Merge pull request #5 from jski/feature/security-updates

jski · web-flow · commit 3aa2aad14caf · 2025-12-25T13:16:39.000-05:00
Updated to add trivy scan weekly, and dependabot updates nightly
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+version: 2
+updates:
+  # Monitor Dockerfile for base image updates
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 3
+    labels:
+      - "dependencies"
+      - "docker"
+
+  # Monitor GitHub Actions for security updates
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "github-actions"
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
@@ -59,4 +59,34 @@ jobs:
             ghcr.io/${{ github.repository_owner }}/python-container-builder:${{ matrix.python_version }}
             ${{ matrix.python_version == '3.14' && format('ghcr.io/{0}/python-container-builder:latest', github.repository_owner) || '' }}
           provenance: false
-          outputs: type=image,name=python-container-builder,annotation-index.org.opencontainers.image.description=build your Python distroless containers with this
+          outputs: type=image,name=python-container-builder,annotation-index.org.opencontainers.image.description=build your Python distroless containers with this
+
+  security-scan:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    needs: nightly
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/python-container-builder:latest
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Print Trivy results summary
+        uses: aquasecurity/trivy-action@master
+        if: always()
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/python-container-builder:latest
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
