5 changes: 5 additions & 0 deletions .dockerignore
@@ -0,0 +1,5 @@
.git*
*.md
*test*.*
Dockerfile
LICENSE
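Review bot: `*test*.*` also excludes `tests.yaml`, the container-structure-test config the README points at, from the build context; that is fine because the tool runs against the finished image rather than inside the build, but a one-line comment in the file would stop a future `COPY tests.yaml` from failing silently. `.git*` likewise matches `.github/` and `.gitignore`, which looks intended.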
106 changes: 106 additions & 0 deletions .github/workflows/pr-scan.yml
@@ -0,0 +1,106 @@
name: PR Security Scan

on:
pull_request_target:
types: [opened, synchronize, reopened]

jobs:
scan:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- name: Check out code
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
submodules: 'recursive'

- name: Build the Docker image
Comment on lines +14 to +21

Check failure: Code scanning / CodeQL

Checkout of untrusted code in trusted context (High)

Potential execution of untrusted code on a privileged workflow (pull_request_target)
uses: docker/build-push-action@v5
with:
context: .
push: false
load: true
tags: pr_image:${{ github.sha }}
Comment on lines +3 to +27

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cd /tmp && find . -name "pr-scan.yml" 2>/dev/null || echo "Not in /tmp, checking repo"

Repository: appwrite/docker-base

Length of output: 46


🏁 Script executed:

find . -name "pr-scan.yml" -type f 2>/dev/null

Repository: appwrite/docker-base

Length of output: 95


🏁 Script executed:

cat -n .github/workflows/pr-scan.yml 2>/dev/null || echo "File not found, listing directory"

Repository: appwrite/docker-base

Length of output: 4676


🏁 Script executed:

ls -la .github/workflows/ 2>/dev/null || echo "No workflows directory"

Repository: appwrite/docker-base

Length of output: 363


Do not run untrusted PR code under pull_request_target.

This workflow checks out github.event.pull_request.head.sha and then builds the PR's Dockerfile while holding a token that can write PR comments. On forked PRs, that gives attacker-controlled build steps a privileged execution path. The safer pattern is an unprivileged pull_request scan workflow plus a separate privileged workflow that only posts the already-generated results.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-scan.yml around lines 3 - 27, the workflow is
dangerously using pull_request_target and checking out
github.event.pull_request.head.sha to build untrusted PR code with write
permissions; change the trigger from pull_request_target to pull_request (or
another unprivileged trigger) for the scan job, remove/limit write permissions
(set permissions.contents: read only), and keep the Docker build step (the step
using docker/build-push-action@v5 and tag pr_image:${{ github.sha }}) inside
that unprivileged scan job; if you still need to post results, create a separate
privileged workflow/job that runs on pull_request_target which only consumes an
artifact produced by the unprivileged scan job and posts comments (do not re-run
or build PR code in the privileged context).


- name: Run Trivy vulnerability scanner on image
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'pr_image:${{ github.sha }}'
format: 'json'
output: 'trivy-image-results.json'
severity: 'CRITICAL,HIGH'

- name: Run Trivy vulnerability scanner on source code
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'fs'
scan-ref: '.'
format: 'json'
output: 'trivy-fs-results.json'
severity: 'CRITICAL,HIGH'

- name: Process Trivy scan results
id: process-results
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
let commentBody = '## Security Scan Results for PR\n\n';

function processResults(results, title) {
let sectionBody = `### ${title}\n\n`;
if (results.Results && results.Results.some(result => result.Vulnerabilities && result.Vulnerabilities.length > 0)) {
sectionBody += '| Package | Version | Vulnerability | Severity |\n';
sectionBody += '|---------|---------|----------------|----------|\n';

const uniqueVulns = new Set();
results.Results.forEach(result => {
if (result.Vulnerabilities) {
result.Vulnerabilities.forEach(vuln => {
const vulnKey = `${vuln.PkgName}-${vuln.InstalledVersion}-${vuln.VulnerabilityID}`;
if (!uniqueVulns.has(vulnKey)) {
uniqueVulns.add(vulnKey);
sectionBody += `| ${vuln.PkgName} | ${vuln.InstalledVersion} | [${vuln.VulnerabilityID}](https://nvd.nist.gov/vuln/detail/${vuln.VulnerabilityID}) | ${vuln.Severity} |\n`;
}
});
}
});
} else {
sectionBody += '🎉 No vulnerabilities found!\n';
}
return sectionBody;
}

try {
const imageResults = JSON.parse(fs.readFileSync('trivy-image-results.json', 'utf8'));
const fsResults = JSON.parse(fs.readFileSync('trivy-fs-results.json', 'utf8'));

commentBody += processResults(imageResults, "Docker Image Scan Results");
commentBody += '\n';
commentBody += processResults(fsResults, "Source Code Scan Results");

} catch (error) {
commentBody += `There was an error while running the security scan: ${error.message}\n`;
commentBody += 'Please contact the core team for assistance.';
}

core.setOutput('comment-body', commentBody);
- name: Find Comment
uses: peter-evans/find-comment@v3
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: Security Scan Results for PR

- name: Create or update comment
uses: peter-evans/create-or-update-comment@v3
with:
issue-number: ${{ github.event.pull_request.number }}
comment-id: ${{ steps.fc.outputs.comment-id }}
body: ${{ steps.process-results.outputs.comment-body }}
edit-mode: replace
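Review bot: neither Trivy step sets `exit-code`, so CRITICAL/HIGH findings never fail the `scan` job; they only surface in the PR comment, which means this workflow reports but does not gate merges (if that is intended, say so in a comment; otherwise add `exit-code: '1'` to the image scan step). Two smaller points in the `Process Trivy scan results` script: the table cells interpolate `vuln.PkgName`, `vuln.InstalledVersion` and `vuln.Severity` without escaping `|`, so a value containing a pipe breaks the Markdown table, and the link `https://nvd.nist.gov/vuln/detail/${vuln.VulnerabilityID}` assumes every identifier is a CVE, which the `fs` scan does not guarantee. Finally, every action here is pinned by tag (`@v4`, `@v5`, `@0.20.0`, `@v7`, `@v3`) rather than by commit SHA, which matters more than usual in a job that runs with `pull-requests: write`.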
Comment on lines +100 to +106

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

peter-evans/create-or-update-comment latest version GitHub Action

💡 Result:

Latest peter-evans/create-or-update-comment GitHub Action version is v5.0.0 (tag v5). [1]

Use:

  • Major tag (recommended for most workflows): peter-evans/create-or-update-comment@v5 [2]
  • Exact pin: peter-evans/create-or-update-comment@v5.0.0 [1]

Sources
[1] GitHub Releases – peter-evans/create-or-update-comment (shows latest release v5.0.0): (github.com)
[2] Repo README usage example (@v5): (github.com)


Update action to v5: peter-evans/create-or-update-comment@v5.

The action version @v3 is outdated. Update to the latest stable version @v5.

Suggested fix
     - name: Create or update comment
-      uses: peter-evans/create-or-update-comment@v3
+      uses: peter-evans/create-or-update-comment@v5
       with:
         issue-number: ${{ github.event.pull_request.number }}
🧰 Tools
🪛 actionlint (1.7.11)

[error] 92-92: the runner of "peter-evans/create-or-update-comment@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pull-request.yml around lines 91 - 97, update the GitHub
Action usage for the Create or update comment step by changing the action
reference string in the workflow from peter-evans/create-or-update-comment@v3 to
peter-evans/create-or-update-comment@v5 (the line containing "uses:
peter-evans/create-or-update-comment@v3"); leave the rest of the step inputs
(issue-number, comment-id, body, edit-mode) unchanged and ensure the workflow
YAML remains valid after the update.
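The two-workflow split that the review comment on `pull_request_target` recommends, written out as an added example; this is not the project's workflow and not part of this PR. The scan runs under `pull_request` with a read-only token and uploads its results as an artifact; a second workflow, triggered by `workflow_run`, is the only one holding `pull-requests: write` and never checks out or builds PR code. The build and Trivy inputs are the ones shown in the hunk; the file names, the artifact name `trivy-results`, the `pr-number.txt` hand-off and the summary comment format are assumptions. Both files are shown in one block, separated by `---`.

```yaml
# Added example (not the project's workflow): the unprivileged/privileged split.
# Two separate files; paths, artifact name and comment format are assumptions.
# --- .github/workflows/pr-scan.yml ----------------------------------------
name: PR Security Scan

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read          # no write scope anywhere in this workflow

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pull_request checks out the merge ref with a read-only token

      - name: Build the Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          load: true
          tags: pr_image:${{ github.sha }}

      - name: Run Trivy vulnerability scanner on image
        uses: aquasecurity/trivy-action@0.20.0
        with:
          image-ref: 'pr_image:${{ github.sha }}'
          format: 'json'
          output: 'trivy-image-results.json'
          severity: 'CRITICAL,HIGH'

      # Record which PR this run belongs to; the privileged workflow needs it.
      - run: echo "${{ github.event.pull_request.number }}" > pr-number.txt

      - uses: actions/upload-artifact@v4
        with:
          name: trivy-results
          path: |
            trivy-image-results.json
            pr-number.txt

---
# --- .github/workflows/pr-scan-comment.yml --------------------------------
# workflow_run always executes the workflow file from the default branch,
# so a PR cannot change what this privileged job does.
name: PR Security Scan Comment

on:
  workflow_run:
    workflows: ["PR Security Scan"]
    types: [completed]

permissions:
  pull-requests: write    # the only write scope, in a job that never touches PR code
  actions: read           # required to download another run's artifact

jobs:
  comment:
    if: github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      # Deliberately no checkout: nothing from the PR is fetched here.
      - uses: actions/download-artifact@v4
        with:
          name: trivy-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            // The artifact was produced by untrusted code: validate before use.
            const raw = fs.readFileSync('pr-number.txt', 'utf8').trim();
            if (!/^\d{1,7}$/.test(raw)) {
              core.setFailed(`unexpected PR number in artifact: ${JSON.stringify(raw)}`);
              return;
            }
            const results = JSON.parse(fs.readFileSync('trivy-image-results.json', 'utf8'));
            const count = (results.Results || [])
              .flatMap(r => r.Vulnerabilities || []).length;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: Number(raw),
              body: `## Security Scan Results for PR\n\n${count} CRITICAL/HIGH finding(s) in the image.`,
            });
```

The PR number and the JSON both come from an artifact that untrusted code produced, which is why the number is checked against a strict numeric pattern before it is used and why the results are only counted and rendered as a comment, never executed or passed to a shell. `actions: read` is needed because `download-artifact` is fetching an artifact from a different run.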

26 changes: 0 additions & 26 deletions .github/workflows/test.yml

This file was deleted.

2 changes: 1 addition & 1 deletion .github/workflows/trivy.yml
@@ -3,7 +3,7 @@
# separate terms of service, privacy policy, and support
# documentation.

name: trivy
name: Scheduled Trivy Vulnerability Scanning

on:
push:
3 changes: 3 additions & 0 deletions .gitignore
@@ -1 +1,4 @@
.idea
*.logs
NOTES*.md
trivy-*-results.json
2 changes: 1 addition & 1 deletion Dockerfile
@@ -79,7 +79,7 @@ RUN \
./configure && \
make && make install

## Maxminddb extension
## Maxminddb Extension
FROM compile AS maxmind
RUN \
git clone --depth 1 --branch $PHP_MAXMINDDB_VERSION https://github.com/maxmind/MaxMind-DB-Reader-php.git && \
65 changes: 40 additions & 25 deletions README.md
@@ -1,60 +1,75 @@
# Docker Base

[![Build Status](https://img.shields.io/travis/com/appwrite/docker-base?style=flat-square)](https://travis-ci.com/appwrite/docker-base)

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if there are any Travis CI configuration files in the repository
fd -t f '.travis.yml' || echo "No Travis CI config found"
# Check for GitHub Actions workflows
fd -t f -e yml -e yaml . .github/workflows/ 2>/dev/null || echo "No GitHub workflows directory"

Repository: appwrite/docker-base

Length of output: 163


🏁 Script executed:

head -n 5 README.md

Repository: appwrite/docker-base

Length of output: 479


Update CI badge to reflect current CI system.

The badge on line 3 references Travis CI (https://img.shields.io/travis/com/appwrite/docker-base), but the repository uses GitHub Actions (evidenced by workflows in .github/workflows/). Either update the badge to reference the GitHub Actions workflow or remove it entirely.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 3, the README CI badge points to Travis (the markdown
image URL https://img.shields.io/travis/com/appwrite/docker-base) but the repo
uses GitHub Actions; update the badge by replacing the Travis badge URL with a
GitHub Actions status badge for the appropriate workflow (or remove the badge
entirely). Locate the badge markdown in README.md and either swap the image/link
to the GitHub Actions badge for the correct workflow name (using the actions
badge format) or delete that badge line so it no longer references Travis CI.

[![Discord](https://img.shields.io/discord/564160730845151244?label=discord&style=flat-square)](https://appwrite.io/discord)
[![Docker Pulls](https://img.shields.io/docker/pulls/appwrite/base?color=f02e65&style=flat-square)](https://hub.docker.com/r/appwrite/base)
[![Build Status](https://img.shields.io/travis/com/appwrite/docker-base?style=flat-square)](https://travis-ci.com/appwrite/docker-base)
[![Twitter Account](https://img.shields.io/twitter/follow/appwrite?color=00acee&label=twitter&style=flat-square)](https://twitter.com/appwrite)
[![Follow Appwrite on StackShare](https://img.shields.io/badge/follow%20on-stackshare-blue?style=flat-square)](https://stackshare.io/appwrite)
[![Twitter Account](https://img.shields.io/twitter/follow/appwrite?color=00acee&label=twitter&style=flat-square)](https://twitter.com/appwrite)

[Appwrite](https://appwrite.io) base docker image with applications and extensions built and installed.

## Getting Started

These instructions will cover usage information to help your run Appwrite's base docker container.

⚠️ Potential issue | 🟡 Minor

Fix grammar typo: "help your run" → "help you run".

Suggested fix
-These instructions will cover usage information to help your run Appwrite's base docker container.
+These instructions will cover usage information to help you run Appwrite's base docker container.
🧰 Tools
🪛 LanguageTool

[grammar] ~13-~13: Ensure spelling is correct
Context: ...ns will cover usage information to help your run Appwrite's base docker container. ...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 13, the sentence "These instructions will cover usage
information to help your run Appwrite's base docker container." contains a
grammar typo; update the phrase "help your run" to "help you run" in the README
line so it reads "These instructions will cover usage information to help you
run Appwrite's base docker container." Reference the exact sentence in README.md
to locate and correct the typo.


### Prerequisites
### NOTE

In order to run this container you'll need docker installed.
* For example usage `latest` is stated in the commands. The Appwrite team recommends using pinned version releases outside of development.
* We use `Docker` but you may use any compatible container runtime in its place.

## Prerequisites

In order to run this container you'll need the Docker runtime installed.

**Docker**

* [Windows](https://docs.docker.com/windows/started)
* [OS X](https://docs.docker.com/mac/started/)
* [Linux](https://docs.docker.com/linux/started/)
* [OS X](https://docs.docker.com/mac/started/)
* [Windows](https://docs.docker.com/windows/started)

### Usage
* [Docker buildx](https://github.com/docker/buildx)

```shell
docker run appwrite/base
```
**Optional**

### Testing
* [GoogleContainerTools/container-structure-test](https://github.com/GoogleContainerTools/container-structure-test) for testing
* [Trivy](https://trivy.dev/) for CVE scanning

We use [Container Structure Test](https://github.com/GoogleContainerTools/container-structure-test) to run test for the docker image. In order to run test first install Container strucutre test using the following command.
## Build

```bash
curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 && chmod +x container-structure-test-linux-amd64 && sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test
Typical building.

```shell
docker buildx build --tag appwrite/base:latest .
```
Comment on lines +37 to 43

⚠️ Potential issue | 🟠 Major

The build command does not reliably produce the local image used below.

The later Scan/Test/Run/Push sections all assume appwrite/base:latest exists locally, but docker buildx build only guarantees that when the builder/output is configured accordingly. Adding --load here, or documenting the required builder driver, would make the instructions consistent.

Suggested doc fix
-docker buildx build --tag appwrite/base:latest .
+docker buildx build --load --tag appwrite/base:latest .
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 37 - 43, the "Build" section's command uses "docker
buildx build --tag appwrite/base:latest ." which does not guarantee the image is
loaded into the local Docker daemon; update the README's Build section to either
use "docker buildx build --load --tag appwrite/base:latest ." or replace with
"docker build --tag appwrite/base:latest ." and/or add a short note about
required builder driver configuration so subsequent Scan/Test/Run/Push steps
that reference the image "appwrite/base:latest" will find it locally.


### Run Test
Multi-arch building.

First build and tag the docker image and then run the test using the configuration file.
```shell
docker buildx build --platform linux/amd64,linux/arm64/v8,linux/ppc64le --push --tag appwrite/base:latest .
```

```bash
docker build -t appwrite-base-test .
container-structure-test test --config tests.yaml --image appwrite-base-test
## Scan

```shell
trivy image --format json --pkg-types os,library --severity CRITICAL,HIGH --output trivy-image-results.json appwrite/base:latest
```

### Build
## Test

```bash
docker build --tag appwrite/base:1.0.0 .

docker push appwrite/base:1.0.0
container-structure-test test --config tests.yaml --image appwrite/base:latest
```

Multi-arch build (using [buildx](https://github.com/docker/buildx)):
## Run

```shell
docker run appwrite/base:latest
```
docker buildx build --platform linux/amd64,linux/arm64/v8,linux/ppc64le --tag appwrite/base:1.0.0 --push .

## Push

```bash
docker push appwrite/base:latest
```

## Find Us
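Review bot: the "Multi-arch building" command (`docker buildx build --platform linux/amd64,linux/arm64/v8,linux/ppc64le --push --tag appwrite/base:latest .`) pushes the image to the registry before the Scan and Test sections have been run, and the document already has a separate Push section; drop `--push` from the build example, or move the multi-arch example under Push, so the documented order stays build, scan, test, push. The Scan section's `--severity CRITICAL,HIGH` matches the PR workflow, which keeps local and CI results comparable.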