Compare commits
13 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| a220e5de99 | |||
| a5ffafaf9e | |||
| d17752b611 | |||
| fe05c40426 | |||
| 5a0478f47d | |||
| 1cea82f5d9 | |||
| 418034f639 | |||
| 489dde812f | |||
| c2e4e614e0 | |||
| 344071193c | |||
| 03118e59d7 | |||
| 15fea78505 | |||
| 89d3a39679 |
137
.github/workflows/container-cve-scan-development.yml
vendored
Normal file
137
.github/workflows/container-cve-scan-development.yml
vendored
Normal file
@@ -0,0 +1,137 @@
|
|||||||
|
name: Container CVE Scan (development)
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches: ["development"]
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
cve-scan:
|
||||||
|
name: Scan backend/frontend images for CVEs
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Set up Docker Buildx
|
||||||
|
uses: docker/setup-buildx-action@v3
|
||||||
|
|
||||||
|
- name: Docker Hub login (for Scout)
|
||||||
|
if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
|
||||||
|
uses: docker/login-action@v3
|
||||||
|
with:
|
||||||
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
||||||
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
||||||
|
|
||||||
|
- name: Build backend image (local)
|
||||||
|
uses: docker/build-push-action@v6
|
||||||
|
with:
|
||||||
|
context: ./backend
|
||||||
|
file: ./backend/Dockerfile
|
||||||
|
push: false
|
||||||
|
load: true
|
||||||
|
tags: nexapg-backend:dev-scan
|
||||||
|
provenance: false
|
||||||
|
sbom: false
|
||||||
|
|
||||||
|
- name: Build frontend image (local)
|
||||||
|
uses: docker/build-push-action@v6
|
||||||
|
with:
|
||||||
|
context: ./frontend
|
||||||
|
file: ./frontend/Dockerfile
|
||||||
|
push: false
|
||||||
|
load: true
|
||||||
|
tags: nexapg-frontend:dev-scan
|
||||||
|
build-args: |
|
||||||
|
VITE_API_URL=/api/v1
|
||||||
|
provenance: false
|
||||||
|
sbom: false
|
||||||
|
|
||||||
|
- name: Trivy scan (backend)
|
||||||
|
uses: aquasecurity/trivy-action@0.24.0
|
||||||
|
with:
|
||||||
|
image-ref: nexapg-backend:dev-scan
|
||||||
|
format: json
|
||||||
|
output: trivy-backend.json
|
||||||
|
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
||||||
|
ignore-unfixed: false
|
||||||
|
exit-code: 0
|
||||||
|
|
||||||
|
- name: Trivy scan (frontend)
|
||||||
|
uses: aquasecurity/trivy-action@0.24.0
|
||||||
|
with:
|
||||||
|
image-ref: nexapg-frontend:dev-scan
|
||||||
|
format: json
|
||||||
|
output: trivy-frontend.json
|
||||||
|
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
||||||
|
ignore-unfixed: false
|
||||||
|
exit-code: 0
|
||||||
|
|
||||||
|
- name: Summarize Trivy severities
|
||||||
|
run: |
|
||||||
|
python - <<'PY'
|
||||||
|
import json
|
||||||
|
from collections import Counter
|
||||||
|
|
||||||
|
def summarize(path):
|
||||||
|
c = Counter()
|
||||||
|
with open(path, "r", encoding="utf-8") as f:
|
||||||
|
data = json.load(f)
|
||||||
|
for result in data.get("Results", []):
|
||||||
|
for v in result.get("Vulnerabilities", []) or []:
|
||||||
|
c[v.get("Severity", "UNKNOWN")] += 1
|
||||||
|
for sev in ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]:
|
||||||
|
c.setdefault(sev, 0)
|
||||||
|
return c
|
||||||
|
|
||||||
|
for label, path in [("backend", "trivy-backend.json"), ("frontend", "trivy-frontend.json")]:
|
||||||
|
s = summarize(path)
|
||||||
|
print(f"===== Trivy {label} =====")
|
||||||
|
print(f"CRITICAL={s['CRITICAL']} HIGH={s['HIGH']} MEDIUM={s['MEDIUM']} LOW={s['LOW']} UNKNOWN={s['UNKNOWN']}")
|
||||||
|
print()
|
||||||
|
PY
|
||||||
|
|
||||||
|
- name: Docker Scout scan (backend)
|
||||||
|
run: |
|
||||||
|
