Merged
34 changes: 2 additions & 32 deletions .github/workflows/build.yml
Expand Up @@ -183,11 +183,11 @@ jobs:
promote:
name: Promote to Production
runs-on: ubuntu-latest
needs: [build, test, security-scan]
needs: [build, test]
# Promote on:
# 1. Normal merge to main (not force push)
# 2. Manual workflow dispatch with promote flag enabled
# CRITICAL: Only runs if build, test, AND security-scan all succeed
# CRITICAL: Only runs if build AND test all succeed
if: |
(github.event_name == 'push' && github.ref == 'refs/heads/main' && !github.event.forced) ||
(github.event_name == 'workflow_dispatch' && inputs.promote == true)
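Review bot: dropping `security-scan` from the promote job's `needs` (`needs: [build, test]`) means an image with CRITICAL/HIGH findings now reaches production with no vulnerability gate at all, and nothing in this hunk records why. If the scan is being retired on purpose, state the reason in the comment block above `if:`; if the job was merely flaky, keep `needs: [build, test, security-scan]` and fix the job instead of removing the gate. Separately, the rewritten comment `# CRITICAL: Only runs if build AND test all succeed` should read `both succeed` now that only two prerequisites remain.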
Expand Down Expand Up @@ -241,36 +241,6 @@ jobs:

echo "✅ Successfully promoted latest tag"

security-scan:
name: Security Scan
runs-on: ubuntu-latest
needs: build
permissions:
contents: read
security-events: write
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/${{ github.repository_owner }}/python-container-builder:3.14-${{ github.sha }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'

- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: 'trivy-results.sarif'

- name: Print Trivy results summary
uses: aquasecurity/trivy-action@master
if: always()
with:
image-ref: ghcr.io/${{ github.repository_owner }}/python-container-builder:3.14-${{ github.sha }}
format: 'table'
severity: 'CRITICAL,HIGH'

test:
name: Test Images
runs-on: ubuntu-latest
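Review bot: the deleted job referenced a mutable action ref in two places (`uses: aquasecurity/trivy-action@master`), which is a supply-chain exposure worth fixing by pinning to a tagged release or commit SHA, as `github/codeql-action/upload-sarif@v4` already does, rather than a reason to delete the whole job. Note also that as written the scan never set `exit-code`, so it only reported findings (SARIF upload plus the `table` summary) and never failed on a CRITICAL/HIGH hit; the only way it could block `promote` was through `needs` if the action itself errored. If coverage is to be kept, a pinned action with an explicit `exit-code: '1'` turns it into a real gate on the `3.14-${{ github.sha }}` image; if the plan is to rely on a separate scheduled scan instead, say so in the PR description, because this hunk removes the only per-commit scan in this workflow along with the `security-events: write` permission it needed.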
8 changes: 4 additions & 4 deletions README.md
Expand Up @@ -60,11 +60,11 @@ This approach gives you the reliability of official Python builds while maintain

### Security

This project includes automated security measures:
- 🔒 **Nightly Vulnerability Scanning**: All images scanned with [Trivy](https://github.com/aquasecurity/trivy) for CRITICAL and HIGH severity vulnerabilities
- 🔄 **Automated Dependency Updates**: [Dependabot](https://github.com/dependabot) monitors base images and GitHub Actions for security updates
- 📊 **Transparent Results**: Scan results available in the [Security tab](https://github.com/jski/python-container-builder/security/code-scanning)
This project prioritizes security through:
- 🏗️ **Official Base Images**: Built from official Python and Debian Docker images, ensuring timely security patches
- 🔄 **Automated Dependency Updates**: [Dependabot](https://github.com/dependabot) monitors base images and GitHub Actions for security updates
- 🔒 **Distroless Runtime**: The recommended pattern copies only the Python virtualenv to a distroless runtime, minimizing attack surface
- 📦 **Isolated Dependencies**: Virtual environment isolation ensures clean dependency management

## Goals
This project seeks to:
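Review bot: the replacement list drops the only statement about vulnerability scanning and the link to the Security tab. The removed bullet described a nightly scan, while the job removed from build.yml ran per commit, so they may be different workflows: if a scheduled scan still exists, the README should still say where its results are published; if none remains, readers should not be left assuming images are scanned. Also `ensuring timely security patches` overstates what official base images provide, since an upstream patch only reaches a published image when that image is rebuilt; either describe the rebuild trigger (for example the Dependabot base-image bumps mentioned in the next bullet) or soften it to `which receive timely security patches upstream`.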