feat: Security hardening (#16)

* Create trivy.yml

* remove old

* fix

* update docker image

* add pagopa-user

.github/workflows/pr-title.yml

@@ -10,11 +10,12 @@ on:
 jobs:
   main:
     name: Validate PR title
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # Please look up the latest version from
       # https://github.com/amannn/action-semantic-pull-request/releases
-      - uses: amannn/[email protected]
+      # from https://github.com/amannn/action-semantic-pull-request/commits/main
+      - uses: amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -52,4 +53,4 @@ jobs:
           validateSingleCommit: false
           # Related to `validateSingleCommit` you can opt-in to validate that the PR
           # title matches a single commit to avoid confusion.
-          validateSingleCommitMatchesPrTitle: false
+          validateSingleCommitMatchesPrTitle: false

.github/workflows/release.yml

@@ -15,19 +15,21 @@ on:
 jobs:
   release:
     name: Release
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v2
+        # from https://github.com/actions/checkout/commits/main
+        uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Release
         id: release
-        uses: cycjimmy/semantic-release-action@v2
+        # from https://github.com/cycjimmy/semantic-release-action/commits/main
+        uses: cycjimmy/semantic-release-action@bdd914ff2423e2792c73475f11e8da603182f32d
         with:
           semantic_version: 18.0.0
           extra_plugins: |
@@ -39,7 +41,8 @@ jobs:
       - name: Log in to the Container registry
         id: docker_login
         if: steps.release.outputs.new_release_published == 'true'
-        uses: docker/login-action@v2
+        # from https://github.com/docker/login-action/commits/master
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -48,7 +51,8 @@ jobs:
       - name: Build and push Docker image
         id: docker_build_push
         if: steps.release.outputs.new_release_published == 'true'
-        uses: docker/build-push-action@v3
+        # from https://github.com/docker/build-push-action/commits/master
+        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
         with:
           context: .
           push: true
@@ -57,4 +61,4 @@ jobs:
             ghcr.io/${{ github.repository }}:v${{ steps.release.outputs.new_release_version }}
           labels: |
             maintainer=https://pagopa.it
-            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}

.github/workflows/trivy.yml

@@ -0,0 +1,52 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Docker security scan
+
+on:
+  push:
+    branches: [ "main", "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main", "master" ]
+  schedule:
+    - cron: '00 07 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Build
+    runs-on: "ubuntu-22.04"
+    steps:
+      - name: Checkout code
+        # from https://github.com/actions/checkout/commits/main
+        uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        # from https://github.com/aquasecurity/trivy-action/commits/master
+        uses: aquasecurity/trivy-action@d63413b0a4a4482237085319f7f4a1ce99a8f2ac
+        with:
+          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          timeout: '10m0s'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        # from https://github.com/github/codeql-action/commits/main
+        uses: github/codeql-action/upload-sarif@f0a12816612c7306b485a22cb164feb43c6df818
+        with:
+          sarif_file: 'trivy-results.sarif'

Dockerfile

@@ -1,5 +1,5 @@
 # https://mcr.microsoft.com/v2/dotnet/sdk/tags/list
-FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS installer-env
+FROM mcr.microsoft.com/dotnet/sdk:6.0.402-alpine3.16@sha256:cfaf6935ad6ec66ae0be7af332523d21cc810d74120b21d95376ae9581090a09 AS installer-env
 
 COPY . /src/dotnet-function-app
 
@@ -8,11 +8,19 @@ RUN cd /src/dotnet-function-app && \
     dotnet publish *.csproj --output /home/site/wwwroot
 
 # https://mcr.microsoft.com/v2/azure-functions/dotnet/tags/list
-FROM mcr.microsoft.com/azure-functions/dotnet:4.9.1-slim@sha256:1642d5fa1472e012dfdf09150f7c0ac68c559751242c9c1e7096b635cc9b8021
+FROM mcr.microsoft.com/azure-functions/dotnet:4.11.3-slim@sha256:a3f3888209af3c9f21e87527aee35d1b938a72db4f47d0e2defa1e791f58ffb4
 
 RUN rm -rf /FuncExtensionBundles
 
 ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
     AzureFunctionsJobHost__Logging__Console__IsEnabled=true
 
 COPY --from=installer-env ["/home/site/wwwroot", "/home/site/wwwroot"]
+
+RUN useradd pagopa-user && \
+    mkdir -p /home/pagopa-user && \
+    chown -R pagopa-user:pagopa-user /home/pagopa-user
+
+USER pagopa-user
+
+RUN whoami