From 36538fc703cd159700bd061eca92f6878fc31e42 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Dec 2023 10:22:59 +0100 Subject: [PATCH 01/10] chore(deps): bump anchore/sbom-action from 0.15.0 to 0.15.1 (#235) Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.15.0 to 0.15.1. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Commits](https://github.com/anchore/sbom-action/compare/fd74a6fb98a204a1ad35bbfae0122c1a302ff88b...5ecf649a417b8ae17dc8383dc32d46c03f2312df) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml index e95ed846..465d9055 100644 --- a/.github/workflows/build-push.yml +++ b/.github/workflows/build-push.yml @@ -68,7 +68,7 @@ jobs: provenance: true cache-from: type=gha cache-to: type=gha,mode=max - - uses: anchore/sbom-action@fd74a6fb98a204a1ad35bbfae0122c1a302ff88b # v0.15.0 + - uses: anchore/sbom-action@5ecf649a417b8ae17dc8383dc32d46c03f2312df # v0.15.1 if: ${{ steps.build-and-push.outputs.digest != '' && github.event_name != 'merge_group' }} with: image: ${{ env.REGISTRY }}/${{ github.repository }}@${{ steps.build-and-push.outputs.digest }} From a0460ef25dc2a2f46531f1842db9aad22f96e8ae Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Dec 2023 09:23:39 +0000 Subject: [PATCH 02/10] chore(deps): bump docker/metadata-action from 5.2.0 to 5.3.0 (#234) Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5.2.0 to 5.3.0. - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](https://github.com/docker/metadata-action/compare/e6428a5c4e294a61438ed7f43155db912025b6b3...31cebacef4805868f9ce9a0cb03ee36c32df2ac4) --- updated-dependencies: - dependency-name: docker/metadata-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml index 465d9055..5b70696f 100644 --- a/.github/workflows/build-push.yml +++ b/.github/workflows/build-push.yml @@ -31,7 +31,7 @@ jobs: steps: - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 if: ${{ github.event_name != 'merge_group' }} - - uses: docker/metadata-action@e6428a5c4e294a61438ed7f43155db912025b6b3 # v5.2.0 + - uses: docker/metadata-action@31cebacef4805868f9ce9a0cb03ee36c32df2ac4 # v5.3.0 id: meta env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index From 0e3d247871adebb81eaa0a93840da843edfa57a5 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Tue, 5 Dec 2023 11:29:34 +0100 Subject: [PATCH 03/10] ci: dependency updates end up in CHANGELOG.md (#229) Additionally remove the "scope" option, see: https://github.com/dependabot/dependabot-core/issues/8443 --- .github/dependabot.yml | 6 ++---- .github/workflows/update-dependencies.yml | 4 ++-- 2 files changed, 4 insertions(+), 6 deletions(-) 
diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4f631df9..97393f75 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,12 +11,10 @@ updates: schedule: interval: daily commit-message: - prefix: "deps(docker)" - include: "scope" + prefix: "feat(deps)" - package-ecosystem: pip directory: .devcontainer schedule: interval: daily commit-message: - prefix: "deps" - include: "scope" + prefix: "feat(deps)" diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml index 2646432d..0703c9b8 100644 --- a/.github/workflows/update-dependencies.yml +++ b/.github/workflows/update-dependencies.yml @@ -25,8 +25,8 @@ jobs: run: ./update-dependencies.sh apt-requirements-base.json apt-requirements-clang.json - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 with: - commit-message: "deps(apt): update dependencies" + commit-message: "feat(deps): update dependencies" branch: feature/update-apt-dependencies - title: "deps(apt): update dependencies" + title: "feat(deps): update dependencies" labels: dependencies token: ${{ secrets.AMP_RELEASER_TOKEN }} From 41f711d56d3a8b8d4a32bd70b9257a1b2596593d Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Tue, 5 Dec 2023 11:29:44 +0100 Subject: [PATCH 04/10] ci: release-please remove deprecated "command" (#230) --- .github/workflows/release-please.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index b33cdb50..a959d553 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -18,5 +18,4 @@ jobs: steps: - uses: google-github-actions/release-please-action@a6d1fd9854c8c40688a72f7e4b072a1e965860a0 # v4.0.0 with: - command: manifest token: ${{ secrets.AMP_RELEASER_TOKEN }} From 427cbc0a89ddab71218059fb51ca6d6d582f3eff Mon Sep 17 00:00:00 2001 
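Review bot: Prefixing every automated dependency commit with `feat(deps)` (both `prefix:` lines in `.github/dependabot.yml` and the `commit-message:`/`title:` pair in `update-dependencies.yml`) makes release-please, which this repository uses per the `release-please.yml` hunk below, classify each bump as a feature: a minor version bump and a "Features" changelog section, which is broader than the stated goal of getting the updates into CHANGELOG.md. If the intent is only a changelog entry, `fix(deps)` lands the same entry with a patch-level bump, or a dedicated `deps` type can be made visible through release-please's changelog section configuration instead of overloading `feat`. Whichever is chosen, the two files should keep using the same prefix, as they do now.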
From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Tue, 5 Dec 2023 11:29:58 +0100 Subject: [PATCH 05/10] ci: recursively sign digest i.s.o. tags (#231) ci: recursively sign from digest i.s.o. tags --- .github/workflows/build-push.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml index 5b70696f..9e0e2eff 100644 --- a/.github/workflows/build-push.yml +++ b/.github/workflows/build-push.yml @@ -84,5 +84,4 @@ jobs: # against the sigstore community Fulcio instance. env: DIGEST: ${{ steps.build-and-push.outputs.digest }} - TAGS: ${{ steps.meta.outputs.tags }} - run: echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}" + run: cosign sign --yes --recursive "${{ env.REGISTRY }}/${{ github.repository }}@${DIGEST}" From cabdbbf2d907d0479df40bea3a73a9da90ecddf7 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Tue, 5 Dec 2023 11:41:08 +0100 Subject: [PATCH 06/10] docs: add issue templates (#233) * docs: add issue templates * Apply linter findings Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * docs: add tool request template --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .github/ISSUE_TEMPLATE/bug_report.md | 32 +++++++++++++++++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 20 ++++++++++++++ .github/ISSUE_TEMPLATE/tool_request.md | 20 ++++++++++++++ 3 files changed, 72 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md create mode 100644 .github/ISSUE_TEMPLATE/tool_request.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 00000000..8655e992 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md 
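Review bot: The new `run:` line interpolates `${{ env.REGISTRY }}/${{ github.repository }}` straight into the shell command while `DIGEST` is still passed through `env:`; for consistency and to keep workflow expressions out of the shell string, pass the image reference the same way, e.g. add `IMAGE: ${{ env.REGISTRY }}/${{ github.repository }}` under `env:` and use `run: cosign sign --yes --recursive "${IMAGE}@${DIGEST}"`. Since `--recursive` also signs each image referenced by a multi-arch index, the step now emits more signatures than the old per-tag loop, which is worth a one-line comment next to the `# against the sigstore community Fulcio instance.` context line. Whether this step is guarded by an `if:` on a non-empty digest, as the sbom-action step in the same workflow is, cannot be seen here because the step's header lies outside the hunk.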
@@ -0,0 +1,32 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Clone repository '...' in container volume
+2. Select build preset '....'
+3. Open file '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Environment (please complete the following information):**
+- OS: [e.g. Windows, Linux, OSX]
+- Architecture [e.g. x86_64, Apple M2]
+- Docker Version [e.g. Docker Desktop 4.25.2]
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 00000000..11fc491e
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.github/ISSUE_TEMPLATE/tool_request.md b/.github/ISSUE_TEMPLATE/tool_request.md
new file mode 100644
index 00000000..a3180b12
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/tool_request.md
@@ -0,0 +1,20 @@
+---
+name: Tool request
+about: Request to include an additional tool
+title: 'Request to include '
+labels: enhancement
+assignees: ''
+
+---
+
+**What tool would you like to include**
+A clear and concise description of the tool you would want to include. Ex. I want to add tool x that does [...]
+
+**What is the use-case for the inclusion**
+Describe why the proposed tool should be added. Please note that project specific tools
+should be added to a derived container instead of adding them to amp-devcontainer.
+
+**What is the estimated size impact**
+Describe what the estimated (or absolute) size impact of the inclusion would be on the final
+image [size](https://en.wikipedia.org/wiki/Byte#Multiple-byte_units).
+Ex. The container image size will increase with 5 MiB.
From 560290a0ad092afc9861da23efb78f109ebded76 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Tue, 5 Dec 2023 11:49:49 +0100
Subject: [PATCH 07/10] ci: add ossf-scorecard.yml (#236) * ci: add ossf-scorecard.yml * docs: add scorecard badge * chore: disable markdownlint for badges
---
 .github/workflows/ossf-scorecard.yml | 34 ++++++++++++++++++++++++++++ README.md | 4 +++- 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/ossf-scorecard.yml
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
new file mode 100644
index 00000000..50d88adb
--- /dev/null
+++ b/.github/workflows/ossf-scorecard.yml
@@ -0,0 +1,34 @@ +--- +name: Supply-chain security + +on: + workflow_dispatch: + branch_protection_rule: + schedule: + - cron: "16 19 * * 6" + push: + branches: [main] + +permissions: read-all + +jobs: + analysis: + name: OSSF Scorecard + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + repo_token: ${{ secrets.SCORECARD_TOKEN }} + publish_results: true + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7 + with: + sarif_file: results.sarif diff --git a/README.md b/README.md index 60a36e19..f80a566d 100644 --- a/README.md +++ b/README.md 
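Review bot: `repo_token: ${{ secrets.SCORECARD_TOKEN }}` hands a long-lived repository secret to the scorecard step, but nothing in the workflow records what that token is expected to be or why the default `GITHUB_TOKEN` is not enough, so a later maintainer has no basis for keeping its scope narrow. Per the scorecard-action documentation a personal access token is only needed here for checks the default token cannot read, notably Branch-Protection on a public repository, and it should be read-only; a comment above the line such as `# Read-only PAT; only needed so the Branch-Protection check can read branch protection settings` captures that. `publish_results: true` sends the results to the public OpenSSF API, which matches the badge this commit adds to README.md. The `persist-credentials: false` on checkout and the job-level `permissions` block that limits write access to `security-events` and `id-token` look right.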
@@ -1,6 +1,8 @@ # amp-devcontainer -[![Linting & Formatting](https://github.com/philips-software/amp-devcontainer/actions/workflows/linting-formatting.yml/badge.svg)](https://github.com/philips-software/amp-devcontainer/actions/workflows/linting-formatting.yml) [![Build & Push](https://github.com/philips-software/amp-devcontainer/actions/workflows/build-push.yml/badge.svg)](https://github.com/philips-software/amp-devcontainer/actions/workflows/build-push.yml) + +[![Linting & Formatting](https://github.com/philips-software/amp-devcontainer/actions/workflows/linting-formatting.yml/badge.svg)](https://github.com/philips-software/amp-devcontainer/actions/workflows/linting-formatting.yml) [![Build & Push](https://github.com/philips-software/amp-devcontainer/actions/workflows/build-push.yml/badge.svg)](https://github.com/philips-software/amp-devcontainer/actions/workflows/build-push.yml) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/philips-software/amp-devcontainer/badge)](https://securityscorecards.dev/viewer/?uri=github.com/philips-software/amp-devcontainer) + ## Overview From 42fe93f7191bff121f5f10db6da406f849b08ff9 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Tue, 5 Dec 2023 12:03:11 +0100 Subject: [PATCH 08/10] docs: add SECURITY.md (#232) * docs: add SECURITY.md * chore: fix linter findings * ci: fix more linter findings --- README.md | 7 ++++++- SECURITY.md | 15 +++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index f80a566d..cbd8948a 100644 --- a/README.md +++ b/README.md 
@@ -10,7 +10,7 @@ This repository contains a [devcontainer](https://docs.github.com/en/codespaces/ ## State -This repository is under active development; see [pulse](https://github.com/philips-software/amp-devcontainer/pulse) for more details; +This repository is under active development; see [pulse](https://github.com/philips-software/amp-devcontainer/pulse) for more details. ## Description
@@ -62,6 +62,11 @@ See [CHANGELOG](./CHANGELOG.md) for more info on what's been changed. See [CONTRIBUTING](./CONTRIBUTING.md) +## Reporting vulnerabilities + +If you find a vulnerability, please report it to us! +See [SECURITY.md](./SECURITY.md) for more information. + ## Licenses See [LICENSE](./LICENSE)
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..89c4676c
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,15 @@
+# Security Policy
+
+## Supported Versions
+
+The [latest](https://github.com/philips-software/amp-devcontainer/releases/latest) version of
+amp-devcontainer is supported with security updates.
+
+## Reporting a Vulnerability
+
+If you find a significant vulnerability, or evidence of one, please report it privately.
+
+Vulnerabilities should be reported using [GitHub's mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). Under the
+[main repository's security tab](https://github.com/philips-software/amp-devcontainer/security), click "Report a vulnerability" to open the advisory form.
+
+A member of the amp-devcontainer team will triage the reported vulnerability and if the vulnerability is accepted a security advisory will be published and all further communication will be done via that security advisory.
From 8b79e2a9b6baccff19d9fd0a31fec7c93e7cc7b6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Dec 2023 12:21:33 +0100 Subject: [PATCH 09/10] chore(deps): bump github/codeql-action from 2.22.7 to 2.22.8 (#239) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.7 to 2.22.8. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v2.22.7...407ffafae6a767df3e0230c3df91b6443ae8df75) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ossf-scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 50d88adb..28691e22 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -29,6 +29,6 @@ jobs: repo_token: ${{ secrets.SCORECARD_TOKEN }} publish_results: true - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7 + uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 with: sarif_file: results.sarif From 952f743b691e30be94c1d8373e61341e77e7f390 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Thu, 7 Dec 2023 15:29:09 +0100 Subject: [PATCH 10/10] chore: add no-op healthcheck (#238) --- .devcontainer/Dockerfile | 2 ++ .trivyignore | 4 ---- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 47f3b914..032a840e 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile 
@@ -10,6 +10,8 @@ ARG XWIN_VERSION=0.5.0 ARG DEBIAN_FRONTEND=noninteractive +HEALTHCHECK NONE + SHELL ["/bin/bash", "-o", "pipefail", "-c"] # Install the base system with all tool dependencies diff --git a/.trivyignore b/.trivyignore index 565467de..4d0c37f7 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,7 +1,3 @@ # See: https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0002/ # We allow root access in our container that we use for development purposes DS002 - -# See: https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0026/ -# We don't require a HEALTHCHECK for our devcontainer -DS026
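Review bot: `HEALTHCHECK NONE` in `.devcontainer/Dockerfile` needs a one-line comment, because on its own it reads like a disabled safety feature: it explicitly disables any health check inherited from the base image, and its presence is what now satisfies trivy's DS026 rule, which is why the `.trivyignore` entry dropped in the second hunk is no longer needed. Suggested comment above the instruction: `# Devcontainers are not long-running services; NONE also disables any HEALTHCHECK inherited from the base image and replaces the trivy DS026 ignore.` Without it the next reader may reintroduce the ignore or add a real health check that has nothing meaningful to probe.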