From 371fbe995e84ee6aaf1e54d434519358af4e82c9 Mon Sep 17 00:00:00 2001
From: Vladimir Remenar
Date: Sun, 3 Mar 2024 20:02:10 +0100
Subject: [PATCH 1/4] Add GitHub action build
---
 .github/workflows/docker-image.yml | 49 ++++++++++++++++++++++++++++++
 Dockerfile | 9 +++---
 samba.sh | 4 +--
 3 files changed, 56 insertions(+), 6 deletions(-)
 create mode 100644 .github/workflows/docker-image.yml
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
new file mode 100644
index 0000000..8878533
--- /dev/null
+++ b/.github/workflows/docker-image.yml
@@ -0,0 +1,49 @@
+name: Docker Image CI
+
+env:
+ GHCR: ghcr.io
+ DOCKER: docker.io
+ IMAGENAME: samba
+
+on:
+ push:
+ branches: [ "master" ]
+ schedule:
+ - cron: '0 22 1 * *'
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Log in to the Github container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.GHCR }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.DOCKER }}
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Get current date
+ id: date
+ run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
+ - name: Build and push
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: |
+ ${{ env.GHCR }}/vremenar/${{ env.IMAGENAME }}:latest
+ ${{ env.GHCR }}/vremenar/${{ env.IMAGENAME }}:${{ steps.date.outputs.date }}
+ ${{ env.DOCKER }}/vremenar/${{ env.IMAGENAME }}:latest
+ ${{ env.DOCKER }}/vremenar/${{ env.IMAGENAME }}:${{ steps.date.outputs.date }}
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index d0e1311..b064a3a 100644
--- a/Dockerfile
+++ b/Dockerfile
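Review bot: The job pushes to GHCR with `secrets.GITHUB_TOKEN` but the workflow declares no `permissions:` block, so the token carries whatever the repository's default scope is — either not enough for the push or far more than the job needs; add at workflow or job level `permissions:` / `contents: read` / `packages: write`. The `Get current date` step relies on the `::set-output` workflow command, which GitHub has deprecated; write `run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"` instead. Every third-party action is referenced by a floating major tag (`@v3`, `@v4`, `@v5`) while Docker Hub credentials are present on the runner; pinning each `uses:` to a full commit SHA with the tag in a trailing comment limits supply-chain exposure. The hunk as displayed has lost its YAML indentation, so nesting cannot be verified from this page and should be checked against the raw file.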
@@ -1,9 +1,10 @@ -FROM alpine +FROM alpine:latest MAINTAINER David Personette # Install samba -RUN apk --no-cache --no-progress upgrade && \ - apk --no-cache --no-progress add bash samba shadow tini tzdata && \ +RUN apk update && \ + apk upgrade && \ + apk add bash samba shadow tini tzdata && \ addgroup -S smb && \ adduser -S -D -H -h /tmp -s /sbin/nologin -G smb -g 'Samba User' smbuser &&\ file="/etc/samba/smb.conf" && \ @@ -55,7 +56,7 @@ RUN apk --no-cache --no-progress upgrade && \ echo '' >>$file && \ rm -rf /tmp/* -COPY samba.sh /usr/bin/ +ADD samba.sh /usr/bin/samba.sh EXPOSE 137/udp 138/udp 139 445 diff --git a/samba.sh b/samba.sh index ebb4e20..4df8049 100755 --- a/samba.sh +++ b/samba.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env bash +#!/bin/bash #=============================================================================== # FILE: samba.sh # @@ -293,5 +293,5 @@ elif ps -ef | egrep -v grep | grep -q smbd; then echo "Service already running, please restart container to apply changes" else [[ ${NMBD:-""} ]] && ionice -c 3 nmbd -D - exec ionice -c 3 smbd -FS --no-process-group Date: Sun, 3 Mar 2024 20:05:08 +0100 Subject: [PATCH 2/4] Add arm/v7 support --- .github/workflows/docker-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 8878533..f8e3175 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -40,7 +40,7 @@ jobs: uses: docker/build-push-action@v5 with: context: . - platforms: linux/amd64,linux/arm64 + platforms: linux/amd64,linux/arm64,linux/arm/v7 push: true tags: | ${{ env.GHCR }}/vremenar/${{ env.IMAGENAME }}:latest From ccf285209e59af4a34a44a62774b8a71d2f5d9ce Mon Sep 17 00:00:00 2001 From: Vladimir Remenar Date: Sun, 3 Mar 2024 21:40:40 +0100 Subject: [PATCH 3/4] Add vulnerability scanning --- .github/workflows/docker-image.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) 
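Review bot: Replacing `apk --no-cache --no-progress upgrade` / `apk --no-cache --no-progress add` with `apk update && apk upgrade && apk add` leaves the fetched package index under `/var/cache/apk/` inside the image layer and drops the cache-free install the removed lines had; keep `--no-cache` on `upgrade` and `add`, which also makes the separate `apk update` unnecessary. `FROM alpine:latest` is only the explicit spelling of the previous `FROM alpine` and still resolves to a moving target on every scheduled rebuild, so a monthly run can silently move to a new Alpine release; pin a release tag or a digest (`alpine:<pinned-release>`) and bump it deliberately. The `MAINTAINER` line is context, not part of the change, but it is a deprecated instruction whose current form is `LABEL maintainer="David Personette"`. The `RUN` chain continues past the end of this hunk.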
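Review bot: `ADD samba.sh /usr/bin/samba.sh` replaces a plain file copy with `ADD`, which additionally auto-extracts archives and accepts remote URLs; for a local script the Dockerfile documentation prefers `COPY`, which is what the removed line used, and naming the destination file is unrelated to that choice. Keep `COPY samba.sh /usr/bin/samba.sh` so the instruction's behaviour stays limited to copying the one file from the build context.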
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index f8e3175..9e58d1c 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -36,6 +36,8 @@ jobs:
 - name: Get current date
 id: date
 run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
+ - name: Perform Scan
+ uses: ShiftLeftSecurity/scan-action@master
 - name: Build and push
 uses: docker/build-push-action@v5
 with:
@@ -46,4 +48,13 @@ jobs:
 ${{ env.GHCR }}/vremenar/${{ env.IMAGENAME }}:latest
 ${{ env.GHCR }}/vremenar/${{ env.IMAGENAME }}:${{ steps.date.outputs.date }}
 ${{ env.DOCKER }}/vremenar/${{ env.IMAGENAME }}:latest
- ${{ env.DOCKER }}/vremenar/${{ env.IMAGENAME }}:${{ steps.date.outputs.date }}
\ No newline at end of file
+ ${{ env.DOCKER }}/vremenar/${{ env.IMAGENAME }}:${{ steps.date.outputs.date }}
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: '${{ env.GHCR }}/vremenar/${{ env.IMAGENAME }}:latest'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
\ No newline at end of file
From b6522a1d56c19e370ba595a1cf3e66d00937c290 Mon Sep 17 00:00:00 2001
From: Vladimir Remenar
Date: Fri, 8 Mar 2024 23:06:06 +0100
Subject: [PATCH 4/4] Drop arm/v7 support, split vuln scan to stages
---
 .github/workflows/docker-image.yml | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 9e58d1c..662bd4d 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
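Review bot: `ShiftLeftSecurity/scan-action@master` is a third-party action referenced by a mutable branch, and it is inserted after the two `docker/login-action` steps, so it executes on a runner whose Docker config already holds the GHCR and Docker Hub credentials; any change to that branch runs with access to `DOCKERHUB_TOKEN`. Pin it to a full commit SHA (`uses: ShiftLeftSecurity/scan-action@<commit-sha>  # <tag>`); patch 4 on this page already moves the step into its own job before any registry login, which resolves the credential exposure but not the pin. The step passes no inputs, so the hunk does not say what is scanned or whether findings fail the job; a comment above the step stating that (`# SAST scan of the checked-out source; … on findings`) would make the gate's intent explicit.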
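Review bot: The Trivy step runs after `Build and push` with `push: true`, so a CRITICAL/HIGH finding fails the workflow only after the vulnerable image has already been published as `:latest` on both registries — the gate reports, it does not prevent. Build a single-platform image with `load: true` first, scan that local tag, and only then run the multi-platform build with `push: true`, as sketched below. Patch 4 on this page moves the scan into an `image-vulnerability-scan` job that `needs: build-and-push`, which keeps the same publish-then-scan order, so the same restructuring applies there. `aquasecurity/trivy-action@master` should likewise be pinned to a commit SHA, and `ignore-unfixed: true` silently drops findings that have no upstream fix yet, which deserves a comment stating it is intentional.
```yaml
      - name: Build image for scanning
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          push: false
          tags: ${{ env.IMAGENAME }}:scan
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ env.IMAGENAME }}:scan'
          # … unchanged: format, exit-code, ignore-unfixed, vuln-type, severity …
      - name: Build and push
        uses: docker/build-push-action@v5
        # … unchanged: multi-platform build with push: true and the four tags …
```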
@@ -12,8 +12,17 @@ on: - cron: '0 22 1 * *' jobs: - build: + vulerability-scan: runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Perform Scan + uses: ShiftLeftSecurity/scan-action@master + build-and-push: + runs-on: ubuntu-latest + needs: + - vulerability-scan steps: - name: Checkout uses: actions/checkout@v4 @@ -36,19 +45,22 @@ jobs: - name: Get current date id: date run: echo "::set-output name=date::$(date +'%Y-%m-%d')" - - name: Perform Scan - uses: ShiftLeftSecurity/scan-action@master - name: Build and push uses: docker/build-push-action@v5 with: context: . - platforms: linux/amd64,linux/arm64,linux/arm/v7 + platforms: linux/amd64,linux/arm64 push: true tags: | ${{ env.GHCR }}/vremenar/${{ env.IMAGENAME }}:latest ${{ env.GHCR }}/vremenar/${{ env.IMAGENAME }}:${{ steps.date.outputs.date }} ${{ env.DOCKER }}/vremenar/${{ env.IMAGENAME }}:latest ${{ env.DOCKER }}/vremenar/${{ env.IMAGENAME }}:${{ steps.date.outputs.date }} + image-vulnerability-scan: + runs-on: ubuntu-latest + needs: + - build-and-push + steps: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: @@ -57,4 +69,5 @@ jobs: exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' \ No newline at end of file + severity: 'CRITICAL,HIGH' + \ No newline at end of file
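Review bot: The new job id `vulerability-scan` is misspelled; it matches the `needs:` entry in the same hunk so the workflow runs, but the id is what the Actions UI and any branch-protection required-check list show, and the typo will be copied from there. Rename both occurrences: `vulerability-scan:` → `vulnerability-scan:` and `- vulerability-scan` → `- vulnerability-scan`. Moving `ShiftLeftSecurity/scan-action@master` into a job with no registry logins is the right isolation, but the reference is still a mutable branch and should be pinned to a commit SHA. A one-line comment above each job (`# SAST on the source tree; gates the build`, `# multi-arch build and push, runs only if the source scan passed`) would document the staging the commit title describes.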
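Review bot: The new `image-vulnerability-scan` job pulls `${{ env.GHCR }}/vremenar/${{ env.IMAGENAME }}:latest` back from GHCR on a fresh runner with no registry login, so it only works if the package is public; if it is private, Trivy needs credentials through its `TRIVY_USERNAME`/`TRIVY_PASSWORD` environment (a job-level `permissions: packages: read` with `GITHUB_TOKEN` suffices for a same-repository package). The tag is also mutable: the monthly schedule and a branch push can overlap, so another run may replace `:latest` between the push and this job and the scan would not examine the image this run built. Give the `Build and push` step an `id: build`, expose `outputs: digest: ${{ steps.build.outputs.digest }}` on the `build-and-push` job, and scan `image-ref: ${{ env.GHCR }}/vremenar/${{ env.IMAGENAME }}@${{ needs.build-and-push.outputs.digest }}` so the scanned artifact is exactly the one produced. The job's `steps:` list continues past the end of this hunk.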