if [ -z "${{ secrets.DOCKERHUB_USERNAME }}" ] || [ -z "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
|
||||||
|
echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-backend.txt
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
docker run --rm \
|
||||||
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
||||||
|
-e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
|
||||||
|
-e DOCKER_SCOUT_HUB_PAT="${{ secrets.DOCKERHUB_TOKEN }}" \
|
||||||
|
docker/scout-cli:latest cves nexapg-backend:dev-scan \
|
||||||
|
--only-severity critical,high,medium,low > scout-backend.txt
|
||||||
|
|
||||||
|
- name: Docker Scout scan (frontend)
|
||||||
|
run: |
|
||||||
|
if [ -z "${{ secrets.DOCKERHUB_USERNAME }}" ] || [ -z "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
|
||||||
|
echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-frontend.txt
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
docker run --rm \
|
||||||
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
||||||
|
-e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
|
||||||
|
-e DOCKER_SCOUT_HUB_PAT="${{ secrets.DOCKERHUB_TOKEN }}" \
|
||||||
|
docker/scout-cli:latest cves nexapg-frontend:dev-scan \
|
||||||
|
--only-severity critical,high,medium,low > scout-frontend.txt
|
||||||
|
|
||||||
|
- name: Print scan summary
|
||||||
|
run: |
|
||||||
|
echo "===== Docker Scout backend ====="
|
||||||
|
test -f scout-backend.txt && cat scout-backend.txt || echo "scout-backend.txt not available"
|
||||||
|
echo
|
||||||
|
echo "===== Docker Scout frontend ====="
|
||||||
|
test -f scout-frontend.txt && cat scout-frontend.txt || echo "scout-frontend.txt not available"
|
||||||
|
|
||||||
|
- name: Upload scan reports
|
||||||
|
uses: actions/upload-artifact@v3
|
||||||
|
with:
|
||||||
|
name: container-cve-scan-reports
|
||||||
|
path: |
|
||||||
|
trivy-backend.json
|
||||||
|
trivy-frontend.json
|
||||||
|
scout-backend.txt
|
||||||
|
scout-frontend.txt
|
||||||
16
.github/workflows/docker-release.yml
vendored
16
.github/workflows/docker-release.yml
vendored
@@ -16,6 +16,8 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
|
id-token: write
|
||||||
|
attestations: write
|
||||||
|
|
||||||
env:
|
env:
|
||||||
# Optional repo variable. If unset, DOCKERHUB_USERNAME is used.
|
# Optional repo variable. If unset, DOCKERHUB_USERNAME is used.
|
||||||
@@ -70,6 +72,13 @@ jobs:
|
|||||||
context: ./backend
|
context: ./backend
|
||||||
file: ./backend/Dockerfile
|
file: ./backend/Dockerfile
|
||||||
push: true
|
push: true
|
||||||
|
provenance: mode=max
|
||||||
|
sbom: true
|
||||||
|
labels: |
|
||||||
|
org.opencontainers.image.title=NexaPG Backend
|
||||||
|
org.opencontainers.image.vendor=Nesterovic IT-Services e.U.
|
||||||
|
org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
|
||||||
|
org.opencontainers.image.version=${{ steps.ver.outputs.clean }}
|
||||||
tags: |
|
tags: |
|
||||||
${{ steps.ns.outputs.value }}/nexapg-backend:${{ steps.ver.outputs.clean }}
|
${{ steps.ns.outputs.value }}/nexapg-backend:${{ steps.ver.outputs.clean }}
|
||||||
${{ steps.ns.outputs.value }}/nexapg-backend:latest
|
${{ steps.ns.outputs.value }}/nexapg-backend:latest
|
||||||
@@ -82,8 +91,15 @@ jobs:
|
|||||||
context: ./frontend
|
context: ./frontend
|
||||||
file: ./frontend/Dockerfile
|
file: ./frontend/Dockerfile
|
||||||
push: true
|
push: true
|
||||||
|
provenance: mode=max
|
||||||
|
sbom: true
|
||||||
build-args: |
|
build-args: |
|
||||||
VITE_API_URL=/api/v1
|
VITE_API_URL=/api/v1
|
||||||
|
labels: |
|
||||||
|
org.opencontainers.image.title=NexaPG Frontend
|
||||||
|
org.opencontainers.image.vendor=Nesterovic IT-Services e.U.
