1
0
mirror of https://github.com/tommytran732/Matrix.to-Docker synced 2024-11-25 03:01:34 -05:00

Compare commits

..

No commits in common. "85adc95998af45295605ae81247914acc711d0ab" and "3345c8bbe734cfc0805e5749f30f2f4af8c8a190" have entirely different histories.

4 changed files with 33 additions and 37 deletions

View File

@ -9,8 +9,8 @@ on:
paths-ignore:
- '**.md'
schedule:
# Build the image daily
- cron: '0 0 * * *'
# Build the image regularly (each Saturday)
- cron: '0 22 * * 6'
env:
REGISTRY: ghcr.io
@ -67,11 +67,9 @@ jobs:
env:
TAGS: ${{ steps.meta.outputs.tags }}
trivy:
name: Scan current image with Trivy
scan:
name: Scan current image & report results
needs: build
permissions:
security-events: write
runs-on: "ubuntu-latest"
steps:
- name: Run Trivy vulnerability scanner
@ -88,24 +86,3 @@ jobs:
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
category: 'trivy'
grype:
name: Scan current image with Grype
needs: build
permissions:
security-events: write
runs-on: "ubuntu-latest"
steps:
- name: Run Grype vulnerability scanner
uses: anchore/scan-action@v3
id: grype
with:
image: "ghcr.io/tommytran732/matrix.to"
fail-build: false
- name: Upload Grype scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.grype.outputs.sarif }}
category: grype

27
.github/workflows/scan.yml vendored Normal file
View File

@ -0,0 +1,27 @@
name: Scan
on:
workflow_dispatch:
schedule:
# Scan the image regularly (once a day)
- cron: '0 23 * * *'
jobs:
scan:
name: Scan current image & report results
runs-on: "ubuntu-latest"
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/tommytran732/matrix.to'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
vuln-type: "os,library"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'

View File

@ -43,9 +43,7 @@ WORKDIR /home/matrix-to/matrix.to
RUN git apply /home/matrix-to/matrix.to/element.patch \
&& rm -rf .git \
&& rm -rf yarn.lock \
&& yarn \
&& yarn cache clean \
&& yarn build
COPY --from=hmalloc-builder /tmp/hardened_malloc/out/libhardened_malloc.so /usr/local/lib/

View File

@ -11,10 +11,4 @@ This is my own Docker image building from [the official repository](https://gith
- Don't trust random images: build yourself if you can.
- Default Element instance is changed from [Element.io](https://app.element.io) to [ArcticFoxes.net](https://element.arcticfoxes.net)
- The Dockerfile builds from the main branch, as releases do not come out frequently.
- `yarn.lock` is ignored, as upstream does not bump dependencies properly.
### Features & usage
- Unprivileged image: default UID/GID is 992.
- Based on the latest [Alpine](https://alpinelinux.org/) container which provide more recent packages while having less attack surface.
- Daily rebuilds keeping image up-to-date.
- Comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag, protecting against some heap-based buffer overflows.
- The image comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag.