From f4b18b6cf1e94af2b39e49e07e613dc44c3068f2 Mon Sep 17 00:00:00 2001
From: nessi
Date: Sat, 14 Feb 2026 18:50:46 +0100
Subject: [PATCH 1/6] Update Docker Hub Scout config to use local login credentials Replaced the use of Docker Hub secrets with a mounted local docker configuration file for authentication. Added a check to ensure the login config exists before running scans, preventing unnecessary failures. This change enhances flexibility and aligns with local environment setups.
---
 .../workflows/container-cve-scan-development.yml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/container-cve-scan-development.yml b/.github/workflows/container-cve-scan-development.yml
index 0ad28f1..073bc2d 100644
--- a/.github/workflows/container-cve-scan-development.yml
+++ b/.github/workflows/container-cve-scan-development.yml
@@ -98,10 +98,13 @@ jobs:
 echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-backend.txt
 exit 0
 fi
+ if [ ! -f "$HOME/.docker/config.json" ]; then
+ echo "Docker Hub Scout scan skipped: docker login config not found in runner." > scout-backend.txt
+ exit 0
+ fi
 docker run --rm \
 -v /var/run/docker.sock:/var/run/docker.sock \
- -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
- -e DOCKER_SCOUT_HUB_PAT="${{ secrets.DOCKERHUB_TOKEN }}" \
+ -v "$HOME/.docker:/root/.docker:ro" \
 docker/scout-cli:latest cves nexapg-backend:dev-scan \
 --only-severity critical,high,medium,low > scout-backend.txt
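Review bot: The new `-v "$HOME/.docker:/root/.docker:ro"` line mounts the runner's whole Docker config directory — every credential helper and registry login stored there, not only the Docker Hub entry — into a third-party image that is pulled by the floating `docker/scout-cli:latest` tag and that also holds the host Docker socket. Narrowing the mount to the single file, `-v "$HOME/.docker/config.json:/root/.docker/config.json:ro"`, and pinning the image to a digest (`docker/scout-cli@sha256:<DIGEST>`, placeholder) would bound what a compromised or silently updated scanner image can read. The frontend hunk below has the same mount and the same floating tag. The enclosing `run:` block starts before this hunk.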
@@ -111,10 +114,13 @@ jobs:
 echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-frontend.txt
 exit 0
 fi
+ if [ ! -f "$HOME/.docker/config.json" ]; then
+ echo "Docker Hub Scout scan skipped: docker login config not found in runner." > scout-frontend.txt
+ exit 0
+ fi
 docker run --rm \
 -v /var/run/docker.sock:/var/run/docker.sock \
- -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
- -e DOCKER_SCOUT_HUB_PAT="${{ secrets.DOCKERHUB_TOKEN }}" \
+ -v "$HOME/.docker:/root/.docker:ro" \
 docker/scout-cli:latest cves nexapg-frontend:dev-scan \
 --only-severity critical,high,medium,low > scout-frontend.txt
From dd3f18bb066ff3b9dfe97535ade45024aa4e36d1 Mon Sep 17 00:00:00 2001
From: nessi
Date: Sat, 14 Feb 2026 18:55:52 +0100
Subject: [PATCH 2/6] Make Docker Scout scans non-blocking and update config paths. Set `continue-on-error: true` for Docker Scout steps to ensure workflows proceed even if scans fail. Updated volume paths and environment variables for Docker config and credentials to improve scanning compatibility.
---
 .../container-cve-scan-development.yml | 22 +++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/container-cve-scan-development.yml b/.github/workflows/container-cve-scan-development.yml
index 073bc2d..3c5767b 100644
--- a/.github/workflows/container-cve-scan-development.yml
+++ b/.github/workflows/container-cve-scan-development.yml
@@ -93,6 +93,7 @@ jobs:
 PY
 - name: Docker Scout scan (backend)
+ continue-on-error: true
 run: |
 if [ -z "${{ secrets.DOCKERHUB_USERNAME }}" ] || [ -z "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
 echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-backend.txt
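Review bot: `continue-on-error: true` on the backend scan step makes the job succeed whatever the scanner returns, and the same patch's next hunk also wraps the `docker run` in `|| { echo … }`, so the step itself can never fail and the "failed but continued" annotation that `continue-on-error` exists to show is never produced. A scanner that cannot authenticate or cannot fetch its vulnerability data then looks, in `scout-backend.txt`, like a scan with no findings. Keeping the step non-blocking while still surfacing the failure only needs the handler in the next hunk to end with `exit 1` after its two echo lines; the frontend step gets the same `continue-on-error` in the following hunk and would need the same. The step's `run:` body continues past the end of this hunk.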
@@ -104,11 +105,18 @@ jobs:
 fi
 docker run --rm \
 -v /var/run/docker.sock:/var/run/docker.sock \
- -v "$HOME/.docker:/root/.docker:ro" \
+ -v "$HOME/.docker:/home/scout/.docker:ro" \
+ -e DOCKER_CONFIG=/home/scout/.docker \
+ -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
+ -e DOCKER_SCOUT_HUB_PAT="${{ secrets.DOCKERHUB_TOKEN }}" \
 docker/scout-cli:latest cves nexapg-backend:dev-scan \
- --only-severity critical,high,medium,low > scout-backend.txt
+ --only-severity critical,high,medium,low > scout-backend.txt 2>&1 || {
+ echo "" >> scout-backend.txt
+ echo "Docker Scout backend scan failed (non-blocking)." >> scout-backend.txt
+ }
 - name: Docker Scout scan (frontend)
+ continue-on-error: true
 run: |
 if [ -z "${{ secrets.DOCKERHUB_USERNAME }}" ] || [ -z "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
 echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-frontend.txt
@@ -120,9 +128,15 @@ jobs:
 fi
 docker run --rm \
 -v /var/run/docker.sock:/var/run/docker.sock \
- -v "$HOME/.docker:/root/.docker:ro" \
+ -v "$HOME/.docker:/home/scout/.docker:ro" \
+ -e DOCKER_CONFIG=/home/scout/.docker \
+ -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
+ -e DOCKER_SCOUT_HUB_PAT="${{ secrets.DOCKERHUB_TOKEN }}" \
 docker/scout-cli:latest cves nexapg-frontend:dev-scan \
- --only-severity critical,high,medium,low > scout-frontend.txt
+ --only-severity critical,high,medium,low > scout-frontend.txt 2>&1 || {
+ echo "" >> scout-frontend.txt
+ echo "Docker Scout frontend scan failed (non-blocking)." >> scout-frontend.txt
+ }
 - name: Print scan summary
 run: |
From 5a7f32541fcef6f6d44dede79bb0171c9cbbeae9 Mon Sep 17 00:00:00 2001
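Review bot: The added `-e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}"` and `-e DOCKER_SCOUT_HUB_PAT="${{ secrets.DOCKERHUB_TOKEN }}"` lines expand the secrets into the script text before it runs, on top of the `$HOME/.docker` mount that already carries the same login, so the token now reaches the container by two routes and a reader cannot tell which one the CLI uses. The usual pattern is to map the secrets into the step's `env:` and pass them through by name, `-e DOCKER_SCOUT_HUB_USER -e DOCKER_SCOUT_HUB_PAT`, which keeps the values out of the rendered script and out of the `docker run` argument list on the runner; once that works, one of the two routes can go. The new `2>&1` also folds the CLI's diagnostics into the artifact that the summary step prints, which deserves a comment if that is intended. The frontend hunk below repeats all of this.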
From: nessi
Date: Sat, 14 Feb 2026 19:03:30 +0100
Subject: [PATCH 3/6] Add Docker Scout login fallback and temporary caching. This update introduces a fallback mechanism for Docker Scout login when DockerHub credentials are unavailable, ensuring the workflow does not fail. It also replaces direct Docker config usage with temporary caching to improve flexibility and reduce dependency on runner environment setups.
---
 .../container-cve-scan-development.yml | 29 ++++++++++++-------
 1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/container-cve-scan-development.yml b/.github/workflows/container-cve-scan-development.yml
index 3c5767b..1874fb4 100644
--- a/.github/workflows/container-cve-scan-development.yml
+++ b/.github/workflows/container-cve-scan-development.yml
@@ -24,6 +24,21 @@ jobs:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Docker Scout login bootstrap
+ continue-on-error: true
+ run: |
+ if [ -z "${{ secrets.DOCKERHUB_USERNAME }}" ] || [ -z "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
+ echo "Docker Scout login skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set."
+ exit 0
+ fi
+ mkdir -p "$RUNNER_TEMP/scout-docker-config"
+ printf '%s' "${{ secrets.DOCKERHUB_TOKEN }}" | docker run --rm -i \
+ -e DOCKER_CONFIG=/home/scout/.docker \
+ -v "$RUNNER_TEMP/scout-docker-config:/home/scout/.docker" \
+ docker/scout-cli:latest login \
+ --username "${{ secrets.DOCKERHUB_USERNAME }}" \
+ --password-stdin || true
 - name: Build backend image (local)
 uses: docker/build-push-action@v6
 with:
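Review bot: The trailing `|| true` on the `docker run … login` pipeline discards the login result, so a rejected token leaves `$RUNNER_TEMP/scout-docker-config` empty and the problem only shows up later as an opaque scan error in the artifact; the step already carries `continue-on-error: true`, so the `|| true` adds nothing but silence. Dropping it and checking the produced file, `test -s "$RUNNER_TEMP/scout-docker-config/config.json"`, would make the failure land in this step where it is readable. As in the scan steps, `printf '%s' "${{ secrets.DOCKERHUB_TOKEN }}"` would be better read from a step-level `env:` variable than expanded into the script body. A comment stating that the directory is meant to hold the token for the later scan steps would also help, since nothing in this step says so.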
@@ -100,15 +115,12 @@ jobs:
 exit 0
 fi
 if [ ! -f "$HOME/.docker/config.json" ]; then
- echo "Docker Hub Scout scan skipped: docker login config not found in runner." > scout-backend.txt
- exit 0
+ echo "Runner Docker config not found; continuing with Scout login cache if present." > scout-backend.txt
 fi
 docker run --rm \
 -v /var/run/docker.sock:/var/run/docker.sock \
- -v "$HOME/.docker:/home/scout/.docker:ro" \
+ -v "$RUNNER_TEMP/scout-docker-config:/home/scout/.docker" \
 -e DOCKER_CONFIG=/home/scout/.docker \
- -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
- -e DOCKER_SCOUT_HUB_PAT="${{ secrets.DOCKERHUB_TOKEN }}" \
 docker/scout-cli:latest cves nexapg-backend:dev-scan \
 --only-severity critical,high,medium,low > scout-backend.txt 2>&1 || {
 echo "" >> scout-backend.txt
@@ -123,15 +135,12 @@ jobs:
 exit 0
 fi
 if [ ! -f "$HOME/.docker/config.json" ]; then
- echo "Docker Hub Scout scan skipped: docker login config not found in runner." > scout-frontend.txt
- exit 0
+ echo "Runner Docker config not found; continuing with Scout login cache if present." > scout-frontend.txt
 fi
 docker run --rm \
 -v /var/run/docker.sock:/var/run/docker.sock \
- -v "$HOME/.docker:/home/scout/.docker:ro" \
+ -v "$RUNNER_TEMP/scout-docker-config:/home/scout/.docker" \
 -e DOCKER_CONFIG=/home/scout/.docker \
- -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
- -e DOCKER_SCOUT_HUB_PAT="${{ secrets.DOCKERHUB_TOKEN }}" \
 docker/scout-cli:latest cves nexapg-frontend:dev-scan \
 --only-severity critical,high,medium,low > scout-frontend.txt 2>&1 || {
 echo "" >> scout-frontend.txt
From af6ea110798b0e19c6d4aaf102aa4268154524b3 Mon Sep 17 00:00:00 2001
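Review bot: The new notice `echo "Runner Docker config not found; …" > scout-backend.txt` is lost a few lines later, because the `docker run … > scout-backend.txt 2>&1` redirection truncates the same file before the scanner writes, so the message never reaches the artifact. Sending it to the step log instead, `echo "Runner Docker config not found; continuing with Scout login cache if present." >&2`, keeps it visible. The replacement mount `-v "$RUNNER_TEMP/scout-docker-config:/home/scout/.docker"` also drops the `:ro` the previous mount had; unless the CLI needs to write there, keeping it read-only limits what the scan container can do to the cached login. The frontend hunk has the same two issues, and both `run:` bodies continue past their hunks.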
From: nessi
Date: Sat, 14 Feb 2026 19:32:50 +0100
Subject: [PATCH 4/6] Refactor Docker Scout integration in CVE scan workflow Simplified the Docker Scout configuration logic by removing unnecessary checks and utilizing Docker's standard auth configuration. Updated environment variable usage and volume mounts to streamline the setup process for scanning containers.
---
 .../container-cve-scan-development.yml | 34 +++++++------------
 1 file changed, 12 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/container-cve-scan-development.yml b/.github/workflows/container-cve-scan-development.yml
index 1874fb4..bf6bdff 100644
--- a/.github/workflows/container-cve-scan-development.yml
+++ b/.github/workflows/container-cve-scan-development.yml
@@ -24,20 +24,12 @@ jobs:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Docker Scout login bootstrap
- continue-on-error: true
+ - name: Prepare Docker auth config for Scout container
+ if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
 run: |
- if [ -z "${{ secrets.DOCKERHUB_USERNAME }}" ] || [ -z "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
- echo "Docker Scout login skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set."
- exit 0
- fi
 mkdir -p "$RUNNER_TEMP/scout-docker-config"
- printf '%s' "${{ secrets.DOCKERHUB_TOKEN }}" | docker run --rm -i \
- -e DOCKER_CONFIG=/home/scout/.docker \
- -v "$RUNNER_TEMP/scout-docker-config:/home/scout/.docker" \
- docker/scout-cli:latest login \
- --username "${{ secrets.DOCKERHUB_USERNAME }}" \
- --password-stdin || true
+ cp "$HOME/.docker/config.json" "$RUNNER_TEMP/scout-docker-config/config.json"
+ chmod 600 "$RUNNER_TEMP/scout-docker-config/config.json"
 - name: Build backend image (local)
 uses: docker/build-push-action@v6
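Review bot: `cp "$HOME/.docker/config.json" …` copies the runner's complete registry credential store into the directory the scan steps later mount into the scanner container, not just the Docker Hub entry the step name suggests; any other `docker login` performed earlier in the job travels with it. Extracting only the Docker Hub `auths` entry (with `jq`, if present on the runner, or by logging in once into a directory dedicated to Scout via `DOCKER_CONFIG`) would keep the scanner's credential scope to what it needs. GitHub's documentation also says `secrets.*` cannot be referenced directly in an `if:` condition; the documented pattern is a job-level `env:` populated from the secrets and `if: env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != ''`, so the new `if:` line is worth verifying on a real run. The `chmod 600` is the right idea but only matters if the file is later read as a non-root user, which the mount path in the scan hunks (`/root/.docker`) suggests it is not.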
@@ -114,13 +106,12 @@ jobs:
 echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-backend.txt
 exit 0
 fi
- if [ ! -f "$HOME/.docker/config.json" ]; then
- echo "Runner Docker config not found; continuing with Scout login cache if present." > scout-backend.txt
- fi
 docker run --rm \
 -v /var/run/docker.sock:/var/run/docker.sock \
- -v "$RUNNER_TEMP/scout-docker-config:/home/scout/.docker" \
- -e DOCKER_CONFIG=/home/scout/.docker \
+ -v "$RUNNER_TEMP/scout-docker-config:/root/.docker:ro" \
+ -e DOCKER_CONFIG=/root/.docker \
+ -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
+ -e DOCKER_SCOUT_HUB_PASSWORD="${{ secrets.DOCKERHUB_TOKEN }}" \
 docker/scout-cli:latest cves nexapg-backend:dev-scan \
 --only-severity critical,high,medium,low > scout-backend.txt 2>&1 || {
 echo "" >> scout-backend.txt
@@ -134,13 +125,12 @@ jobs:
 echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-frontend.txt
 exit 0
 fi
- if [ ! -f "$HOME/.docker/config.json" ]; then
- echo "Runner Docker config not found; continuing with Scout login cache if present." > scout-frontend.txt
- fi
 docker run --rm \
 -v /var/run/docker.sock:/var/run/docker.sock \
- -v "$RUNNER_TEMP/scout-docker-config:/home/scout/.docker" \
- -e DOCKER_CONFIG=/home/scout/.docker \
+ -v "$RUNNER_TEMP/scout-docker-config:/root/.docker:ro" \
+ -e DOCKER_CONFIG=/root/.docker \
+ -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
+ -e DOCKER_SCOUT_HUB_PASSWORD="${{ secrets.DOCKERHUB_TOKEN }}" \
 docker/scout-cli:latest cves nexapg-frontend:dev-scan \
 --only-severity critical,high,medium,low > scout-frontend.txt 2>&1 || {
 echo "" >> scout-frontend.txt
From c0077e3dd87d4adb1fae1da5630a04a38f7a85a1 Mon Sep 17 00:00:00 2001
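Review bot: The hunk hands the same token to the scanner twice — once through `-v "$RUNNER_TEMP/scout-docker-config:/root/.docker:ro"` with `DOCKER_CONFIG=/root/.docker`, and again through the `DOCKER_SCOUT_HUB_USER`/`DOCKER_SCOUT_HUB_PASSWORD` variables — so a reader cannot tell which route the CLI actually authenticates with, and the variable name has quietly changed from the `DOCKER_SCOUT_HUB_PAT` used two patches earlier. A one-line comment above the `docker run` naming the route that was confirmed to work (and, if the rename was because `_PAT` was never consumed, saying so) would keep the next maintainer from repeating this series of attempts, and whichever route is redundant should then be removed. The values are still expanded into the script via `${{ secrets.* }}`; mapping them in a step `env:` and passing `-e DOCKER_SCOUT_HUB_USER -e DOCKER_SCOUT_HUB_PASSWORD` keeps them out of the rendered script. The frontend hunk below is identical, and both `run:` bodies continue past their hunks.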
From: nessi
Date: Sat, 14 Feb 2026 19:47:34 +0100
Subject: [PATCH 5/6] Add `-u root` flag to container CVE scan workflow This ensures the container runs with root user privileges, providing better compatibility and avoiding potential permission issues. The change affects the development workflow configuration for container CVE scanning.
---
 .github/workflows/container-cve-scan-development.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/container-cve-scan-development.yml b/.github/workflows/container-cve-scan-development.yml
index bf6bdff..15b5adc 100644
--- a/.github/workflows/container-cve-scan-development.yml
+++ b/.github/workflows/container-cve-scan-development.yml
@@ -107,6 +107,7 @@ jobs:
 exit 0
 fi
 docker run --rm \
+ -u root \
 -v /var/run/docker.sock:/var/run/docker.sock \
 -v "$RUNNER_TEMP/scout-docker-config:/root/.docker:ro" \
 -e DOCKER_CONFIG=/root/.docker \
@@ -126,6 +127,7 @@ jobs:
 exit 0
 fi
 docker run --rm \
+ -u root \
 -v /var/run/docker.sock:/var/run/docker.sock \
 -v "$RUNNER_TEMP/scout-docker-config:/root/.docker:ro" \
 -e DOCKER_CONFIG=/root/.docker \
From 328f69ea5ead55f54cba46457c9ae7bb5cedca68 Mon Sep 17 00:00:00 2001
From: nessi
Date: Sat, 14 Feb 2026 22:04:58 +0100
Subject: [PATCH 6/6] Update GitHub Actions workflows for improved functionality Removed the read-only flag from Docker volume mounts in the container CVE scan workflow to allow modifications. Added `max-parallel` and `fetch-depth` configurations to the PostgreSQL compatibility matrix workflow for better performance and efficiency.
---
 .github/workflows/container-cve-scan-development.yml | 4 ++--
 .github/workflows/pg-compat-matrix.yml | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/container-cve-scan-development.yml b/.github/workflows/container-cve-scan-development.yml
index 15b5adc..b18ce44 100644
--- a/.github/workflows/container-cve-scan-development.yml
+++ b/.github/workflows/container-cve-scan-development.yml
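Review bot: `-u root` runs the scanner as uid 0 in a container that also holds `/var/run/docker.sock`; the socket already gives the process control of the runner's Docker daemon, so the flag mainly makes the mounted `/root/.docker` readable, and the commit message's "avoiding potential permission issues" does not say which issue was hit. If the blocker was ownership of the copied `config.json` (it is `chmod 600` to the runner user in the earlier patch), mounting the directory at the image's own user home — the earlier patches used `/home/scout/.docker` — with `-e DOCKER_CONFIG` pointing there, or `chown`-ing the copy to that uid, keeps the process unprivileged inside the container. Either way a comment stating the concrete reason belongs above the flag, e.g. `# -u root: <REASON PLACEHOLDER — fill in the permission error observed>`. The frontend hunk adds the same flag and needs the same note.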
@@ -109,7 +109,7 @@ jobs:
 docker run --rm \
 -u root \
 -v /var/run/docker.sock:/var/run/docker.sock \
- -v "$RUNNER_TEMP/scout-docker-config:/root/.docker:ro" \
+ -v "$RUNNER_TEMP/scout-docker-config:/root/.docker" \
 -e DOCKER_CONFIG=/root/.docker \
 -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
 -e DOCKER_SCOUT_HUB_PASSWORD="${{ secrets.DOCKERHUB_TOKEN }}" \
@@ -129,7 +129,7 @@ jobs:
 docker run --rm \
 -u root \
 -v /var/run/docker.sock:/var/run/docker.sock \
- -v "$RUNNER_TEMP/scout-docker-config:/root/.docker:ro" \
+ -v "$RUNNER_TEMP/scout-docker-config:/root/.docker" \
 -e DOCKER_CONFIG=/root/.docker \
 -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
 -e DOCKER_SCOUT_HUB_PASSWORD="${{ secrets.DOCKERHUB_TOKEN }}" \
diff --git a/.github/workflows/pg-compat-matrix.yml b/.github/workflows/pg-compat-matrix.yml
index d4d923b..68345a7 100644
--- a/.github/workflows/pg-compat-matrix.yml
+++ b/.github/workflows/pg-compat-matrix.yml
@@ -11,6 +11,7 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false
+ max-parallel: 3
 matrix:
 pg_version: ["14", "15", "16", "17", "18"]
@@ -32,6 +33,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
 - name: Set up Python
 uses: actions/setup-python@v5
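Review bot: Dropping `:ro` from `-v "$RUNNER_TEMP/scout-docker-config:/root/.docker"` lets the root-running scanner rewrite the copied `config.json`, and anything it creates there comes back to the runner as root-owned files under `$RUNNER_TEMP`. If write access was needed for the CLI's local cache rather than for the credential file itself, redirecting the cache — the Scout CLI honours `DOCKER_SCOUT_CACHE_DIR`, so `-e DOCKER_SCOUT_CACHE_DIR=/tmp/scout-cache` — would let the mount stay read-only; confirm against the error that prompted the change. The commit message gives "to allow modifications" as the reason without saying which, so a comment above the mount naming the write the CLI performs is needed either way. The frontend hunk below makes the same change.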
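Review bot: In the `pg-compat-matrix.yml` section, `fetch-depth: 1` is already the default for `actions/checkout@v4`, so the added `with:` block changes nothing; either drop it or replace it with a comment saying why the shallow clone is being pinned explicitly, `# fetch-depth: 1 is the default; listed here so a later full-history need is a visible change`. The `max-parallel: 3` hunk is a plain throttling setting and needs no change.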