Compare commits
19 Commits
0.2.0
...
developmen
| Author | SHA1 | Date | |
|---|---|---|---|
| 328f69ea5e | |||
| c0077e3dd8 | |||
| af6ea11079 | |||
| 5a7f32541f | |||
| dd3f18bb06 | |||
| f4b18b6cf1 | |||
| a220e5de99 | |||
| a5ffafaf9e | |||
| d17752b611 | |||
| fe05c40426 | |||
| 5a0478f47d | |||
| 1cea82f5d9 | |||
| 418034f639 | |||
| 489dde812f | |||
| c2e4e614e0 | |||
| 344071193c | |||
| 03118e59d7 | |||
| 15fea78505 | |||
| 89d3a39679 |
158
.github/workflows/container-cve-scan-development.yml
vendored
Normal file
158
.github/workflows/container-cve-scan-development.yml
vendored
Normal file
@@ -0,0 +1,158 @@
|
||||
name: Container CVE Scan (development)
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: ["development"]
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
cve-scan:
|
||||
name: Scan backend/frontend images for CVEs
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
|
||||
- name: Docker Hub login (for Scout)
|
||||
if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
||||
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
||||
|
||||
- name: Prepare Docker auth config for Scout container
|
||||
if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
|
||||
run: |
|
||||
mkdir -p "$RUNNER_TEMP/scout-docker-config"
|
||||
cp "$HOME/.docker/config.json" "$RUNNER_TEMP/scout-docker-config/config.json"
|
||||
chmod 600 "$RUNNER_TEMP/scout-docker-config/config.json"
|
||||
|
||||
- name: Build backend image (local)
|
||||
uses: docker/build-push-action@v6
|
||||
with:
|
||||
context: ./backend
|
||||
file: ./backend/Dockerfile
|
||||
push: false
|
||||
load: true
|
||||
tags: nexapg-backend:dev-scan
|
||||
provenance: false
|
||||
sbom: false
|
||||
|
||||
- name: Build frontend image (local)
|
||||
uses: docker/build-push-action@v6
|
||||
with:
|
||||
context: ./frontend
|
||||
file: ./frontend/Dockerfile
|
||||
push: false
|
||||
load: true
|
||||
tags: nexapg-frontend:dev-scan
|
||||
build-args: |
|
||||
VITE_API_URL=/api/v1
|
||||
provenance: false
|
||||
sbom: false
|
||||
|
||||
- name: Trivy scan (backend)
|
||||
uses: aquasecurity/trivy-action@0.24.0
|
||||
with:
|
||||
image-ref: nexapg-backend:dev-scan
|
||||
format: json
|
||||
output: trivy-backend.json
|
||||
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
||||
ignore-unfixed: false
|
||||
exit-code: 0
|
||||
|
||||
- name: Trivy scan (frontend)
|
||||
uses: aquasecurity/trivy-action@0.24.0
|
||||
with:
|
||||
image-ref: nexapg-frontend:dev-scan
|
||||
format: json
|
||||
output: trivy-frontend.json
|
||||
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
||||
ignore-unfixed: false
|
||||
exit-code: 0
|
||||
|
||||
- name: Summarize Trivy severities
|
||||
run: |
|
||||
python - <<'PY'
|
||||
import json
|
||||
from collections import Counter
|
||||
|
||||
def summarize(path):
|
||||
c = Counter()
|
||||
with open(path, "r", encoding="utf-8") as f:
|
||||
data = json.load(f)
|
||||
for result in data.get("Results", []):
|
||||
for v in result.get("Vulnerabilities", []) or []:
|
||||
c[v.get("Severity", "UNKNOWN")] += 1
|
||||
for sev in ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]:
|
||||
c.setdefault(sev, 0)
|
||||
return c
|
||||
|
||||
for label, path in [("backend", "trivy-backend.json"), ("frontend", "trivy-frontend.json")]:
|
||||
s = summarize(path)
|
||||
print(f"===== Trivy {label} =====")
|
||||
print(f"CRITICAL={s['CRITICAL']} HIGH={s['HIGH']} MEDIUM={s['MEDIUM']} LOW={s['LOW']} UNKNOWN={s['UNKNOWN']}")
|
||||
print()
|
||||
PY
|
||||
|
||||
- name: Docker Scout scan (backend)
|
||||
continue-on-error: true
|
