add image scan with dockle-action, add dockleignore with all kinds of warnings [skip ci]

jakoch · jakoch · commit 54789870e129 · 2025-02-09T21:06:06.000+01:00
diff --git a/.dockleignore b/.dockleignore
@@ -0,0 +1,25 @@
+#
+# Ignore rules for https://github.com/goodwithtech/dockle
+#
+# https://github.com/goodwithtech/dockle?tab=readme-ov-file#checkpoint-summary
+#
+
+CIS-DI-0001 # Create a user for the container
+# Disabled because:
+# Currently user is root.
+# This is a devcontainer image for usage inside VSCode or a CI pipeline.
+
+CIS-DI-0005 # Enable Content trust for Docker
+# Disabled because:
+# This is open-source. Not messing around with keys and trust for now.
+
+CIS-DI-0006 # Add HEALTHCHECK instruction to the container image
+# Disabled because:
+# The Docker engine itself does not automatically restart unhealthy containers
+# based on HEALTHCHECK pings to the local Docker host.
+# This is also not a server container with a running service,
+# which needs to be kept alive.
+
+CIS-DI-0008 # Confirm safety of setuid/setgid files
+# Disabled because:
+# This is a devcontainer image for usage inside VSCode or a CI pipeline.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -232,7 +232,7 @@ jobs:
             README-${{ matrix.config.debian_codename }}-base.md
             README-${{ matrix.config.debian_codename }}-with-vulkansdk.md
 
-      - name: 🛡️🔍 Scan Image for Vulnerabilities
+      - name: 🛡️🔍 Scan Image for Vulnerabilities using Trivy
         uses: aquasecurity/trivy-action@master # https://github.com/aquasecurity/trivy-action
         with:
           image-ref: '${{ env.GHCR_IMAGE }}:latest'
@@ -251,7 +251,16 @@ jobs:
       #   are not relevant for the image security. The scan is faster without them.
 
       # upload fails: https://github.com/github/codeql-action/issues/2117
-      - name: 🛡️🔼 Upload scan results to GitHub Security tab
+      - name: 🛡️🔼 Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3 # https://github.com/github/codeql-action
         with:
           sarif_file: 'trivy-results.sarif'
+
+      - name: 🛡️🔍 Scan Image for Vulnerabilities using Dockle
+        if: always()
+        uses: goodwithtech/dockle-action@v0.4.15 # https://github.com/goodwithtech/dockle-action
+        with:
+          image: '${{ env.GHCR_IMAGE }}:latest'
+          format: 'list'
+          exit-code: '0'
+          exit-level: 'warn'
