Working on getting Trivy report into Security Tab

davidjeddy · davidjeddy · commit b08ab726f021 · 2026-03-12T14:29:46.000+01:00
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
@@ -34,11 +34,11 @@ jobs:
 
       - name: Build an image from Dockerfile
         run: |
-          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{matrix.arch}} .
+          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.SHA }}-${{matrix.arch}} .
 
       - name: Push an image
         run: |
-          docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{matrix.arch}}
+          docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.SHA }}-${{matrix.arch}}
 
   manifest_build_and_push_on_feature:
     if: github.ref != 'refs/heads/main'
@@ -55,8 +55,8 @@ jobs:
         run: |
             docker manifest create \
               ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.SHA }} \
-              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:amd64 \
-              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:arm64
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.SHA }}-amd64 \
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.SHA }}-arm64
 
       - name: Push manifest
         run: |
@@ -78,8 +78,8 @@ jobs:
         run: |
             docker manifest create \
               ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }} \
-              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:amd64 \
-              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:arm64
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.SHA }}-amd64 \
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.SHA }}-arm64
 
       - name: Push manifest
         run: |
diff --git a/.github/workflows/dive.yml b/.github/workflows/dive.yml
@@ -1,21 +1,27 @@
 name: Dive Test
 
-on: [pull_request]
+on: push
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_NAME: appwrite/base
+  REGISTRY: docker.io
 
 jobs:
   dive:
     runs-on: ubuntu-latest
-    name: Analyze image efficiency
     steps:
       - name: Checkout code
         uses: actions/checkout@v6.0.2
 
       - name: Build an image from Dockerfile
         run: |
-          docker image build -t appwrite/docker-base:${{ github.sha }} .
+          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
 
       - name: Dive
         uses: yuichielectric/dive-action@0.0.4
         with:
           github-token: ${{ secrets.GH_TOKEN }}
-          image: appwrite/docker-base:${{ github.sha }}
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.SHA }}
diff --git a/.github/workflows/lifecycle-policy.yml b/.github/workflows/lifecycle-policy.yml
@@ -1,35 +1,36 @@
-# # https://github.com/marketplace/actions/delete-package-versions
-# # Ignore SemVer tags (proper releases)
-# # Keep 7 sha tagged images (ordred by publish datetime)
+# https://github.com/marketplace/actions/delete-package-versions
+# Ignore SemVer tags (proper releases)
+# Keep 7 sha tagged images (ordred by publish datetime)
 
-# name: Container Lifecycle Policy
+name: Container Lifecycle Policy
 
-# on:
-#   schedule:
-#     - cron: '30 9 * * *'
+on:
+  schedule:
+    - cron: '30 9 * * *'
 
-# permissions:
-#   contents: read
+permissions:
+  contents: read
 
-# env:
-#   IMAGE_NAME: appwrite/base
-#   REGISTRY: docker.io
+env:
+  IMAGE_NAME: appwrite/base
+  REGISTRY: docker.io
 
-# jobs:
-#   prune_sha_tagged_images:
-#     runs-on: ubuntu-24.04
-#     steps:
-#       - name: Login to DockerHub
-#         uses: docker/login-action@v4
-#         with:
-#           username: ${{ secrets.DOCKERHUB_USERNAME }}
-#           password: ${{ secrets.DOCKERHUB_TOKEN }}
+jobs:
+  prune_sha_tagged_images:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Login to DockerHub
+        uses: docker/login-action@v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-#       # https://github.com/marketplace/actions/delete-package-versions#delete-oldest-x-number-of-versions-while-ignoring-particular-package-versions
-#       # Ignore SemVer tagged images https://ihateregex.io/expr/semver/
-#       - uses: actions/delete-package-versions@v5
-#         with: 
-#           ignore-versions: '^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$'
-#           min-versions-to-keep: 7
-#           package-name: 'base'
-#           package-type: 'container'
+      # TODO pull all the images in the registry before running this. Be sure we have a backup
+      # # https://github.com/marketplace/actions/delete-package-versions#delete-oldest-x-number-of-versions-while-ignoring-particular-package-versions
+      # # Ignore SemVer tagged images https://ihateregex.io/expr/semver/
+      # - uses: actions/delete-package-versions@v5
+      #   with: 
+      #     ignore-versions: '^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$'
+      #     min-versions-to-keep: 7
+      #     package-name: 'base'
+      #     package-type: 'container'
diff --git a/.github/workflows/scheduled-trivy.yml b/.github/workflows/scheduled-trivy.yml
@@ -10,34 +10,36 @@ on:
     - cron: '43 11 * * 6'
 
 permissions:
-  contents: read
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+env:
+  IMAGE_NAME: appwrite/base
+  REGISTRY: docker.io
 
 jobs:
   scheduled_trivy:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-    name: Build
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v6.0.2
 
       - name: Build an image from Dockerfile
         run: |
-          docker image build -t appwrite/docker-base:${{ github.sha }} .
+          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@0.35.0
         with:
           image-ref: 'appwrite/docker-base:${{ github.sha }}'
           format: 'template'
           template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
+          output: 'trivy-image-results.sarif'
           severity: 'CRITICAL,HIGH'
 
