diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d826cdc..6a12519 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -183,11 +183,11 @@ jobs:
 promote:
 name: Promote to Production
 runs-on: ubuntu-latest
- needs: [build, test, security-scan]
+ needs: [build, test]
 # Promote on:
 # 1. Normal merge to main (not force push)
 # 2. Manual workflow dispatch with promote flag enabled
- # CRITICAL: Only runs if build, test, AND security-scan all succeed
+ # CRITICAL: Only runs if build AND test all succeed
 if: |
 (github.event_name == 'push' && github.ref == 'refs/heads/main' && !github.event.forced) || (github.event_name == 'workflow_dispatch' && inputs.promote == true)
@@ -241,36 +241,6 @@ jobs:
 echo "✅ Successfully promoted latest tag"
- security-scan:
- name: Security Scan
- runs-on: ubuntu-latest
- needs: build
- permissions:
- contents: read
- security-events: write
- steps:
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ghcr.io/${{ github.repository_owner }}/python-container-builder:3.14-${{ github.sha }}
- format: 'sarif'
- output: 'trivy-results.sarif'
- severity: 'CRITICAL,HIGH'
- - name: Upload Trivy results to GitHub Security
- uses: github/codeql-action/upload-sarif@v4
- if: always()
- with:
- sarif_file: 'trivy-results.sarif'
- - name: Print Trivy results summary
- uses: aquasecurity/trivy-action@master
- if: always()
- with:
- image-ref: ghcr.io/${{ github.repository_owner }}/python-container-builder:3.14-${{ github.sha }}
- format: 'table'
- severity: 'CRITICAL,HIGH'
 test:
 name: Test Images
 runs-on: ubuntu-latest
diff --git a/README.md b/README.md
index 096fe54..7221bdf 100644
--- a/README.md
+++ b/README.md
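Review bot: The new `needs: [build, test]` drops the only dependency that stopped `promote` from pushing an image with CRITICAL/HIGH findings to production, and nothing in the commit replaces that gate — the `security-scan` job is deleted outright in the second hunk, so the SARIF upload to the Security tab ends too. If the intent is genuinely to promote on build+test alone, the `# CRITICAL:` comment should state the consequence rather than just shrink the list, e.g. `# CRITICAL: Only runs if both build and test succeed; no vulnerability scan gates promotion`, which also fixes the awkward `build AND test all succeed` wording for two jobs. If the job was removed because the scan was unreliable, it is presumably safer to keep it and pin `aquasecurity/trivy-action` to a release tag or commit SHA instead of `@master` than to remove the check. The `promote` job's `if:` block and steps continue outside the hunk.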
@@ -60,11 +60,11 @@ This approach gives you the reliability of official Python builds while maintain
 ### Security
-This project includes automated security measures:
-- 🔒 **Nightly Vulnerability Scanning**: All images scanned with [Trivy](https://github.com/aquasecurity/trivy) for CRITICAL and HIGH severity vulnerabilities
-- 🔄 **Automated Dependency Updates**: [Dependabot](https://github.com/dependabot) monitors base images and GitHub Actions for security updates
-- 📊 **Transparent Results**: Scan results available in the [Security tab](https://github.com/jski/python-container-builder/security/code-scanning)
+This project prioritizes security through:
 - 🏗️ **Official Base Images**: Built from official Python and Debian Docker images, ensuring timely security patches
+- 🔄 **Automated Dependency Updates**: [Dependabot](https://github.com/dependabot) monitors base images and GitHub Actions for security updates
+- 🔒 **Distroless Runtime**: The recommended pattern copies only the Python virtualenv to a distroless runtime, minimizing attack surface
+- 📦 **Isolated Dependencies**: Virtual environment isolation ensures clean dependency management
 ## Goals
 This project seeks to: