Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/container-validation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ name: Full checkup for SimpleRisk Docker images
on:
workflow_dispatch:
pull_request:
branches: [ master ]
branches: [ master, testing ]

jobs:
simplerisk-jammy:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/shellcheck.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ name: Shell script checkup with ShellCheck

on:
pull_request:
branches: [ master ]
branches: [ master, testing ]

jobs:
shellcheck:
Expand Down
22 changes: 22 additions & 0 deletions .grype.yaml
Original file line number Diff line number Diff line change
@@ -1,2 +1,24 @@
ignore:
- vulnerability: CVE-2025-27558 # Not able to fix it at the moment
# False positive: Grype's binary classifier reads the PHP interpreter's own version
# string (PHP 8.3.32 — embedded in /usr/local/bin/php, libphp.so, and the bundled
# extensions) as a "curl" binary at 8.3.32, then flags these curl CVEs (all fixed in
# curl 8.21.0). The REAL curl is the Debian package, patched (8.14.1-2+deb13u4) and
# correctly not flagged. Scoped per-CVE to binary-classified curl so a genuine future
# curl finding still surfaces instead of being blanket-ignored.
- vulnerability: CVE-2026-11856
package:
name: curl
type: binary
- vulnerability: CVE-2026-10536
package:
name: curl
type: binary
- vulnerability: CVE-2026-8927
package:
name: curl
type: binary
- vulnerability: CVE-2026-8924
package:
name: curl
type: binary
4 changes: 4 additions & 0 deletions simplerisk-minimal/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,11 @@ ARG TARGETARCH
# NOTE: The MySQL key was taken from https://dev.mysql.com/doc/refman/8.4/en/checking-gpg-signature.html
# amd64: mysql-community-client from MySQL's Debian repo
# arm64: default-mysql-client from Debian (MySQL's apt repo has no arm64 packages)
# apt-get upgrade patches base-image packages (apache2, curl, ...) with Debian
# security updates — the pinned php:${php_version}-apache base ships them at its
# own build-time versions, so without this they accumulate fixed CVEs (Grype gate).
RUN apt-get update && \
apt-get -y upgrade && \
apt-get install -y --no-install-recommends \
libldap2-dev \
libicu-dev \
Expand Down
4 changes: 4 additions & 0 deletions simplerisk-minimal/generate_dockerfile.sh
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,11 @@ ARG TARGETARCH
# NOTE: The MySQL key was taken from https://dev.mysql.com/doc/refman/8.4/en/checking-gpg-signature.html
# amd64: mysql-community-client from MySQL's Debian repo
# arm64: default-mysql-client from Debian (MySQL's apt repo has no arm64 packages)
# apt-get upgrade patches base-image packages (apache2, curl, ...) with Debian
# security updates — the pinned php:\${php_version}-apache base ships them at its
# own build-time versions, so without this they accumulate fixed CVEs (Grype gate).
RUN apt-get update && \\
apt-get -y upgrade && \\
apt-get install -y --no-install-recommends \\
libldap2-dev \\
libicu-dev \\
Expand Down