[StepSecurity] Apply security best practices (#96)

cisco-open · Jan 10, 2025 · fd61050 · fd61050
1 parent e9080ad
commit fd61050
Show file tree

Hide file tree

Showing 7 changed files with 57 additions and 7 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -10,3 +10,53 @@ updates:
           - "github/*"
     schedule:
       interval: "weekly"
+
+  - package-ecosystem: docker
+    directory: /scripts/generators/docker-compose
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /scripts/generators/docker-compose
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /scripts/generators/k8s
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /scripts/generators/k8s
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /src/databases/mysql
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /src/loaders/curl
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /src/services/java
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /src/services/nodejs
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /src/services/nodejs
+    schedule:
+      interval: daily
+
+  - package-ecosystem: maven
+    directory: /src/services/java
+    schedule:
+      interval: daily
diff --git a/scripts/generators/docker-compose/Dockerfile b/scripts/generators/docker-compose/Dockerfile
@@ -1,5 +1,5 @@
 #checkov:skip=CKV_DOCKER_2:This is a run once container
-FROM python:3.13-alpine
+FROM python:3.13-alpine@sha256:b6f01a01e34091438a29b6dda4664199e34731fb2581ebb6fe255a2ebf441099
 
 WORKDIR /app
 

diff --git a/scripts/generators/k8s/Dockerfile b/scripts/generators/k8s/Dockerfile
@@ -1,5 +1,5 @@
 #checkov:skip=CKV_DOCKER_2:This is a run once container
-FROM python:3.13-alpine
+FROM python:3.13-alpine@sha256:b6f01a01e34091438a29b6dda4664199e34731fb2581ebb6fe255a2ebf441099
 
 WORKDIR /app
 

diff --git a/src/databases/mysql/Dockerfile b/src/databases/mysql/Dockerfile
@@ -1,6 +1,6 @@
 # There is no arm64 version of mysql:5.7, so we use the amd64 version, until we migrate to mariadb.
 # hadolint ignore=DL3029
-FROM --platform=linux/amd64 mysql:5.7
+FROM --platform=linux/amd64 mysql:5.7@sha256:4bc6bc963e6d8443453676cae56536f4b8156d78bae03c0145cbe47c2aad73bb
 
 LABEL org.opencontainers.image.source=https://github.com/cisco-open/app-simulator
 LABEL org.opencontainers.image.description="mysql database for app-simulator"

diff --git a/src/loaders/curl/Dockerfile b/src/loaders/curl/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20.3
+FROM alpine:3.20.3@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a
 
 LABEL org.opencontainers.image.source=https://github.com/cisco-open/app-simulator
 LABEL org.opencontainers.image.description="curl loader for app-simulator"

diff --git a/src/services/java/Dockerfile b/src/services/java/Dockerfile
@@ -1,10 +1,10 @@
-FROM maven:3-jdk-11 AS build
+FROM maven:3-jdk-11@sha256:805f366910aea2a91ed263654d23df58bd239f218b2f9562ff51305be81fa215 AS build
 WORKDIR /home/app
 COPY src /home/app/src
 COPY pom.xml /home/app
 RUN mvn -f /home/app/pom.xml clean package
 
-FROM openjdk:11-jre
+FROM openjdk:11-jre@sha256:356949c3125c4fa8104745e7ea92bd995da4567634e6599b470d2f972d13e0e2
 
 LABEL org.opencontainers.image.source=https://github.com/cisco-open/app-simulator
 LABEL org.opencontainers.image.description="java service for app-simulator"

diff --git a/src/services/nodejs/Dockerfile b/src/services/nodejs/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:18
+FROM node:18@sha256:7f31a1eb14c61719b8bb0eaa029310cc33851f71d3578cc422b390f8096977c5
 
 LABEL org.opencontainers.image.source=https://github.com/cisco-open/app-simulator
 LABEL org.opencontainers.image.description="nodejs service for app-simulator"