Merge pull request #532 from sir-gon/security

Security

Author: sir-gon

.github/workflows/docker-image.yml

@@ -157,7 +157,7 @@ jobs:
         with:
           sarif_file: 'snyk.sarif'
   scan:
-    name: "Trivy"
+    name: "Trivy (sarif)"
     runs-on: ubuntu-latest
     needs: build
     permissions:
@@ -187,3 +187,25 @@ jobs:
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'
+
+  report:
+    name: "Trivy (report)"
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_prod
+          path: /tmp/
+
+      - name: Load image
+        run: |
+          docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
+          docker image ls -a
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          format: 'table'

requirements.txt

@@ -19,9 +19,9 @@ pylint==3.2.5
 pyright==1.1.372
 pytest==8.2.2
 pytest-cov==5.0.0
+setuptools==71.0.4 # not directly required, pinned by Snyk to avoid a vulnerability
 tomli==2.0.1
 tomlkit==0.13.0
 typing_extensions==4.12.2
 wrapt==1.16.0
-setuptools>=70.0.0 # not directly required, pinned by Snyk to avoid a vulnerability
 zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability