Compare commits
19 Commits
89d3a39679
...
0.2.3
| Author | SHA1 | Date | |
|---|---|---|---|
| 21a8023bf1 | |||
| 328f69ea5e | |||
| c0077e3dd8 | |||
| af6ea11079 | |||
| 5a7f32541f | |||
| dd3f18bb06 | |||
| f4b18b6cf1 | |||
| a220e5de99 | |||
| a5ffafaf9e | |||
| d17752b611 | |||
| fe05c40426 | |||
| 5a0478f47d | |||
| 1cea82f5d9 | |||
| 418034f639 | |||
| 489dde812f | |||
| c2e4e614e0 | |||
| 344071193c | |||
| 03118e59d7 | |||
| 15fea78505 |
158
.github/workflows/container-cve-scan-development.yml
vendored
Normal file
158
.github/workflows/container-cve-scan-development.yml
vendored
Normal file
@@ -0,0 +1,158 @@
|
|||||||
|
name: Container CVE Scan (development)
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches: ["development"]
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
cve-scan:
|
||||||
|
name: Scan backend/frontend images for CVEs
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Set up Docker Buildx
|
||||||
|
uses: docker/setup-buildx-action@v3
|
||||||
|
|
||||||
|
- name: Docker Hub login (for Scout)
|
||||||
|
if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
|
||||||
|
uses: docker/login-action@v3
|
||||||
|
with:
|
||||||
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
||||||
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
||||||
|
|
||||||
|
- name: Prepare Docker auth config for Scout container
|
||||||
|
if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
|
||||||
|
run: |
|
||||||
|
mkdir -p "$RUNNER_TEMP/scout-docker-config"
|
||||||
|
cp "$HOME/.docker/config.json" "$RUNNER_TEMP/scout-docker-config/config.json"
|
||||||
|
chmod 600 "$RUNNER_TEMP/scout-docker-config/config.json"
|
||||||
|
|
||||||
|
- name: Build backend image (local)
|
||||||
|
uses: docker/build-push-action@v6
|
||||||
|
with:
|
||||||
|
context: ./backend
|
||||||
|
file: ./backend/Dockerfile
|
||||||
|
push: false
|
||||||
|
load: true
|
||||||
|
tags: nexapg-backend:dev-scan
|
||||||
|
provenance: false
|
||||||
|
sbom: false
|
||||||
|
|
||||||
|
- name: Build frontend image (local)
|
||||||
|
uses: docker/build-push-action@v6
|
||||||
|
with:
|
||||||
|
context: ./frontend
|
||||||
|
file: ./frontend/Dockerfile
|
||||||
|
push: false
|
||||||
|
load: true
|
||||||
|
tags: nexapg-frontend:dev-scan
|
||||||
|
build-args: |
|
||||||
|
VITE_API_URL=/api/v1
|
||||||
|
provenance: false
|
||||||
|
sbom: false
|
||||||
|
|
||||||
|
- name: Trivy scan (backend)
|
||||||
|
uses: aquasecurity/trivy-action@0.24.0
|
||||||
|
with:
|
||||||
|
image-ref: nexapg-backend:dev-scan
|
||||||
|
format: json
|
||||||
|
output: trivy-backend.json
|
||||||
|
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
||||||
|
ignore-unfixed: false
|
||||||
|
exit-code: 0
|
||||||
|
|
||||||
|
- name: Trivy scan (frontend)
|
||||||
|
uses: aquasecurity/trivy-action@0.24.0
|
||||||
|
with:
|
||||||
|
image-ref: nexapg-frontend:dev-scan
|
||||||
|
format: json
|
||||||
|
output: trivy-frontend.json
|
||||||
|
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
||||||
|
ignore-unfixed: false
|
||||||
|
exit-code: 0
|
||||||
|
|
||||||
|
- name: Summarize Trivy severities
|
||||||
|
run: |
|
||||||
|
python - <<'PY'
|
||||||
|
import json
|
||||||
|
from collections import Counter
|
||||||
|
|
||||||
|
def summarize(path):
|
||||||
|
c = Counter()
|
||||||
|
with open(path, "r", encoding="utf-8") as f:
|
||||||
|
data = json.load(f)
|
||||||
|
for result in data.get("Results", []):
|
||||||
|
for v in result.get("Vulnerabilities", []) or []:
|
||||||
|
c[v.get("Severity", "UNKNOWN")] += 1
|
||||||
|
for sev in ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]:
|
||||||
|
c.setdefault(sev, 0)
|
||||||
|
return c
|
||||||
|
|
||||||
|
for label, path in [("backend", "trivy-backend.json"), ("frontend", "trivy-frontend.json")]:
|
||||||
|
s = summarize(path)
|
||||||
|
print(f"===== Trivy {label} =====")
|
||||||
|
print(f"CRITICAL={s['CRITICAL']} HIGH={s['HIGH']} MEDIUM={s['MEDIUM']} LOW={s['LOW']} UNKNOWN={s['UNKNOWN']}")
|
||||||
|
print()
|
||||||
|
PY
|
||||||
|
|
||||||
|