|
||||||
|
org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
|
||||||
|
org.opencontainers.image.version=${{ steps.ver.outputs.clean }}
|
||||||
tags: |
|
tags: |
|
||||||
${{ steps.ns.outputs.value }}/nexapg-frontend:${{ steps.ver.outputs.clean }}
|
${{ steps.ns.outputs.value }}/nexapg-frontend:${{ steps.ver.outputs.clean }}
|
||||||
${{ steps.ns.outputs.value }}/nexapg-frontend:latest
|
${{ steps.ns.outputs.value }}/nexapg-frontend:latest
|
||||||
|
|||||||
2
.github/workflows/pg-compat-matrix.yml
vendored
2
.github/workflows/pg-compat-matrix.yml
vendored
@@ -2,7 +2,7 @@ name: PostgreSQL Compatibility Matrix
|
|||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches: ["main", "master"]
|
branches: ["main", "master", "development"]
|
||||||
pull_request:
|
pull_request:
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
|
|||||||
@@ -1,4 +1,5 @@
|
|||||||
FROM python:3.13-slim AS base
|
ARG PYTHON_BASE_IMAGE=python:3.13-alpine
|
||||||
|
FROM ${PYTHON_BASE_IMAGE} AS base
|
||||||
|
|
||||||
ENV PYTHONDONTWRITEBYTECODE=1
|
ENV PYTHONDONTWRITEBYTECODE=1
|
||||||
ENV PYTHONUNBUFFERED=1
|
ENV PYTHONUNBUFFERED=1
|
||||||
@@ -6,11 +7,17 @@ ENV PIP_NO_CACHE_DIR=1
|
|||||||
|
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
RUN apt-get update \
|
RUN if command -v apt-get >/dev/null 2>&1; then \
|
||||||
&& apt-get upgrade -y \
|
apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*; \
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
elif command -v apk >/dev/null 2>&1; then \
|
||||||
|
apk upgrade --no-cache; \
|
||||||
|
fi
|
||||||
|
|
||||||
RUN addgroup --system app && adduser --system --ingroup app app
|
RUN if addgroup --help 2>&1 | grep -q -- '--system'; then \
|
||||||
|
addgroup --system app && adduser --system --ingroup app app; \
|
||||||
|
else \
|
||||||
|
addgroup -S app && adduser -S -G app app; \
|
||||||
|
fi
|
||||||
|
|
||||||
COPY requirements.txt /app/requirements.txt
|
COPY requirements.txt /app/requirements.txt
|
||||||
RUN pip install --upgrade pip && pip install -r /app/requirements.txt
|
RUN pip install --upgrade pip && pip install -r /app/requirements.txt
|
||||||
|
|||||||
@@ -2,7 +2,7 @@ from functools import lru_cache
|
|||||||
from pydantic import field_validator
|
from pydantic import field_validator
|
||||||
from pydantic_settings import BaseSettings, SettingsConfigDict
|
from pydantic_settings import BaseSettings, SettingsConfigDict
|
||||||
|
|
||||||
NEXAPG_VERSION = "0.2.0"
|
NEXAPG_VERSION = "0.2.2"
|
||||||
|
|
||||||
|
|
||||||
class Settings(BaseSettings):
|
class Settings(BaseSettings):
|
||||||
|
|||||||
@@ -54,7 +54,7 @@ services:
|
|||||||
depends_on:
|
depends_on:
|
||||||
- backend
|
- backend
|
||||||
ports:
|
ports:
|
||||||
- "${FRONTEND_PORT}:80"
|
- "${FRONTEND_PORT}:8080"
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
pg_data:
|
pg_data:
|
||||||
|
|||||||
@@ -7,9 +7,12 @@ ARG VITE_API_URL=/api/v1
|
|||||||
ENV VITE_API_URL=${VITE_API_URL}
|
ENV VITE_API_URL=${VITE_API_URL}
|
||||||
RUN npm run build
|
RUN npm run build
|
||||||
|
|
||||||
FROM nginx:1.29-alpine-slim
|
FROM nginx:1-alpine-slim
|
||||||
RUN apk upgrade --no-cache
|
RUN apk upgrade --no-cache \
|
||||||
|
&& mkdir -p /var/cache/nginx /var/run /var/log/nginx /tmp/nginx \
|
||||||
|
&& chown -R nginx:nginx /var/cache/nginx /var/run /var/log/nginx /tmp/nginx
|
||||||
COPY nginx.conf /etc/nginx/conf.d/default.conf
|
COPY nginx.conf /etc/nginx/conf.d/default.conf
|
||||||
COPY --from=build /app/dist /usr/share/nginx/html
|
COPY --from=build /app/dist /usr/share/nginx/html
|
||||||
EXPOSE 80
|
USER 101
|
||||||
|
EXPOSE 8080
|
||||||
HEALTHCHECK --interval=30s --timeout=3s --retries=5 CMD nginx -t || exit 1
|
HEALTHCHECK --interval=30s --timeout=3s --retries=5 CMD nginx -t || exit 1
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
server {
|
server {
|
||||||
listen 80;
|
listen 8080;
|
||||||
server_name _;
|
server_name _;
|
||||||
|
|
||||||
root /usr/share/nginx/html;
|
root /usr/share/nginx/html;
|
||||||
|
|||||||
Reference in New Issue
Block a user