removed vulnscan

.drone.star

@@ -1,114 +0,0 @@
-def main(ctx):
-    archs = ["amd64" ]
-    flavours = [ "sqlite3", "mysql" ]
-    upstream_versions = [ "6.0", "7.0" ]
-    out = []
-    for flavour in flavours:
-        for ver in upstream_versions:
-            for arch in archs:
-                out += pipeline(flavour, arch, ver)
-            out += manifest(flavour, ver, archs)
-    return out
-
-def pipeline(flavour, arch, ver):
-    out = [{
-        "kind": "pipeline",
-        "type": "docker",
-        "name": "zabbix-proxy-%s-%s-%s" % (flavour, ver, arch),
-        "platform": {
-            "arch": arch,
-            "os": "linux",
-        },
-        "steps": [{
-            "name": "build_on_push",
-            "image": "plugins/docker:linux-%s" % (arch),
-            "settings": {
-                "context": "src",
-                "dockerfile": "src/Dockerfile-%s" % (ver),
-                "build_args": [
-                    "UPSTREAM_FLAVOUR=" + flavour,
-                    "UPSTREAM_VERSION=" + ver
-                ],
-                "username": {
-                    "from_secret": "docker_username",
-                },
-                "password": {
-                    "from_secret": "docker_password",
-                },
-                "registry": "docker.asperti.com",
-                "repo": "docker.asperti.com/paspo/zabbix-proxy-%s-mssql" % (flavour),
-                "tags": [ 
-                    "%s-%s" % (ver, arch)
-                ],
-                "auto_tag": False,
-                "force_tag": True,
-                "daemon_off": False,            
-            },
-        }],
-        "trigger": {
-            "ref": [
-                "refs/heads/master",
-                "refs/tags/**",
-            ],
-        }
-    }]
-    return out
-
-def manifest(flavour, ver, archs):
-    commands = [
-        'echo "image: docker.asperti.com/paspo/zabbix-proxy-%s-mssql:%s" >> manifest-%s.tmpl' % (flavour, ver, flavour),
-        'echo "manifests:" >> manifest-%s.tmpl' % (flavour),
-        'echo "- image: docker.asperti.com/paspo/zabbix-proxy-%s-mssql:%s-amd64" >> manifest-%s.tmpl' % (flavour, ver, flavour),
-        'echo "  platform:" >> manifest-%s.tmpl' % (flavour),
-        'echo "    architecture: amd64" >> manifest-%s.tmpl' % (flavour),
-        'echo "    os: linux" >> manifest-%s.tmpl' % (flavour),
-        'echo "- image: docker.asperti.com/paspo/zabbix-proxy-%s-mssql:%s-arm64" >> manifest-%s.tmpl' % (flavour, ver, flavour),
-        'echo "  platform:" >> manifest-%s.tmpl' % (flavour),
-        'echo "    architecture: arm64" >> manifest-%s.tmpl' % (flavour),
-        'echo "    variant: v8" >> manifest-%s.tmpl' % (flavour),
-        'echo "    os: linux" >> manifest-%s.tmpl' % (flavour),
-        'echo "- image: docker.asperti.com/paspo/zabbix-proxy-%s-mssql:%s-arm" >> manifest-%s.tmpl' % (flavour, ver, flavour),
-        'echo "  platform:" >> manifest-%s.tmpl' % (flavour),
-        'echo "    architecture: arm" >> manifest-%s.tmpl' % (flavour),
-        'echo "    variant: v7" >> manifest-%s.tmpl' % (flavour),
-        'echo "    os: linux" >> manifest-%s.tmpl' % (flavour),
-    ]
-
-    return [{
-        "kind": "pipeline",
-        "type": "docker",
-        "name": "manifest-%s-%s" % (flavour, ver),
-        "platform": {
-            "arch": archs[0],
-            "os": "linux",
-        },
-        "steps": [{
-            "name": "generate",
-            "image": "alpine",
-            "commands": commands,
-        },{
-            "name": "manifest",
-            "image": "plugins/manifest",
-            "settings": {
-                "spec": "manifest-%s.tmpl" % (flavour),
-                "username": {
-                    "from_secret": "docker_username",
-                },
-                "password": {
-                    "from_secret": "docker_password",
-                }, 
-                "tags": [ 
-                    ver
-                ],
-                "ignore_missing": True,
-                "force_tag": True,
-            },
-        }],
-        "trigger": {
-            "ref": [
-                "refs/heads/master",
-                "refs/tags/**",
-            ],
-        },
-        "depends_on": ["zabbix-proxy-%s-%s-%s" % (flavour, ver, arch) for arch in archs]
-    }]

