Fix/vuln (#1214)

* use alpine latest and tighten the snyk threshold * test commit to trigger scan * testing if snyk thresholding working * revert test commits --------- Co-authored-by: vk <[email protected]> Co-authored-by: nikvin15 <[email protected]> Co-authored-by: Karan Batavia <[email protected]>
Privado-Inc · Jul 8, 2024 · 2f62ebc · 2f62ebc
1 parent bd4be1d
commit 2f62ebc
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/.github/workflows/vulnerability-scanner.yml b/.github/workflows/vulnerability-scanner.yml
@@ -14,4 +14,4 @@ jobs:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
           image: privado-core-oss
-          args: --severity-threshold=high
+          args: --severity-threshold=low --policy-path=.snyk
diff --git a/.snyk b/.snyk
@@ -0,0 +1,10 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-ALPINE320-OPENSSL-7413532:
+    - '*':
+        reason: None Given
+        expires: 2025-05-31T06:24:20.956Z
+        created: 2024-05-01T06:24:20.963Z
+patch: {}
diff --git a/Dockerfile b/Dockerfile
@@ -153,9 +153,8 @@ ENV PATH $GOPATH/bin:$PATH
 
 RUN export BUILD_VERSION=$JAR_VERSION && sbt universal:packageBin
 
-FROM alpine:3.16
+FROM alpine:latest
 RUN apk add --no-cache bash
-RUN apk update && apk add busybox --upgrade
 #The SHELL instruction allows the default shell used for the shell form of commands to be overridden
 SHELL [ "/bin/bash", "-c" ]
 WORKDIR /home
@@ -164,5 +163,4 @@ COPY --from=build /home/privado-core/target/universal/privado-core*.zip /home/pr
 COPY --from=build /home/privado-core/target/universal/stage/bin /home/privado-core-build/
 COPY --from=build /home/privado-core/log4j2.xml /home/privado-core-build/
 RUN echo $VERSION >> /home/privado-core-build/version.txt
-RUN apk del bash