||||
run: |
|
||||
if [ -z "${{ secrets.DOCKERHUB_USERNAME }}" ] || [ -z "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
|
||||
echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-backend.txt
|
||||
exit 0
|
||||
fi
|
||||
docker run --rm \
|
||||
-u root \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock \
|
||||
-v "$RUNNER_TEMP/scout-docker-config:/root/.docker" \
|
||||
-e DOCKER_CONFIG=/root/.docker \
|
||||
-e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
|
||||
-e DOCKER_SCOUT_HUB_PASSWORD="${{ secrets.DOCKERHUB_TOKEN }}" \
|
||||
docker/scout-cli:latest cves nexapg-backend:dev-scan \
|
||||
--only-severity critical,high,medium,low > scout-backend.txt 2>&1 || {
|
||||
echo "" >> scout-backend.txt
|
||||
echo "Docker Scout backend scan failed (non-blocking)." >> scout-backend.txt
|
||||
}
|
||||
|
||||
- name: Docker Scout scan (frontend)
|
||||
continue-on-error: true
|
||||
run: |
|
||||
if [ -z "${{ secrets.DOCKERHUB_USERNAME }}" ] || [ -z "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
|
||||
echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-frontend.txt
|
||||
exit 0
|
||||
fi
|
||||
docker run --rm \
|
||||
-u root \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock \
|
||||
-v "$RUNNER_TEMP/scout-docker-config:/root/.docker" \
|
||||
-e DOCKER_CONFIG=/root/.docker \
|
||||
-e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
|
||||
-e DOCKER_SCOUT_HUB_PASSWORD="${{ secrets.DOCKERHUB_TOKEN }}" \
|
||||
docker/scout-cli:latest cves nexapg-frontend:dev-scan \
|
||||
--only-severity critical,high,medium,low > scout-frontend.txt 2>&1 || {
|
||||
echo "" >> scout-frontend.txt
|
||||
echo "Docker Scout frontend scan failed (non-blocking)." >> scout-frontend.txt
|
||||
}
|
||||
|
||||
- name: Print scan summary
|
||||
run: |
|
||||
echo "===== Docker Scout backend ====="
|
||||
test -f scout-backend.txt && cat scout-backend.txt || echo "scout-backend.txt not available"
|
||||
echo
|
||||
echo "===== Docker Scout frontend ====="
|
||||
test -f scout-frontend.txt && cat scout-frontend.txt || echo "scout-frontend.txt not available"
|
||||
|
||||
- name: Upload scan reports
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: container-cve-scan-reports
|
||||
path: |
|
||||
trivy-backend.json
|
||||
trivy-frontend.json
|
||||
scout-backend.txt
|
||||
scout-frontend.txt
|
||||
16
.github/workflows/docker-release.yml
vendored
16
.github/workflows/docker-release.yml
vendored
@@ -16,6 +16,8 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
id-token: write
|
||||
attestations: write
|
||||
|
||||
env:
|
||||
# Optional repo variable. If unset, DOCKERHUB_USERNAME is used.
|
||||
@@ -70,6 +72,13 @@ jobs:
|
||||
context: ./backend
|
||||
file: ./backend/Dockerfile
|
||||
push: true
|
||||
provenance: mode=max
|
||||
sbom: true
|
||||
labels: |
|
||||
org.opencontainers.image.title=NexaPG Backend
|
||||
org.opencontainers.image.vendor=Nesterovic IT-Services e.U.
|
||||
org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
|
||||
org.opencontainers.image.version=${{ steps.ver.outputs.clean }}
|
||||
tags: |
|
||||
${{ steps.ns.outputs.value }}/nexapg-backend:${{ steps.ver.outputs.clean }}
|
||||
${{ steps.ns.outputs.value }}/nexapg-backend:latest
|
||||
@@ -82,8 +91,15 @@ jobs:
|
||||
context: ./frontend
|
||||
file: ./frontend/Dockerfile
|
||||
push: true
|
||||
provenance: mode=max
|
||||
sbom: true
|
||||
build-args: |
|
||||
VITE_API_URL=/api/v1
|
||||
labels: |
|
||||
org.opencontainers.image.title=NexaPG Frontend
|
||||
org.opencontainers.image.vendor=Nesterovic IT-Services e.U.
