Merge pull request #67 from swisscom/develop

update dependencies

.github/workflows/periodic-scanning.yml

@@ -0,0 +1,79 @@
+name: periodic scanning
+
+on:
+  schedule:
+  - cron: '0 9 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  snyk-periodic-container:
+    permissions:
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        ref: master
+    - name: run snyk to check docker image for vulnerabilities
+      continue-on-error: true
+      uses: snyk/actions/docker@dc22abdbe8ec00e2a925256fef96f319ca5510ce
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: docker.io/jamesclonk/backman:latest
+        sarif: true
+        args: --policy-path=. --file=Dockerfile --severity-threshold=medium
+    - name: upload results to github code scanning
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: snyk.sarif
+
+  snyk-periodic-golang:
+    permissions:
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        ref: master
+    - name: run snyk to for golang vulnerabilities
+      continue-on-error: true
+      uses: snyk/actions/golang@dc22abdbe8ec00e2a925256fef96f319ca5510ce
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        args: --policy-path=. --file=go.mod --sarif-file-output=snyk.sarif --fail-on=all
+    - name: upload results to github code scanning
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: snyk.sarif
+
+  trivy-periodic-container:
+    permissions:
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        ref: master
+    - name: run trivy to check docker image for vulnerabilities
+      continue-on-error: true
+      uses: aquasecurity/trivy-action@4b9b6fb4ef28b31450391a93ade098bb00de584e
+      with:
+        image-ref: docker.io/jamesclonk/backman:latest
+        format: 'sarif'
+        output: 'trivy.sarif'
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH,MEDIUM'
+        ignore-unfixed: true
+        skip-dirs: /root/.npm/_cacache,/etc/ssh
+    - name: upload results to github code scanning
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: trivy.sarif

.github/workflows/snyk-golang.yml

@@ -23,7 +23,7 @@ jobs:
       env:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       with:
-        args: --policy-path=. --file=go.mod --sarif-file-output=snyk.sarif
+        args: --policy-path=. --file=go.mod --sarif-file-output=snyk.sarif --fail-on=all
     - name: upload results to github code scanning
       uses: github/codeql-action/upload-sarif@v2
       with:

.gitignore

@@ -44,3 +44,4 @@ backman
 _fixtures/*
 /.idea/
 snyk.sarif
+trivy.sarif

.snyk

@@ -250,4 +250,8 @@ ignore:
     - '*':
         reason: Not applicable
         expires: 2099-09-09T00:00:00.000Z
+  SNYK-UBUNTU2004-VIM-2858401:
+    - '*':
+        reason: Not applicable
+        expires: 2099-09-09T00:00:00.000Z
 patch: {}

manifest.yml

@@ -24,13 +24,6 @@ applications:
   # ### push either as docker image
   docker:
     image: jamesclonk/backman:latest # choose version from https://github.com/swisscom/backman/releases or https://hub.docker.com/r/jamesclonk/backman/tags, or stay on 'latest' if you're feeling adventurous
-  # ### or as buildpack/src
-  # buildpacks:
-  # - https://github.com/cloudfoundry/apt-buildpack
-  # - nodejs_buildpack
-  # - go_buildpack
-  # command: backman
-  # path: .
 
   env:
     TZ: Europe/Zurich