Add container scanning

.github/workflows/delivery.yml

@@ -1,11 +1,13 @@
 name: Delivery
 
-on: 
+on:
+  pull_request:
+    types: [synchronize, opened, reopened]
   push:
-    branches: [ master ]
+    branches: [master]
   release:
     # Note: a current limitation is that when a release is edited after publication, then the Docker tags are not automatically updated.
-    types: [ published ]
+    types: [published]
 
 permissions:
   contents: write
@@ -27,17 +29,37 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}.{{patch}}
             type=raw,value=edge
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}      
-      
-      - name: Build container and push to GitHub Container Registry
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build container and export to local Docker
         uses: docker/build-push-action@v5
         with:
           context: .
-          push: true
+          load: true
+          tags: local/yivitube:scan
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan Image
+        uses: anchore/scan-action@v3
+        id: scan
+        with:
+          image: local/yivitube:scan
+          only-fixed: true
+          fail-build: true
+          output-format: table
+
+      - name: Push image to GitHub Container Registry
+        uses: docker/build-push-action@v5
+        with:
+          push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          labels: ${{ steps.meta.outputs.labels }}

Dockerfile

@@ -1,35 +1,32 @@
-FROM node:14 AS builder
+FROM node:18 AS node
 
-RUN apt-get update && apt-get install -y \
-    php \
-    php-cli \
-    php-zip \
-    php-xml \
-    php-mbstring \
-    php-curl \
-    php-sqlite3 \
-    php-ldap \
-    unzip \
-    cron
+WORKDIR /build
 
-RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
-WORKDIR /app
+COPY www/package*.json .
 
-COPY . .
+RUN npm i
 
-RUN cd /app/www && npm install
-RUN cd /app/www && composer install
+# ---
 
-FROM php:8.0-apache
+FROM composer:latest AS composer
+FROM dunglas/frankenphp
 
-COPY --from=builder /app/www /var/www/html
-COPY --from=builder /app/data /app/data
+ENV SERVER_NAME=:8080
+ENV DEBIAN_FRONTEND=noninteractive
 
-RUN chown -R www-data:www-data /var/www/html \
-    && chmod -R 755 /var/www/html
+# Enable PHP production settings
+RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" \
+    && apt update && apt upgrade -y \
+    && install-php-extensions zip
 
+COPY ./data /app/data
+COPY ./www /app/public
 
-RUN echo "Listen 8080" >> /etc/apache2/ports.conf
+COPY --from=composer /usr/bin/composer /usr/local/bin/composer
+COPY --from=node /build/node_modules /app/public/node_modules
+
+RUN cd /app/public \
+    && composer install --no-interaction --optimize-autoloader --no-dev
 
 EXPOSE 8080
 

www/composer.json

@@ -3,7 +3,7 @@
     "description": "IRMA demo showing issuance and verification of IRMA attributes",
     "type": "project",
     "require": {
-        "firebase/php-jwt": "6.0.0",
+        "firebase/php-jwt": "6.11.0",
         "ext-json": "*",
         "ext-ctype": "*"
     },
@@ -14,4 +14,4 @@
             "email": "[email protected]"
         }
     ]
-}
+}

www/package.json

@@ -6,8 +6,8 @@
   "license": "Apache",
   "dependencies": {
     "@privacybydesign/yivi-frontend": "^0.1.3",
-    "bootstrap": "^3.3.6",
+    "bootstrap": "^5.0.0",
     "jquery": "^3.5.0",
     "mustache": "^2.3.0"
   }
-}
+}