Merge branch 'main' into other/scan-notification

cx-anurag-dalke · web-flow · commit db491882226d · 2026-03-06T18:21:01.000+05:30
diff --git a/.github/workflows/ci-tests.yml b/.github/workflows/ci-tests.yml
@@ -148,3 +148,41 @@ jobs:
         with:
           go-version-file: go.mod
           go-package: ./...
+
+  checkDockerImage:
+    runs-on: ubuntu-latest
+    name: scan Docker Image with Trivy
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@722adc63f1aa60a57ec37892e133b1d319cae598 #2.0.0
+
+
+      - name: Set up Docker
+        uses: docker/setup-buildx-action@cf09c5c41b299b55c366aff30022701412eb6ab0 #v1.0.0
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b #v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Build the project
+        run: go build -o ./cx ./cmd
+      - name: Build Docker image
+        run: docker build -t ast-cli:${{ github.sha }} .
+      - name: Run Trivy scanner without downloading DBs
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 #v0.34.2
+        with:
+          scan-type: 'image'
+          image-ref: ast-cli:${{ github.sha }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          output: './trivy-image-results.txt'
+        env:
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
+
+      - name: Inspect action report
+        if: always()
+        shell: bash
+        run: cat ./trivy-image-results.txt
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM checkmarx/bash:5.2.37-r33-812e1f54f671f5@sha256:812e1f54f671f5678f647d7762f61521a967ff1f8d376d9f38a9838e0a3659a3
+FROM checkmarx/bash:5.3-r5-98621acba7807a@sha256:98621acba7807a4e128f3e00aba3987e4f659ff352191f79cdbaa7f8a32cfb58
 USER nonroot
 
 COPY cx /app/bin/cx
diff --git a/go.mod b/go.mod
@@ -114,7 +114,7 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/cli v29.0.3+incompatible // indirect
+	github.com/docker/cli v29.2.0+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker v28.5.2+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.3 // indirect
diff --git a/go.sum b/go.sum
@@ -299,6 +299,8 @@ github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxK
 github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/docker/cli v29.0.3+incompatible h1:8J+PZIcF2xLd6h5sHPsp5pvvJA+Sr2wGQxHkRl53a1E=
 github.com/docker/cli v29.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.2.0+incompatible h1:9oBd9+YM7rxjZLfyMGxjraKBKE4/nVyvVfN4qNl9XRM=
+github.com/docker/cli v29.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
diff --git a/internal/commands/scan.go b/internal/commands/scan.go
@@ -64,7 +64,7 @@ const (
 	containerVolumeFlag                     = "-v"
 	containerNameFlag                       = "--name"
 	containerRemove                         = "--rm"
-	containerImage                          = "checkmarx/kics:v2.1.19"
+	containerImage                          = "checkmarx/kics:v2.1.20"
 	containerScan                           = "scan"
 	containerScanPathFlag                   = "-p"
 	containerScanPath                       = "/path"
diff --git a/internal/commands/util/remediation.go b/internal/commands/util/remediation.go
@@ -27,7 +27,7 @@ const (
 	filesContainerVolume      = ":/files"
 	resultsContainerLocation  = "/kics/"
 	containerRemove           = "--rm"
-	ContainerImage            = "checkmarx/kics:v2.1.19"
+	ContainerImage            = "checkmarx/kics:v2.1.20"
 	containerNameFlag         = "--name"
 	remediateCommand          = "remediate"
 	resultsFlag               = "--results"

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM checkmarx/bash:5.2.37-r33-812e1f54f671f5@sha256:812e1f54f671f5678f647d7762f61521a967ff1f8d376d9f38a9838e0a3659a3`
	`1`	`+FROM checkmarx/bash:5.3-r5-98621acba7807a@sha256:98621acba7807a4e128f3e00aba3987e4f659ff352191f79cdbaa7f8a32cfb58`
`2`	`2`	`USER nonroot`
`3`	`3`
`4`	`4`	`COPY cx /app/bin/cx`