paspo/docker-sshtunnel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: paspo:9daa4e4fd4257e3d5ee3a8190b49cbd3df8b2681
Branches Tags
paspo:master
..
compare: paspo:master
Branches Tags
paspo:master

4 Commits
9daa4e4fd4 ... master

Author SHA1 Message Date
paspo
2bca4c083b added apk upgrade
All checks were successful
Container Publish / on-success-skip (push) Has been skipped
Details
Container Publish / build-image (amd64) (push) Successful in 26s
Details
Container Publish / build-image (arm64) (push) Successful in 19s
Details
Container Publish / update docker manifest (push) Successful in 10s
Details
Vulnerability Scan / Daily Vulnerability Scan (amd64) (push) Successful in 23s
Details
Vulnerability Scan / Daily Vulnerability Scan (arm64) (push) Successful in 7s
Details
2025-10-03 07:30:32 +02:00
paspo
7cebe6506b fixing campaign
All checks were successful
Container Publish / on-success-skip (push) Has been skipped
Details
Container Publish / build-image (arm64) (push) Successful in 22s
Details
Container Publish / build-image (amd64) (push) Successful in 23s
Details
Container Publish / update docker manifest (push) Successful in 9s
Details
2025-10-03 07:27:23 +02:00
paspo
d49dfa411c switched from drone to gitea actions 2025-06-13 08:06:02 +02:00
paspo
1bfcf8fe2c shellcheck fix 2025-06-13 08:04:41 +02:00
5 changed files with 148 additions and 39 deletions
Expand all files Collapse all files

35
.drone.yml
View File

@@ -1,35 +0,0 @@
kind: pipeline
type: docker
name: default
steps:
- name: build
image: plugins/docker:linux-amd64
pull: always
settings:
dockerfile: Dockerfile
daemon_off: false
dry_run: true
repo: docker.asperti.com/paspo/sshtunnel
when:
event:
exclude:
- tag
- name: build_and_publish
image: plugins/docker:linux-amd64
pull: always
settings:
dockerfile: Dockerfile
tags:
- latest
force_tag: true
password:
from_secret: docker_password
registry: docker.asperti.com
repo: docker.asperti.com/paspo/sshtunnel
username:
from_secret: docker_username
when:
event:
- tag

73
.gitea/workflows/build_and_publish.yaml Normal file
View File

@@ -0,0 +1,73 @@
---
name: Container Publish
env:
REGISTRY: docker.asperti.com
REPOSITORY: paspo/sshtunnel
on:
push:
schedule:
- cron: "0 12 * * 3"
workflow_dispatch:
workflow_call:
workflow_run:
workflows: [vulnscan.yaml]
types: [completed]
jobs:
on-success-skip:
runs-on:
labels: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' }}
steps:
- run: exit_with_success
build-image:
runs-on:
labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
container:
image: catthehacker/ubuntu:act-latest
strategy:
matrix:
arch: [amd64, arm64]
steps:
- uses: actions/checkout@v4
- name: Login to registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and publish
run: |
docker build \
--tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
--platform linux/${{ matrix.arch }} --no-cache -f Dockerfile .
docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
manifest:
name: update docker manifest
needs: build-image
runs-on: ubuntu-latest
container:
image: catthehacker/ubuntu:act-latest
steps:
- name: Login to registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: latest
run: |
docker manifest create \
${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \
--amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \
--amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest

