From 9560832b763b414635cb858f3834ba6cf9607ca7 Mon Sep 17 00:00:00 2001 From: Jacques ROUSSEL Date: Fri, 27 Sep 2024 16:26:28 +0200 Subject: [PATCH 1/4] =?UTF-8?q?=E2=9C=A8(ci)=20add=20security=20scan?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a security scan for CVE with trivy --- .github/workflows/docker-hub.yml | 17 +++++++++++++++-- CHANGELOG.md | 1 + 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml index 7ad206946..81a3c0116 100644 --- a/.github/workflows/docker-hub.yml +++ b/.github/workflows/docker-hub.yml @@ -1,4 +1,5 @@ name: Docker Hub Workflow +run-name: Docker Hub Workflow on: workflow_dispatch: @@ -48,9 +49,15 @@ jobs: name: Login to DockerHub if: github.event_name != 'pull_request' run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin + - + name: Run trivy scan + uses: numerique-gouv/action-trivy-cache@main + with: + docker-build-args: '--target backend-production -f Dockerfile' + docker-image-name: 'docker.io/lasuite/people-backend:${{ github.sha }}' - name: Build and push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . target: backend-production @@ -92,9 +99,15 @@ jobs: name: Login to DockerHub if: github.event_name != 'pull_request' run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin + - + name: Run trivy scan + uses: numerique-gouv/action-trivy-cache@main + with: + docker-build-args: '-f Dockerfile --target frontend-production' + docker-image-name: 'docker.io/lasuite/people-frontend:${{ github.sha }}' - name: Build and push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . target: frontend-production diff --git a/CHANGELOG.md b/CHANGELOG.md index b39df489e..02a8be460 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
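Review bot: `uses: numerique-gouv/action-trivy-cache@main` in the new backend scan step tracks a mutable branch of a third-party action, and the step runs right after `docker login`, so whatever that branch contains executes with the registry credential already written to `~/.docker/config.json` (and, judging by the login step having no step-level `env:`, with `DOCKER_HUB_PASSWORD` in the job environment). Pin it to a full commit SHA with the version kept as a comment, `uses: numerique-gouv/action-trivy-cache@<full-commit-sha> # vX.Y`, and place the scan before the login step so the scanner never runs with push access. Whether a finding fails the job is decided by the action's defaults, which are not visible here; if it accepts severity or exit-code inputs, set them explicitly so the gate is documented in the workflow rather than implied.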
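Review bot: The frontend scan step builds its own image from `docker-build-args: '-f Dockerfile --target frontend-production'` and labels it `docker.io/lasuite/people-frontend:${{ github.sha }}`, while the Build and push step that follows performs a separate build, so the image that was scanned is not provably the image that gets pushed even though both carry the same tag. Prefer scanning the artifact that ships: build with `load: true` in build-push-action, point the scanner at that local tag, then push in a later step (the build-push configuration continues outside this hunk, so confirm nothing there depends on a single build-and-push step). As a style point, order the arguments the same way as the backend step (`'--target frontend-production -f Dockerfile'`) so the two jobs diff cleanly, and pin `@main` to a commit SHA as in the backend job.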
@@ -15,6 +15,7 @@ and this project adheres to ### Added +- ✨(ci) add security scan #429 - ✨(teams) register contacts on admin views ### Fixed From b7d1e12e1f56382842c32fb71dddad2101084d90 Mon Sep 17 00:00:00 2001 From: Jacques ROUSSEL Date: Fri, 27 Sep 2024 16:51:09 +0200 Subject: [PATCH 2/4] =?UTF-8?q?=F0=9F=9A=91=EF=B8=8F(frontend)=20fixe=20CV?= =?UTF-8?q?Es=20in=20frontend=20image?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use alpine version for production image instead of debian in order tohave less CVEs. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 22c02ed42..fc0a9bb16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -40,7 +40,7 @@ FROM frontend-builder-dev as frontend-builder RUN yarn build # ---- Front-end image ---- -FROM nginxinc/nginx-unprivileged:1.25 as frontend-production +FROM nginxinc/nginx-unprivileged:1.26-alpine as frontend-production # Un-privileged user running the application ARG DOCKER_USER From 0ab465cd8ee4061f00d6abf6ea34bc28ab81f217 Mon Sep 17 00:00:00 2001 From: Jacques ROUSSEL Date: Fri, 27 Sep 2024 17:39:17 +0200 Subject: [PATCH 3/4] =?UTF-8?q?=F0=9F=9A=91=EF=B8=8F(backend)=20fixe=20CVE?= =?UTF-8?q?s=20in=20backend=20image?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use alpine version for production image instead of debian in order to have less CVEs. --- Dockerfile | 38 +++++++++++++++----------------------- 1 file changed, 15 insertions(+), 23 deletions(-) diff --git a/Dockerfile b/Dockerfile index fc0a9bb16..79c0c5bea 100644 --- a/Dockerfile +++ b/Dockerfile 
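Review bot: `FROM nginxinc/nginx-unprivileged:1.26-alpine as frontend-production` swaps one floating tag for another: `1.26-alpine` moves across 1.26.x releases and Alpine rebuilds, so the CVE result the scan produces for this commit says nothing about what a later build of the same Dockerfile will contain. Pin the tag by digest, `FROM nginxinc/nginx-unprivileged:1.26-alpine@sha256:<digest> as frontend-production`, and let a dependency bot bump the digest, which keeps the scanned image and the shipped image in step. The rest of the stage is outside this hunk, so the nginx configuration it copies is not reviewed here.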
@@ -1,15 +1,14 @@ # Django People # ---- base image to inherit from ---- -FROM python:3.10-slim-bullseye as base +FROM python:3.12.6-alpine3.20 as base # Upgrade pip to its latest release to speed up dependencies installation -RUN python -m pip install --upgrade pip +RUN python -m pip install --upgrade pip setuptools # Upgrade system packages to install security updates -RUN apt-get update && \ - apt-get -y upgrade && \ - rm -rf /var/lib/apt/lists/* +RUN apk update && \ + apk upgrade ### ---- Front-end dependencies image ---- FROM node:20 as frontend-deps @@ -88,11 +87,9 @@ FROM base as link-collector ARG PEOPLE_STATIC_ROOT=/data/static # Install libpangocairo & rdfind -RUN apt-get update && \ - apt-get install -y \ - libpangocairo-1.0-0 \ - rdfind && \ - rm -rf /var/lib/apt/lists/* +RUN apk add \ + pango \ + rdfind # Copy installed python dependencies COPY --from=back-builder /install /usr/local @@ -116,16 +113,13 @@ FROM base as core ENV PYTHONUNBUFFERED=1 # Install required system libs -RUN apt-get update && \ - apt-get install -y \ - gettext \ - libcairo2 \ - libffi-dev \ - libgdk-pixbuf2.0-0 \ - libpango-1.0-0 \ - libpangocairo-1.0-0 \ - shared-mime-info && \ - rm -rf /var/lib/apt/lists/* +RUN apk add \ + gettext \ + cairo \ + libffi-dev \ + gdk-pixbuf \ + pango \ + shared-mime-info # Copy entrypoint COPY ./docker/files/usr/local/bin/entrypoint /usr/local/bin/entrypoint @@ -155,9 +149,7 @@ FROM core as backend-development USER root:root # Install psql -RUN apt-get update && \ - apt-get install -y postgresql-client && \ - rm -rf /var/lib/apt/lists/* +RUN apk add postgresql-client # Uninstall people and re-install it in editable mode along with development # dependencies From 2dc0d518f5915862295074273b49c263216ea7e2 Mon Sep 17 00:00:00 2001 
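Review bot: `RUN apk update && apk upgrade` in the new base stage persists the fetched package index under `/var/cache/apk` in the layer, where the Debian version it replaces removed `/var/lib/apt/lists/*`; the Alpine idiom is `RUN apk upgrade --no-cache`, which fetches a fresh index without keeping it. Every later stage inherits from `base`, so moving from `python:3.10-slim-bullseye` (glibc) to `python:3.12.6-alpine3.20` (musl) also changes which wheels pip can use in the back-builder stage: manylinux wheels do not load under musl, so any dependency without a musllinux wheel must be compiled there, which needs `build-base` and the relevant `-dev` headers — that stage is outside this hunk, so confirm it still resolves. The Python minor bump from 3.10 to 3.12 rides along in a commit titled as a CVE fix; it deserves its own line in the commit message and CHANGELOG so the behaviour change is not lost behind the distro swap.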
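Review bot: `RUN apk add pango rdfind` in the link-collector stage drops the cleanup the removed `apt-get` form had (`rm -rf /var/lib/apt/lists/*`) without adding its Alpine equivalent, so the package index stays in the layer; write it `RUN apk add --no-cache pango rdfind`. The same applies to the other two `apk add` lines this patch introduces (the core stage and the `postgresql-client` line in backend-development). Pinning versions (`pango=<ver> rdfind=<ver>`, hadolint DL3018) would make the layer reproducible, but Alpine removes old package revisions from its repositories, so if you do pin, pair it with a bot that bumps the pins.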
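Review bot: The core stage installs `libffi-dev` into what later becomes the production runtime image; nothing visible in this stage compiles anything, so if the only consumer is `cffi`-based code at runtime the `libffi` runtime package suffices and the headers and static archive can stay out of the shipped image (the Debian list carried the same `-dev` package, so this is a pre-existing choice the commit preserves rather than introduces — confirm before changing it). Whichever package is kept, the line should use the no-cache form, `RUN apk add --no-cache gettext cairo libffi gdk-pixbuf pango shared-mime-info`, and a comment naming what each library is for (cairo/pango/gdk-pixbuf for PDF rendering, gettext for translations) would spare the next person from rediscovering it. The stage continues outside this hunk.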
From: Laurent Bossavit Date: Tue, 5 Nov 2024 15:00:38 +0100 Subject: [PATCH 4/4] =?UTF-8?q?=E2=9C=A8(ci)=20add=20security=20scan?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Separate security scan from build-and-push, so we can make it optional in CI --- .github/workflows/docker-hub.yml | 36 ++++++++++++++++++++++++++------ 1 file changed, 30 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml index 81a3c0116..28b4cc6f6 100644 --- a/.github/workflows/docker-hub.yml +++ b/.github/workflows/docker-hub.yml @@ -16,6 +16,36 @@ env: DOCKER_USER: 1001:127 jobs: + trivy-scan: + runs-on: ubuntu-latest + steps: + - + uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ secrets.APP_ID }} + private-key: ${{ secrets.PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: "people,secrets" + - + name: Checkout repository + uses: actions/checkout@v2 + with: + submodules: recursive + token: ${{ steps.app-token.outputs.token }} + - + name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: lasuite/people-backend + - + name: Run trivy scan + uses: numerique-gouv/action-trivy-cache@main + with: + docker-build-args: '--target backend-production -f Dockerfile' + docker-image-name: 'docker.io/lasuite/people-backend:${{ github.sha }}' + build-and-push-backend: runs-on: ubuntu-latest steps: @@ -49,12 +79,6 @@ jobs: name: Login to DockerHub if: github.event_name != 'pull_request' run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin - - - name: Run trivy scan - uses: numerique-gouv/action-trivy-cache@main - with: - docker-build-args: '--target backend-production -f Dockerfile' - docker-image-name: 'docker.io/lasuite/people-backend:${{ github.sha }}' - name: Build and push uses: docker/build-push-action@v6
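Review bot: The new `trivy-scan` job checks out with `actions/checkout@v2`, two majors behind current and running on a deprecated Node runtime; use `uses: actions/checkout@v4`. The job mints a GitHub App token scoped to `repositories: "people,secrets"` and hands it to checkout, which is more than a read-only image scan should need — if `secrets` is a submodule the Dockerfile build genuinely requires it is justified, otherwise drop it from the list, and either way give the job an explicit `permissions:` block so the default GITHUB_TOKEN grant is not broader than the scan. The `Docker meta` step (`id: meta`) produces outputs nothing in the job consumes, so it can go, and `numerique-gouv/action-trivy-cache@main` should be pinned to a full commit SHA as it executes in the same runner as the app token. Nothing in the hunk adds `needs: trivy-scan` to `build-and-push-backend`, which matches the stated intent of an optional scan but should be written down next to the job (`# advisory only: build jobs do not wait on this`), and judging by the diffstat the frontend image is not covered by the new job while its inline scan step stays in the frontend build job.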