- name: Docker Scout scan (backend)
|
||||||
|
continue-on-error: true
|
||||||
|
run: |
|
||||||
|
if [ -z "${{ secrets.DOCKERHUB_USERNAME }}" ] || [ -z "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
|
||||||
|
echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-backend.txt
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
docker run --rm \
|
||||||
|
-u root \
|
||||||
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
||||||
|
-v "$RUNNER_TEMP/scout-docker-config:/root/.docker" \
|
||||||
|
-e DOCKER_CONFIG=/root/.docker \
|
||||||
|
-e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
|
||||||
|
-e DOCKER_SCOUT_HUB_PASSWORD="${{ secrets.DOCKERHUB_TOKEN }}" \
|
||||||
|
docker/scout-cli:latest cves nexapg-backend:dev-scan \
|
||||||
|
--only-severity critical,high,medium,low > scout-backend.txt 2>&1 || {
|
||||||
|
echo "" >> scout-backend.txt
|
||||||
|
echo "Docker Scout backend scan failed (non-blocking)." >> scout-backend.txt
|
||||||
|
}
|
||||||
|
|
||||||
|
- name: Docker Scout scan (frontend)
|
||||||
|
continue-on-error: true
|
||||||
|
run: |
|
||||||
|
if [ -z "${{ secrets.DOCKERHUB_USERNAME }}" ] || [ -z "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
|
||||||
|
echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-frontend.txt
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
docker run --rm \
|
||||||
|
-u root \
|
||||||
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
||||||
|
-v "$RUNNER_TEMP/scout-docker-config:/root/.docker" \
|
||||||
|
-e DOCKER_CONFIG=/root/.docker \
|
||||||
|
-e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
|
||||||
|
-e DOCKER_SCOUT_HUB_PASSWORD="${{ secrets.DOCKERHUB_TOKEN }}" \
|
||||||
|
docker/scout-cli:latest cves nexapg-frontend:dev-scan \
|
||||||
|
--only-severity critical,high,medium,low > scout-frontend.txt 2>&1 || {
|
||||||
|
echo "" >> scout-frontend.txt
|
||||||
|
echo "Docker Scout frontend scan failed (non-blocking)." >> scout-frontend.txt
|
||||||
|
}
|
||||||
|
|
||||||
|
- name: Print scan summary
|
||||||
|
run: |
|
||||||
|
echo "===== Docker Scout backend ====="
|
||||||
|
test -f scout-backend.txt && cat scout-backend.txt || echo "scout-backend.txt not available"
|
||||||
|
echo
|
||||||
|
echo "===== Docker Scout frontend ====="
|
||||||
|
test -f scout-frontend.txt && cat scout-frontend.txt || echo "scout-frontend.txt not available"
|
||||||
|
|
||||||
|
- name: Upload scan reports
|
||||||
|
uses: actions/upload-artifact@v3
|
||||||
|
with:
|
||||||
|
name: container-cve-scan-reports
|
||||||
|
path: |
|
||||||
|
trivy-backend.json
|
||||||
|
trivy-frontend.json
|
||||||
|
scout-backend.txt
|
||||||
|
scout-frontend.txt
|
||||||
65
.github/workflows/pg-compat-matrix.yml
vendored
65
.github/workflows/pg-compat-matrix.yml
vendored
@@ -11,6 +11,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
|
max-parallel: 3
|
||||||
matrix:
|
matrix:
|
||||||
pg_version: ["14", "15", "16", "17", "18"]
|
pg_version: ["14", "15", "16", "17", "18"]
|
||||||
|
|
||||||
@@ -32,6 +33,8 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
fetch-depth: 1
|
||||||
|
|
||||||
- name: Set up Python
|
- name: Set up Python
|
||||||
uses: actions/setup-python@v5
|
uses: actions/setup-python@v5
|
||||||
@@ -67,65 +70,3 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
PG_DSN_CANDIDATES: postgresql://postgres:postgres@postgres:5432/compatdb?sslmode=disable,postgresql://postgres:postgres@127.0.0.1:5432/compatdb?sslmode=disable
|
PG_DSN_CANDIDATES: postgresql://postgres:postgres@postgres:5432/compatdb?sslmode=disable,postgresql://postgres:postgres@127.0.0.1:5432/compatdb?sslmode=disable
|
||||||
run: python backend/scripts/pg_compat_smoke.py
|
run: python backend/scripts/pg_compat_smoke.py
|
||||||
|
|
||||||
backend-alpine-smoke:
|
|
||||||
name: Backend Alpine smoke (PG16)
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
services:
|
|
||||||
postgres:
|
|
||||||
image: postgres:16
|
|
||||||
env:
|
|
||||||
POSTGRES_DB: compatdb
|
|
||||||
POSTGRES_USER: postgres
|
|
||||||
POSTGRES_PASSWORD: postgres