64
.gitea/workflows/vulnscan.yaml Normal file
View File

@@ -0,0 +1,64 @@
---
name: Vulnerability Scan
env:
REGISTRY: docker.asperti.com
REPOSITORY: paspo/sshtunnel
on:
schedule:
- cron: "0 14 * * *"
workflow_dispatch:
workflow_call:
workflow_run:
workflows: [build_and_publish.yaml]
types: [completed]
jobs:
scan:
name: Daily Vulnerability Scan
runs-on:
labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
container:
image: catthehacker/ubuntu:act-latest
strategy:
matrix:
arch: [amd64, arm64]
steps:
- name: Pull docker image
run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
- name: Setup trivy
run: |
echo "Installing Trivy for arch: $(uname -m)"
case $(uname -m) in
x86_64)
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
aarch64)
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
*) exit 1 ;;
esac
dpkg -i /tmp/trivy.deb
- name: Run Trivy vulnerability scanner
id: scan
run: |
trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest > trivy-results.json
# if some vulnerability is found, we fail
- name: check output
id: vulncount
run: |
echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
- name: send telegram notification
if: failure()
uses: appleboy/telegram-action@master
with:
to: ${{ secrets.TELEGRAM_TO }}
token: ${{ secrets.TELEGRAM_TOKEN }}
format: markdown
message: |
Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest`

3
Dockerfile
View File

@@ -10,7 +10,8 @@ ARG REMOTE_PORT
ARG LOCAL_PORT ARG LOCAL_PORT
RUN \ RUN \
apk -U add openssh-client apk --no-cache upgrade && \
apk --no-cache add openssh-client
COPY entrypoint.sh / COPY entrypoint.sh /

12
entrypoint.sh
View File

@@ -2,26 +2,32 @@
ERROR=0 ERROR=0
# shellcheck disable=2154 # 2154 irrelevant because the ENV variable should come from container invokation
if [ "${SSH_USER}" = "" ] ; then if [ "${SSH_USER}" = "" ] ; then
echo You must set the SSH_USER environment variable echo You must set the SSH_USER environment variable
ERROR=1 ERROR=1
fi fi
# shellcheck disable=2154 # 2154 irrelevant because the ENV variable should come from container invokation
# shellcheck disable=2153 # 2153 irrelevant because SSH_HOST is the correct ENV variable
if [ "${SSH_HOST}" = "" ] ; then if [ "${SSH_HOST}" = "" ] ; then
echo You must set the SSH_HOST environment variable echo You must set the SSH_HOST environment variable
ERROR=1 ERROR=1
fi fi
# shellcheck disable=2154 # 2154 irrelevant because the ENV variable should come from container invokation
if [ "${REMOTE_HOST}" = "" ] ; then if [ "${REMOTE_HOST}" = "" ] ; then
echo You must set the REMOTE_HOST environment variable echo You must set the REMOTE_HOST environment variable
ERROR=1 ERROR=1
fi fi
# shellcheck disable=2154 # 2154 irrelevant because the ENV variable should come from container invokation
if [ "${REMOTE_PORT}" = "" ] ; then if [ "${REMOTE_PORT}" = "" ] ; then
echo You must set the REMOTE_PORT environment variable echo You must set the REMOTE_PORT environment variable
ERROR=1 ERROR=1
fi fi
# shellcheck disable=2154 # 2154 irrelevant because the ENV variable should come from container invokation
if [ "${LOCAL_PORT}" = "" ] ; then if [ "${LOCAL_PORT}" = "" ] ; then
echo You must set the LOCAL_PORT environment variable echo You must set the LOCAL_PORT environment variable
ERROR=1 ERROR=1
@@ -42,10 +48,10 @@ fi
while true ; do while true ; do
ssh \ ssh \
-p ${SSH_PORT} -i ${SSH_IDENTITY_PATH} \ -p "${SSH_PORT}" -i "${SSH_IDENTITY_PATH}" \
-o StrictHostKeyChecking=no -N \ -o StrictHostKeyChecking=no -N \
-L 0.0.0.0:${LOCAL_PORT}:${REMOTE_HOST}:${REMOTE_PORT} \ -L "0.0.0.0:${LOCAL_PORT}:${REMOTE_HOST}:${REMOTE_PORT}" \
${SSH_USER}@${SSH_HOST} "${SSH_USER}@${SSH_HOST}"
echo "Connection closed. Waiting 5 seconds before retry." echo "Connection closed. Waiting 5 seconds before retry."
sleep 5s sleep 5s
done done