diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9d7be9a..3c0a869 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,8 +9,8 @@ on: paths-ignore: - '**.md' schedule: - # Build the image regularly (each Saturday) - - cron: '0 22 * * 6' + # Build the image daily + - cron: '0 0 * * *' env: REGISTRY: ghcr.io @@ -29,11 +29,6 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - - name: Extract version for tags - run: | - echo "FULL_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile)" >> $GITHUB_ENV - echo "MAJOR_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c5)" >> $GITHUB_ENV - - name: Install cosign if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@v3 @@ -56,8 +51,6 @@ jobs: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | latest - ${{ env.FULL_VERSION }} - ${{ env.MAJOR_VERSION }} - name: Build and push Docker image id: build-and-push @@ -74,9 +67,11 @@ jobs: env: TAGS: ${{ steps.meta.outputs.tags }} - scan: - name: Scan current image & report results + trivy: + name: Scan current image with Trivy needs: build + permissions: + security-events: write runs-on: "ubuntu-latest" steps: - name: Run Trivy vulnerability scanner @@ -93,3 +88,24 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' + category: 'trivy' + + grype: + name: Scan current image with Grype + needs: build + permissions: + security-events: write + runs-on: "ubuntu-latest" + steps: + - name: Run Grype vulnerability scanner + uses: anchore/scan-action@v3 + id: grype + with: + image: "ghcr.io/tommytran732/synapse" + fail-build: false + + - name: Upload Grype scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.grype.outputs.sarif }} + category: grype \ No newline at end of file diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml deleted file mode 100644 index 64a59aa..0000000 
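Review bot: Dropping the `Extract version for tags` step here, together with the `${{ env.FULL_VERSION }}` and `${{ env.MAJOR_VERSION }}` lines in the third hunk, leaves `latest` as the only tag the build publishes, and with the first hunk switching to daily rebuilds that tag now moves every night. A deployment therefore has no immutable reference to pin to other than a digest, and nothing on this page documents that. If the grep on `SYNAPSE_VERSION` in the Dockerfile was the problem, keeping at least the full version tag (for example from a workflow input or a versions file) preserves a stable reference; otherwise the README hunk should at least say that `latest` is rebuilt daily and that consumers who need reproducibility should pin `ghcr.io/tommytran732/synapse@sha256:<digest>` (placeholder) from the build log.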
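Review bot: The new job-level `permissions:` block on the renamed `trivy` job grants only `security-events: write`, which sets every other scope for that job to none; `github/codeql-action/upload-sarif` documents `actions: read` and `contents: read` as additionally required on private repositories, so the upload step would fail with a permissions error if this repository is (or becomes) private. The same block is added to the `grype` job in the last hunk. Spelling the scopes out, `permissions:` / `security-events: write` / `actions: read` / `contents: read`, keeps the job explicit about what it needs and avoids that failure mode. The job's steps run past the end of this hunk, so the Trivy invocation itself is not visible here.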
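Review bot: The `grype` job scans `ghcr.io/tommytran732/synapse` by name, i.e. whatever the registry's `latest` tag is when the job runs, not the image the `build` job it `needs` just produced; since the cosign step is gated on `github.event_name != 'pull_request'`, the push presumably is too, so on a pull request the SARIF describes the previously published image, and even on the default branch a concurrent run can be scanned instead. If the `build-and-push` step is docker/build-push-action, exposing its `digest` output as a job output on `build` and scanning `image: "ghcr.io/tommytran732/synapse@${{ needs.build.outputs.digest }}"` ties the report to the artifact (the `outputs:` addition lives in the build job, outside this hunk); the Trivy step in the previous job is outside its hunk, but the deleted scan.yml shows it used the same tag-based `image-ref`, so it likely needs the same treatment. Two smaller points: `category: grype` is unquoted while the Trivy one is `'trivy'` (quote it for consistency), and the hunk ends with `\ No newline at end of file`, so the workflow should regain its trailing newline.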
--- a/.github/workflows/scan.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Scan - -on: - workflow_dispatch: - schedule: - # Scan the image regularly (once a day) - - cron: '0 23 * * *' - -jobs: - scan: - name: Scan current image & report results - runs-on: "ubuntu-latest" - steps: - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: 'ghcr.io/tommytran732/synapse' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' - vuln-type: "os,library" - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' diff --git a/README.md b/README.md index 591c7f5..2bfbfb2 100644 --- a/README.md +++ b/README.md 
@@ -5,16 +5,15 @@ [Synapse](https://github.com/matrix-org/synapse) is a [Matrix](https://matrix.org/) implementation written in Python. ### Notes -- Prebuilt images are available at `ghcr.io/tommytran732/synapse` and `quay.io/tommytran732/synapse`. +- Prebuilt images are available at `ghcr.io/tommytran732/synapse`. - Don't trust random images: build yourself if you can. - Always keep your software up-to-date: manage versions with [build-time variables](https://github.com/TommyTran732/Synapse-Docker/blob/main/Dockerfile#L1-L4). -- Images from `ghcr.io` are built every week and scanned every day for critical vulnerabilities with Trivy. I recommend that you use these images. -- Images from `quay.io` are built on every push event and scanned for vulnerabilities with Clair. ### Features & usage - Drop-in replacement for the [official image](https://github.com/matrix-org/synapse/tree/develop/docker). - Unprivileged image: you should check your volumes permissions (eg `/data`), default UID/GID is 991. - Based on the latest [Alpine](https://alpinelinux.org/) containers which provide more recent packages while having less attack surface. +- Daily rebuilds keeping the image up-to-date. - Comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag, protecting against some heap-based buffer overflows. - [Mjolnir module](https://github.com/matrix-org/mjolnir/blob/main/docs/synapse_module.md) support.