|
|
||||||
ports:
|
|
||||||
- 5432:5432
|
|
||||||
options: >-
|
|
||||||
--health-cmd "pg_isready -U postgres -d compatdb"
|
|
||||||
--health-interval 5s
|
|
||||||
--health-timeout 5s
|
|
||||||
--health-retries 20
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: Enable pg_stat_statements in service container
|
|
||||||
run: |
|
|
||||||
PG_CID="$(docker ps --filter "ancestor=postgres:16" --format "{{.ID}}" | head -n1)"
|
|
||||||
if [ -z "$PG_CID" ]; then
|
|
||||||
echo "Could not find postgres service container for version 16"
|
|
||||||
docker ps -a
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Using postgres container: $PG_CID"
|
|
||||||
docker exec "$PG_CID" psql -U postgres -d compatdb -c "ALTER SYSTEM SET shared_preload_libraries = 'pg_stat_statements';"
|
|
||||||
docker restart "$PG_CID"
|
|
||||||
|
|
||||||
for i in $(seq 1 40); do
|
|
||||||
if docker exec "$PG_CID" pg_isready -U postgres -d compatdb; then
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
sleep 2
|
|
||||||
done
|
|
||||||
|
|
||||||
docker exec "$PG_CID" psql -U postgres -d compatdb -c "CREATE EXTENSION IF NOT EXISTS pg_stat_statements;"
|
|
||||||
|
|
||||||
- name: Build backend image with Alpine base
|
|
||||||
run: |
|
|
||||||
docker build \
|
|
||||||
-f backend/Dockerfile \
|
|
||||||
--build-arg PYTHON_BASE_IMAGE=python:3.13-alpine \
|
|
||||||
-t nexapg-backend-alpine-smoke:ci \
|
|
||||||
./backend
|
|
||||||
|
|
||||||
- name: Run smoke checks in backend Alpine image
|
|
||||||
env:
|
|
||||||
PG_DSN_CANDIDATES: postgresql://postgres:postgres@127.0.0.1:5432/compatdb?sslmode=disable
|
|
||||||
run: |
|
|
||||||
docker run --rm --network host \
|
|
||||||
-e PG_DSN_CANDIDATES="${PG_DSN_CANDIDATES}" \
|
|
||||||
nexapg-backend-alpine-smoke:ci \
|
|
||||||
python /app/scripts/pg_compat_smoke.py
|
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
ARG PYTHON_BASE_IMAGE=python:3.13-slim
|
ARG PYTHON_BASE_IMAGE=python:3.13-alpine
|
||||||
FROM ${PYTHON_BASE_IMAGE} AS base
|
FROM ${PYTHON_BASE_IMAGE} AS base
|
||||||
|
|
||||||
ENV PYTHONDONTWRITEBYTECODE=1
|
ENV PYTHONDONTWRITEBYTECODE=1
|
||||||
|
|||||||
@@ -2,7 +2,7 @@ from functools import lru_cache
|
|||||||
from pydantic import field_validator
|
from pydantic import field_validator
|
||||||
from pydantic_settings import BaseSettings, SettingsConfigDict
|
from pydantic_settings import BaseSettings, SettingsConfigDict
|
||||||
|
|
||||||
NEXAPG_VERSION = "0.2.0"
|
NEXAPG_VERSION = "0.2.2"
|
||||||
|
|
||||||
|
|
||||||
class Settings(BaseSettings):
|
class Settings(BaseSettings):
|
||||||
|
|||||||
@@ -54,7 +54,7 @@ services:
|
|||||||
depends_on:
|
depends_on:
|
||||||
- backend
|
- backend
|
||||||
ports:
|
ports:
|
||||||
- "${FRONTEND_PORT}:80"
|
- "${FRONTEND_PORT}:8080"
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
pg_data:
|
pg_data:
|
||||||
|
|||||||
@@ -7,9 +7,12 @@ ARG VITE_API_URL=/api/v1
|
|||||||
ENV VITE_API_URL=${VITE_API_URL}
|
ENV VITE_API_URL=${VITE_API_URL}
|
||||||
RUN npm run build
|
RUN npm run build
|
||||||
|
|
||||||
FROM nginx:1.29-alpine-slim
|
FROM nginx:1-alpine-slim
|
||||||
RUN apk upgrade --no-cache
|
RUN apk upgrade --no-cache \
|
||||||
|
&& mkdir -p /var/cache/nginx /var/run /var/log/nginx /tmp/nginx \
|
||||||
|
&& chown -R nginx:nginx /var/cache/nginx /var/run /var/log/nginx /tmp/nginx
|
||||||
COPY nginx.conf /etc/nginx/conf.d/default.conf
|
COPY nginx.conf /etc/nginx/conf.d/default.conf
|
||||||
COPY --from=build /app/dist /usr/share/nginx/html
|
COPY --from=build /app/dist /usr/share/nginx/html
|
||||||
EXPOSE 80
|
USER 101
|
||||||
|
EXPOSE 8080
|
||||||
HEALTHCHECK --interval=30s --timeout=3s --retries=5 CMD nginx -t || exit 1
|
HEALTHCHECK --interval=30s --timeout=3s --retries=5 CMD nginx -t || exit 1
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
server {
|
server {
|
||||||
listen 80;
|
listen 8080;
|
||||||
server_name _;
|
server_name _;
|
||||||
|
|
||||||
root /usr/share/nginx/html;
|
root /usr/share/nginx/html;
|
||||||
|
|||||||
Reference in New Issue
Block a user