[dev] add trivy in task for testing image vulnerabilities

Author: ToshY

.github/workflows/security.yml

@@ -34,3 +34,4 @@ jobs:
         env:
           TRIVY_TIMEOUT: 5m
           TRIVY_IGNORE_UNFIXED: true
+          TRIVY_DISABLE_VEX_NOTICE: true

Dockerfile

@@ -8,12 +8,6 @@ COPY --from=ghcr.io/mlocati/php-extension-installer:2.8 /usr/bin/install-php-ext
 
 ENV COMPOSER_ALLOW_SUPERUSER=1
 
-RUN <<EOT sh
-  set -ex
-  apt-get update
-  apt-get install -y libexpat1=2.5.0-1+deb12u1 libgstreamer1.0-0=1.22.0-2+deb12u1
-EOT
-
 RUN <<EOT sh
   set -ex
   install-php-extensions mysqli \

Taskfile.yml

@@ -57,13 +57,33 @@ tasks:
   bake:
     desc: Bake
     vars:
-      PHP_VERSIONS: '{{ .pv | default "8.1.33,8.2.29,8.3.24,8.4.11"}}'
+      PHP_VERSIONS: '{{ .pv | default "8.1.33,8.2.29,8.3.25,8.4.12"}}'
     cmds:
       - PHP_VERSIONS={{.PHP_VERSIONS}} docker buildx bake --set *.platform=linux/amd64
 
   bake:print:
     desc: Bake print options without building
     vars:
-      PHP_VERSIONS: '{{ .pv | default "8.1.33,8.2.29,8.3.24,8.4.11"}}'
+      PHP_VERSIONS: '{{ .pv | default "8.1.33,8.2.29,8.3.25,8.4.12"}}'
     cmds:
       - PHP_VERSIONS={{.PHP_VERSIONS}} docker buildx bake --print | $JQ
+
+  # trivy
+  trivy:
+    desc: Trivy
+    vars:
+      TRIVY_VERSION: '{{ .tv | default "latest" }}'
+      PHP_BASE: '{{ .pv | default "8.4.12-fpm-bookworm"}}'
+      TARGET: '{{ .t | default "ffmpeg" }}'
+    cmds:
+      - |
+        docker build \
+        --build-context php-base=docker-image://php:8.4.12-fpm-bookworm \
+        --target {{.TARGET}} \
+        -t toshy/trivy:{{.PHP_BASE}} .
+      - |
+        docker run \
+        -v /var/run/docker.sock:/var/run/docker.sock \
+        aquasec/trivy:{{.TRIVY_VERSION}} image \
+        --ignore-unfixed --severity CRITICAL,HIGH --exit-code 1 \
+        toshy/trivy:{{.PHP_BASE}}