.gitea/workflows/build_and_publish.yaml

@@ -0,0 +1,82 @@
+---
+name: Container Publish
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/zabbix-proxy
+
+on:
+  push:
+  schedule:
+    - cron: "0 12 * * 3"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [vulnscan.yaml]
+    types: [completed]
+
+jobs:
+  on-success-skip:
+    runs-on:
+      labels: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - run: exit_with_success
+
+  build-image:
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64]
+        flavour: [sqlite3, mysql]
+        ver: ["7.0"]
+
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build and publish
+        run: |
+          docker build \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }}-${{ matrix.arch }} \
+            --build-arg UPSTREAM_FLAVOUR=${{ matrix.flavour }} \
+            --build-arg UPSTREAM_VERSION=${{ matrix.ver }} \
+            --platform linux/${{ matrix.arch }} -f src/Dockerfile-${{ matrix.ver }} .
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }}-${{ matrix.arch }}
+
+  manifest:
+    name: update docker manifest
+    needs: build-image
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64]
+        flavour: [sqlite3, mysql]
+        ver: ["7.0"]
+
+    steps:
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: latest
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }} \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }}-amd64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }}

.gitea/workflows/vulnscan.yaml

@@ -0,0 +1,64 @@
+---
+name: Vulnerability Scan
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/zabbix-proxy
+
+on:
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [build_and_publish.yaml]
+    types: [completed]
+
+jobs:
+  scan:
+    name: Daily Vulnerability Scan
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64]
+        flavour: [sqlite3, mysql]
+        ver: ["7.0"]
+
+    steps:
+      - name: Pull docker image
+        run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }}
+
+      - name: Setup trivy
+        run: |
+          echo "Installing Trivy for arch: $(uname -m)"
+          case $(uname -m) in
+            x86_64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
+            aarch64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
+            *) exit 1 ;;
+          esac
+          dpkg -i /tmp/trivy.deb
+
+      - name: Run Trivy vulnerability scanner
+        id: scan
+        run: |
+          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }} > trivy-results.json
+
+      # if some vulnerability is found, we fail
+      - name: check output
+        id: vulncount
+        run: |
+          echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
+          if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+
+      - name: send telegram notification
+        if: failure()
+        uses: appleboy/telegram-action@master
+        with:
+          to: ${{ secrets.TELEGRAM_TO }}
+          token: ${{ secrets.TELEGRAM_TOKEN }}
+          format: markdown
+          message: |
+            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }}`

README.md

@@ -18,7 +18,6 @@ These are the supported upstream versions:
 | version |
 |---------|
 | 7.0     |
-| 6.0     |
 
 You can use the desired version as image tag (e.g. `docker.asperti.com/paspo/zabbix-proxy-sqlite3-mssql:7.0`), the correct arch will be used.
 If you prefer, you can also pin to a specific architecture: `docker.asperti.com/paspo/zabbix-proxy-sqlite3-mssql:7.0-amd64`.

src/Dockerfile-6.0

@@ -11,7 +11,8 @@ RUN \
   DEBIAN_FRONTEND=noninteractive apt install -y /tmp/a.deb && \
   rm /tmp/a.deb && \
   DEBIAN_FRONTEND=noninteractive apt update && \
-  DEBIAN_FRONTEND=noninteractive ACCEPT_EULA=Y  apt install -y msodbcsql18 mssql-tools18 && \
+  DEBIAN_FRONTEND=noninteractive apt upgrade -y && \
+  DEBIAN_FRONTEND=noninteractive ACCEPT_EULA=Y apt install -y msodbcsql18 mssql-tools18 && \
   DEBIAN_FRONTEND=noninteractive apt-get clean
 
 USER zabbix

src/Dockerfile-7.0

@@ -11,7 +11,8 @@ RUN \
   DEBIAN_FRONTEND=noninteractive apt install -y /tmp/a.deb && \
   rm /tmp/a.deb && \
   DEBIAN_FRONTEND=noninteractive apt update && \
-  DEBIAN_FRONTEND=noninteractive ACCEPT_EULA=Y  apt install -y msodbcsql18 mssql-tools18 && \
+  DEBIAN_FRONTEND=noninteractive apt upgrade -y -o Dpkg::Options::="--force-confnew" && \
+  DEBIAN_FRONTEND=noninteractive ACCEPT_EULA=Y apt install -y msodbcsql18 mssql-tools18 && \
   DEBIAN_FRONTEND=noninteractive apt-get clean
 
 USER zabbix