+      # https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v4.32.6
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: 'trivy-image-results.sarif'
diff --git a/.github/workflows/structure-test.yml b/.github/workflows/structure-test.yml
@@ -1,11 +1,14 @@
+# https://github.com/marketplace/actions/container-structure-test-action
 name: Container Structure Test
 
-on: [pull_request]
+on: push
+
+permissions:
+  contents: read
 
 env:
   REGISTRY: docker.io
   IMAGE_NAME: appwrite/base
-  TAG: ${{ github.event.release.tag_name }}
 
 jobs:
   structure_test:
@@ -14,13 +17,12 @@ jobs:
       - name: Checkout the repo
         uses: actions/checkout@v6.0.2
 
-      - name: Setup container-structure-test
+      - name: Build an image from Dockerfile
         run: |
-          curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64
-          chmod +x container-structure-test-linux-amd64
-          sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test
+          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
 
-      - name: Run container structure test
-        run: |
-          docker build -t appwrite-base-test .
-          container-structure-test test --image appwrite-base-test --config tests.yaml
+      - name: Run container structure tests
+        uses: plexsystems/container-structure-test-action@v0.1.0
+        with:
+          image: m${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          config: tests.yaml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -1,36 +1,38 @@
+# https://github.com/aquasecurity/trivy-action
 name: Push Trivy Scan
 
 on: push
 
 permissions:
-  contents: read
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+env:
+  IMAGE_NAME: appwrite/base
+  REGISTRY: docker.io
 
 jobs:
   trivy:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-    name: Build
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v6.0.2
 
       - name: Build an image from Dockerfile
         run: |
-          docker image build -t appwrite/docker-base:${{ github.sha }} .
+          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
 
-      - name: Run Trivy vulnerability scanner
+      - name: Run Trivy vulnerability scanner (sarif report)
         uses: aquasecurity/trivy-action@0.35.0
         with:
-          image-ref: 'appwrite/docker-base:${{ github.sha }}'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
+          format: 'sarif'
+          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'
+          output: 'trivy-image-results.sarif'
           severity: 'CRITICAL,HIGH'
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4.32.6
+      # https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml
+      - name: Upload Trivy scan results
+        uses: github/codeql-action/upload-sarif@v4
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: '.'
diff --git a/CHANGES.md b/CHANGES.md
@@ -12,20 +12,20 @@
 * container-structure-test to check PHP version (currently set to 8.5.3)
 * container-structure-test to check swoole version (currently set to 6.2.0)
 * SECURITY.md to align with appwrite/appwrite
-* 
 
 ### Change
 
 * .github/*.yml steps updated to latest versions
 * .gitignore now includes log and scanning output rules
-* Better document use of `docker-buildx build ...` for local builds
+* Better document use of `docker buildx ...` for local builds
 * Better noted and organized the different build processes for PHP extensions
 * Date component of PHP extension shared objects directory now a build argument
 * Dockerfile compile and final stage system packages aligned
+* Github action for container-structure-test now uses a marketplace action
 * Github action runners pinned to Ubuntu 24.04
 * ImageMagick version bumped to 7.1.2.15, tests.yaml aligned to ensure new version
 * PHP version bumped to 8.5.3
-* Refactory multi-arch build process to prevent cross-arch builds requiring long wait times
+* Refactored multi-arch build process to prevent cross-arch builds requiring long wait times
 * Swoole version bumped to 6.2.0
 
 ### Fixes
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-ARG BASE_IMAGE="php:8.5.3-cli-alpine3.23"
+ARG BASE_IMAGE="phpswoole/swoole:php8.5-alpine"
 ARG PHP_BUILD_DATE="20250925"
 
 FROM $BASE_IMAGE AS compile
@@ -168,9 +168,7 @@ RUN pecl install opentelemetry-${PHP_OPENTELEMETRY_VERSION}
 FROM compile AS protobuf
 RUN pecl install protobuf-${PHP_PROTOBUF_VERSION}
 
-# FROM $BASE_IMAGE AS final
-FROM "phpswoole/swoole:php8.5-alpine" AS final
-
+FROM $BASE_IMAGE AS final
 
 # Pass in ARGS to use as label values and path components
 
diff --git a/README.md b/README.md
@@ -37,7 +37,7 @@ In order to run this container you'll need the Docker runtime installed.
 ## Build
 
 ```shell
-docker-buildx build --no-cache --tag appwrite/base:latest .
+docker buildx --no-cache --tag appwrite/base:latest .
 # exit code 0
 ```
 
@@ -77,7 +77,7 @@ docker run appwrite/base:latest php -m
 
 ## Push
 
-Note: Build of the image and push to the registry shoudl be handle by automation.
+Pushing a built image to a repository should be handle by automation.
 
 ```bash
 docker push appwrite/base:latest | tee "push-$(date +%s).log"
diff --git a/SECURITY.md b/SECURITY.md
diff --git a/TODO.md b/TODO.md
diff --git a/tests.yaml b/tests.yaml
