diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 202a9ef..8c2252a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -166,6 +166,8 @@ jobs:
 - name: Scan frontend image for vulnerabilities
 uses: anchore/scan-action@v5
 id: scan
+ env:
+ GRYPE_CONFIG: .grype.yaml
 with:
 image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
 fail-build: true
@@ -263,6 +265,8 @@ jobs:
 - name: Scan auth image for vulnerabilities
 uses: anchore/scan-action@v5
 id: scan
+ env:
+ GRYPE_CONFIG: .grype.yaml
 with:
 image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}"
 fail-build: true
@@ -343,12 +347,16 @@ jobs:
 load: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+ build-args: |
+ APT_CACHE_BUST=${{ github.run_id }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
 
 - name: Scan receiptwitness image for vulnerabilities
 uses: anchore/scan-action@v5
 id: scan
+ env:
+ GRYPE_CONFIG: .grype.yaml
 with:
 image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}"
 fail-build: true
@@ -371,6 +379,8 @@ jobs:
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+ build-args: |
+ APT_CACHE_BUST=${{ github.run_id }}
 cache-from: type=gha
 
 build-and-push-api:
@@ -429,12 +439,16 @@ jobs:
 load: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+ build-args: |
+ APT_CACHE_BUST=${{ github.run_id }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
 
 - name: Scan api image for vulnerabilities
 uses: anchore/scan-action@v5
 id: scan
+ env:
+ GRYPE_CONFIG: .grype.yaml
 with:
 image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}"
 fail-build: true
@@ -457,6 +471,8 @@ jobs:
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+ build-args: |
+ APT_CACHE_BUST=${{ github.run_id }}
 cache-from: type=gha
 
 deploy-dev: 
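Review bot: The same two-line `env:` block setting `GRYPE_CONFIG: .grype.yaml` is pasted into four separate scan steps (the hunks at -166, -263, -343 and -429), so a future fifth image, or a rename of the config file, can silently run with no ignore list while `fail-build: true` still looks enforced. A single workflow-level `env:` entry, `GRYPE_CONFIG: .grype.yaml` with the comment `# accepted-risk CVE ignore list shared by every scan step; see .grype.yaml`, is inherited by all steps and keeps the four scan steps identical. The path is relative to the runner working directory, so each of these jobs presumably checks out the repository before the scan step; that is not visible in the hunk and is worth confirming for every job. The scan steps' surrounding job definitions start and end outside the hunks.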
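Review bot: `APT_CACHE_BUST=${{ github.run_id }}` (hunks at -343, -371, -429 and -457) is a new value on every run, and a cache miss on the `RUN apt-get` that follows the `ARG` also invalidates every later layer of that stage, so the pip install and copy layers are rebuilt each run and the `cache-to: type=gha,mode=max` written here is rarely reused. If daily patch freshness is acceptable, a step that exports `date -u +%Y-%m-%d` as an output and passes that instead keeps cache hits within a day while still forcing `apt-get upgrade` to refetch fixes. Separately, the push builds at -371 and -457 must pass exactly the value the scan build in the same job used: with `cache-from: type=gha` an identical value serves the apt layer from the scanned build's cache, while a different value would rebuild it with a fresh `apt-get upgrade` and push an image that was never scanned. I would add `# Must match the scan build above so the pushed layers are the ones that were scanned` above each push-build `build-args:` to make that coupling explicit. The build steps' `with:` maps begin before the hunks.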
diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 0000000..001d21a
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,4 @@
+ignore:
+ # Python 3.12 CVEs — only fixed in 3.13+, cannot upgrade major version safely
+ - vulnerability: CVE-2025-13836
+ - vulnerability: CVE-2026-4519
\ No newline at end of file
diff --git a/api/Dockerfile b/api/Dockerfile
index 771d5ec..7e5f04e 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -1,5 +1,6 @@
 FROM python:3.12-slim AS build
+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
 libpq-dev \
 build-essential \
@@ -12,6 +13,7 @@ RUN pip install --no-cache-dir --prefix=/install .
 FROM python:3.12-slim AS prod
+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*
 WORKDIR /app
diff --git a/receiptwitness/Dockerfile b/receiptwitness/Dockerfile
index 79e53a3..efd756c 100644
--- a/receiptwitness/Dockerfile
+++ b/receiptwitness/Dockerfile
@@ -5,6 +5,7 @@ WORKDIR /app
 # build-essential and libpq-dev are needed to compile any C-extension wheels
 # (e.g. psycopg2 fallback). No git needed — common/ is copied from the repo root.
+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
 libpq-dev \
 build-essential \
@@ -25,6 +26,7 @@ FROM python:3.12-slim AS prod
 WORKDIR /app
 # Install Playwright system dependencies for Chromium
+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
 libnss3 \
 libatk1.0-0 \
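Review bot: Both ignore rules match on the vulnerability ID alone, so they suppress CVE-2025-13836 and CVE-2026-4519 in any package of any of the four scanned images, not just the Python 3.12 interpreter the comment describes, and they keep suppressing after the base image moves to a release that carries the fix. Scoping each rule to the package grype actually reports narrows the blast radius, e.g. `- vulnerability: CVE-2025-13836` / `  package:` / `    name: <package name as shown in the scan report>` (placeholder; take the name from a grype run). The comment should also state the exit condition so the exception is revisited, e.g. `# Accepted risk: remove once the base image is python:3.13 or a 3.12 backport ships; tracked in <ISSUE-REF>`. I cannot verify from the diff that the two IDs are Python-only, so the scope claim in the comment is worth checking against the scan output. The file also ends without a trailing newline.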
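Review bot: `ARG APT_CACHE_BUST=0` is never referenced by the `RUN` it precedes, so its purpose is opaque to a reader, and the default `0` means any build that does not pass the arg (local builds, other callers) keeps the `apt-get upgrade` layer cached indefinitely and ships whatever patch level was present when the layer was first built; this applies to all four insertions (api/Dockerfile at -1 and -12, receiptwitness/Dockerfile at -5 and -25). I would add above each: `# Not used directly: CI passes a per-run value so this layer (and every later one in the stage) is rebuilt and apt-get upgrade fetches current patches; the default keeps local builds cached.` In the receiptwitness hunk at -5 the `ARG` is inserted between the explanatory comment and the `RUN` it documents; moving the `ARG` above that comment keeps the comment attached to its command. The `RUN` instructions continue past the end of each hunk.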