events: write
runs-on: "ubuntu-latest"
steps:
- name: Run Trivy vulnerability scanner
@ -85,4 +87,25 @@ jobs:
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
sarif_file: 'trivy-results.sarif'
category: 'trivy'
grype:
name: Scan current image with Grype
needs: build
permissions:
security-events: write
runs-on: "ubuntu-latest"
steps:
- name: Run Grype vulnerability scanner
uses: anchore/scan-action@v3
id: grype
with:
image: "ghcr.io/tommytran732/matrix.to"
fail-build: false
- name: Upload Grype scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.grype.outputs.sarif }}
category: grype

View File

@ -1,27 +0,0 @@
name: Scan
on:
workflow_dispatch:
schedule:
# Scan the image regularly (once a day)
- cron: '0 23 * * *'
jobs:
scan:
name: Scan current image & report results
runs-on: "ubuntu-latest"
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/tommytran732/matrix.to'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
vuln-type: "os,library"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'

View File

@ -43,7 +43,9 @@ WORKDIR /home/matrix-to/matrix.to
RUN git apply /home/matrix-to/matrix.to/element.patch \
&& rm -rf .git \
&& rm -rf yarn.lock \
&& yarn \
&& yarn cache clean \
&& yarn build
COPY --from=hmalloc-builder /tmp/hardened_malloc/out/libhardened_malloc.so /usr/local/lib/

View File

@ -11,4 +11,10 @@ This is my own Docker image building from [the official repository](https://gith
- Don't trust random images: build yourself if you can.
- Default Element instance is changed from [Element.io](https://app.element.io) to [ArcticFoxes.net](https://element.arcticfoxes.net)
- The Dockerfile builds from the main branch, as releases do not come out frequently.
- The image comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag.
- `yarn.lock` is ignored, as upstream does not bump dependencies properly.
### Features & usage
- Unprivileged image: default UID/GID is 992.
- Based on the latest [Alpine](https://alpinelinux.org/) container which provide more recent packages while having less attack surface.
- Daily rebuilds keeping image up-to-date.
- Comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag, protecting against some heap-based buffer overflows.