|
||||
org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
|
||||
org.opencontainers.image.version=${{ steps.ver.outputs.clean }}
|
||||
tags: |
|
||||
${{ steps.ns.outputs.value }}/nexapg-frontend:${{ steps.ver.outputs.clean }}
|
||||
${{ steps.ns.outputs.value }}/nexapg-frontend:latest
|
||||
|
||||
5
.github/workflows/pg-compat-matrix.yml
vendored
5
.github/workflows/pg-compat-matrix.yml
vendored
@@ -2,7 +2,7 @@ name: PostgreSQL Compatibility Matrix
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: ["main", "master"]
|
||||
branches: ["main", "master", "development"]
|
||||
pull_request:
|
||||
|
||||
jobs:
|
||||
@@ -11,6 +11,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
fail-fast: false
|
||||
max-parallel: 3
|
||||
matrix:
|
||||
pg_version: ["14", "15", "16", "17", "18"]
|
||||
|
||||
@@ -32,6 +33,8 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v5
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
FROM python:3.13-slim AS base
|
||||
ARG PYTHON_BASE_IMAGE=python:3.13-alpine
|
||||
FROM ${PYTHON_BASE_IMAGE} AS base
|
||||
|
||||
ENV PYTHONDONTWRITEBYTECODE=1
|
||||
ENV PYTHONUNBUFFERED=1
|
||||
@@ -6,11 +7,17 @@ ENV PIP_NO_CACHE_DIR=1
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
RUN apt-get update \
|
||||
&& apt-get upgrade -y \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
RUN if command -v apt-get >/dev/null 2>&1; then \
|
||||
apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*; \
|
||||
elif command -v apk >/dev/null 2>&1; then \
|
||||
apk upgrade --no-cache; \
|
||||
fi
|
||||
|
||||
RUN addgroup --system app && adduser --system --ingroup app app
|
||||
RUN if addgroup --help 2>&1 | grep -q -- '--system'; then \
|
||||
addgroup --system app && adduser --system --ingroup app app; \
|
||||
else \
|
||||
addgroup -S app && adduser -S -G app app; \
|
||||
fi
|
||||
|
||||
COPY requirements.txt /app/requirements.txt
|
||||
RUN pip install --upgrade pip && pip install -r /app/requirements.txt
|
||||
|
||||
@@ -2,7 +2,7 @@ from functools import lru_cache
|
||||
from pydantic import field_validator
|
||||
from pydantic_settings import BaseSettings, SettingsConfigDict
|
||||
|
||||
NEXAPG_VERSION = "0.2.0"
|
||||
NEXAPG_VERSION = "0.2.2"
|
||||
|
||||
|
||||
class Settings(BaseSettings):
|
||||
|
||||
@@ -54,7 +54,7 @@ services:
|
||||
depends_on:
|
||||
- backend
|
||||
ports:
|
||||
- "${FRONTEND_PORT}:80"
|
||||
- "${FRONTEND_PORT}:8080"
|
||||
|
||||
volumes:
|
||||
pg_data:
|
||||
|
||||
@@ -7,9 +7,12 @@ ARG VITE_API_URL=/api/v1
|
||||
ENV VITE_API_URL=${VITE_API_URL}
|
||||
RUN npm run build
|
||||
|
||||
FROM nginx:1.29-alpine-slim
|
||||
RUN apk upgrade --no-cache
|
||||
FROM nginx:1-alpine-slim
|
||||
RUN apk upgrade --no-cache \
|
||||
&& mkdir -p /var/cache/nginx /var/run /var/log/nginx /tmp/nginx \
|
||||
&& chown -R nginx:nginx /var/cache/nginx /var/run /var/log/nginx /tmp/nginx
|
||||
COPY nginx.conf /etc/nginx/conf.d/default.conf
|
||||
COPY --from=build /app/dist /usr/share/nginx/html
|
||||
EXPOSE 80
|
||||
USER 101
|
||||
EXPOSE 8080
|
||||
HEALTHCHECK --interval=30s --timeout=3s --retries=5 CMD nginx -t || exit 1
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen 8080;
|
||||
server_name _;
|
||||
|
||||
root /usr/share/nginx/html;
|
||||
|
||||
Reference in New Issue
Block a user