Skip to content

Commit

Permalink
chore: add kubescape image scanner
Browse files Browse the repository at this point in the history
  • Loading branch information
Demonsthere committed Jun 5, 2024
1 parent 9add863 commit 7c6bccb
Show file tree
Hide file tree
Showing 4 changed files with 12 additions and 3 deletions.
2 changes: 1 addition & 1 deletion .docker/Dockerfile-alpine
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM alpine:3.18.3
FROM alpine:3.20.0

RUN addgroup -S ory; \
adduser -S ory -G ory -D -H -s /bin/nologin
Expand Down
2 changes: 1 addition & 1 deletion .docker/Dockerfile-build
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ RUN go build -o /usr/bin/oathkeeper .

#########################

FROM gcr.io/distroless/static-debian11:nonroot AS runner
FROM gcr.io/distroless/static-debian12:nonroot AS runner

COPY --from=builder --chown=nonroot:nonroot /usr/bin/oathkeeper /usr/bin/oathkeeper

Expand Down
2 changes: 1 addition & 1 deletion .docker/Dockerfile-distroless-static
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM gcr.io/distroless/static-debian11:nonroot
FROM gcr.io/distroless/static-debian12:nonroot

COPY --chown=nonroot:nonroot oathkeeper /usr/bin/oathkeeper
EXPOSE 4455 4456
Expand Down
9 changes: 9 additions & 0 deletions .github/workflows/cve-scan.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,15 @@ jobs:
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.grype-scan.outputs.sarif }}
- name: Kubescape scanner
uses: kubescape/github-action@main
id: kubescape
with:
image: oryd/oathkeeper:${{ env.SHA_SHORT }}
verbose: true
format: pretty-printer
# can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
severityThreshold: critical
- name: Trivy Scanner
uses: aquasecurity/trivy-action@master
if: ${{ always() }}
Expand Down

0 comments on commit 7c6bccb

Please sign in to comment.