Update README.md

Signed-off-by: Tommy <contact@tommytran.io>

.github/workflows/build.yml

@@ -9,8 +9,8 @@ on:
     paths-ignore:
       - '**.md'
   schedule:
-    # Build the image regularly (each Saturday)
+    # Build the image daily
-    - cron: '0 22 * * 6'
+    - cron: '0 0 * * *'
 
 env:
   REGISTRY: ghcr.io
@@ -67,9 +67,11 @@ jobs:
         env:
           TAGS: ${{ steps.meta.outputs.tags }}
 
-  scan:
+  trivy:
-    name: Scan current image & report results
+    name: Scan current image with Trivy
     needs: build
+    permissions:
+      security-events: write
     runs-on: "ubuntu-latest"
     steps:
       - name: Run Trivy vulnerability scanner
@@ -85,4 +87,25 @@ jobs:
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: 'trivy-results.sarif'
+          category: 'trivy'
+
+  grype:
+    name: Scan current image with Grype
+    needs: build
+    permissions:
+      security-events: write
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Run Grype vulnerability scanner
+        uses: anchore/scan-action@v3
+        id: grype
+        with:
+          image: "ghcr.io/tommytran732/matrix.to"
+          fail-build: false
+
+      - name: Upload Grype scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.grype.outputs.sarif }}
+          category: grype

.github/workflows/scan.yml

@@ -1,27 +0,0 @@
-name: Scan
-
-on:
-  workflow_dispatch:
-  schedule:
-    # Scan the image regularly (once a day)
-    - cron: '0 23 * * *'
-
-jobs:
-  scan:
-    name: Scan current image & report results
-    runs-on: "ubuntu-latest"
-    steps:
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'ghcr.io/tommytran732/matrix.to'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
-          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
-          vuln-type: "os,library"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results.sarif'

Dockerfile

@@ -43,7 +43,9 @@ WORKDIR /home/matrix-to/matrix.to
 
 RUN git apply /home/matrix-to/matrix.to/element.patch \
     && rm -rf .git \
+    && rm -rf yarn.lock \
     && yarn \
+    && yarn cache clean \
     && yarn build
 
 COPY --from=hmalloc-builder /tmp/hardened_malloc/out/libhardened_malloc.so /usr/local/lib/

README.md

@@ -11,4 +11,10 @@ This is my own Docker image building from [the official repository](https://gith
 - Don't trust random images: build yourself if you can.
 - Default Element instance is changed from [Element.io](https://app.element.io) to [ArcticFoxes.net](https://element.arcticfoxes.net)
 - The Dockerfile builds from the main branch, as releases do not come out frequently.
-- The image comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag.
+- `yarn.lock` is ignored, as upstream does not bump dependencies properly.
+
+### Features & usage
+- Unprivileged image: default UID/GID is 992.
+- Based on the latest [Alpine](https://alpinelinux.org/) container which provide more recent packages while having less attack surface.
+- Daily rebuilds keeping image up-to-date.
+- Comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag, protecting against some heap-based buffer overflows.