.github/workflows/build.yml

@@ -9,8 +9,8 @@ on:
     paths-ignore:
       - '**.md'
   schedule:
-    # Build the image daily
+    # Build the image regularly (each Saturday)
-    - cron: '0 0 * * *'
+    - cron: '0 22 * * 6'
 
 env:
   REGISTRY: ghcr.io
@@ -67,11 +67,9 @@ jobs:
         env:
           TAGS: ${{ steps.meta.outputs.tags }}
 
-  trivy:
+  scan:
-    name: Scan current image with Trivy
+    name: Scan current image & report results
     needs: build
-    permissions:
-      security-events: write
     runs-on: "ubuntu-latest"
     steps:
       - name: Run Trivy vulnerability scanner
@@ -88,24 +86,3 @@ jobs:
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'
-          category: 'trivy'
-
-  grype:
-    name: Scan current image with Grype
-    needs: build
-    permissions:
-      security-events: write
-    runs-on: "ubuntu-latest"
-    steps:
-      - name: Run Grype vulnerability scanner
-        uses: anchore/scan-action@v3
-        id: grype
-        with:
-          image: "ghcr.io/tommytran732/matrix.to"
-          fail-build: false
-
-      - name: Upload Grype scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: ${{ steps.grype.outputs.sarif }}
-          category: grype

.github/workflows/scan.yml

@@ -0,0 +1,27 @@
+name: Scan
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Scan the image regularly (once a day)
+    - cron: '0 23 * * *'
+
+jobs:
+  scan:
+    name: Scan current image & report results
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'ghcr.io/tommytran732/matrix.to'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+          vuln-type: "os,library"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'

Dockerfile

@@ -43,9 +43,7 @@ WORKDIR /home/matrix-to/matrix.to
 
 RUN git apply /home/matrix-to/matrix.to/element.patch \
     && rm -rf .git \
-    && rm -rf yarn.lock \
     && yarn \
-    && yarn cache clean \
     && yarn build
 
 COPY --from=hmalloc-builder /tmp/hardened_malloc/out/libhardened_malloc.so /usr/local/lib/

README.md

@@ -11,10 +11,4 @@ This is my own Docker image building from [the official repository](https://gith
 - Don't trust random images: build yourself if you can.
 - Default Element instance is changed from [Element.io](https://app.element.io) to [ArcticFoxes.net](https://element.arcticfoxes.net)
 - The Dockerfile builds from the main branch, as releases do not come out frequently.
-- `yarn.lock` is ignored, as upstream does not bump dependencies properly.
+- The image comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag.
-
-### Features & usage
-- Unprivileged image: default UID/GID is 992.
-- Based on the latest [Alpine](https://alpinelinux.org/) container which provide more recent packages while having less attack surface.
-- Daily rebuilds keeping image up-to-date.
-- Comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag, protecting against some heap-based buffer overflows.