added security checks with snyk

Author: fabiocicerchia

.github/workflows/main.yml

@@ -24,6 +24,12 @@ jobs:
       - name: Test images
         run: ./test/test.sh alpine
 
+      - name: Security Check
+        run: |
+            npm install -g snyk
+            snyk auth $SNYK_AUTH_TOKEN
+            ./test/security.sh alpine
+
       - name: Log into registry
         run: echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login  -u ${{ github.actor }} --password-stdin
         if: github.ref == 'refs/heads/master'
@@ -43,6 +49,12 @@ jobs:
       - name: Test images
         run: ./test/test.sh amazonlinux
 
+      - name: Security Check
+        run: |
+            npm install -g snyk
+            snyk auth $SNYK_AUTH_TOKEN
+            ./test/security.sh amazonlinux
+
       - name: Log into registry
         run: echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login  -u ${{ github.actor }} --password-stdin
         if: github.ref == 'refs/heads/master'
@@ -62,6 +74,12 @@ jobs:
       - name: Test images
         run: ./test/test.sh centos
 
+      - name: Security Check
+        run: |
+            npm install -g snyk
+            snyk auth $SNYK_AUTH_TOKEN
+            ./test/security.sh centos
+
       - name: Log into registry
         run: echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login  -u ${{ github.actor }} --password-stdin
         if: github.ref == 'refs/heads/master'
@@ -81,6 +99,12 @@ jobs:
       - name: Test images
         run: ./test/test.sh debian
 
+      - name: Security Check
+        run: |
+            npm install -g snyk
+            snyk auth $SNYK_AUTH_TOKEN
+            ./test/security.sh debian
+
       - name: Log into registry
         run: echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login  -u ${{ github.actor }} --password-stdin
         if: github.ref == 'refs/heads/master'
@@ -100,6 +124,12 @@ jobs:
       - name: Test images
         run: ./test/test.sh fedora
 
+      - name: Security Check
+        run: |
+            npm install -g snyk
+            snyk auth $SNYK_AUTH_TOKEN
+            ./test/security.sh fedora
+
       - name: Log into registry
         run: echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login  -u ${{ github.actor }} --password-stdin
         if: github.ref == 'refs/heads/master'
@@ -119,6 +149,12 @@ jobs:
       - name: Test images
         run: ./test/test.sh ubuntu
 
+      - name: Security Check
+        run: |
+            npm install -g snyk
+            snyk auth $SNYK_AUTH_TOKEN
+            ./test/security.sh ubuntu
+
       - name: Log into registry
         run: echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login  -u ${{ github.actor }} --password-stdin
         if: github.ref == 'refs/heads/master'

nginx/1.17.10/alpine/3.10.5/Dockerfile

@@ -49,45 +49,45 @@ RUN set -x \
    && apk add --no-cache \
       geoip-dev \
       openssl-dev \
-      pcre-dev \
+      pcre3-dev \
       zlib-dev \
    && apk add --no-cache --virtual .build-deps \
+      curl \
       g++ \
       gzip \
       make \
       tar \
-      wget \
 # OpenResty LUAJIT2
 # ##############################################################################
-   && wget https://github.com/openresty/luajit2/archive/v${VER_LUAJIT}.tar.gz -O /luajit.tar.gz \
+   && curl -Lo /luajit.tar.gz https://github.com/openresty/luajit2/archive/v${VER_LUAJIT}.tar.gz \
       && tar xvzf /luajit.tar.gz && rm /luajit.tar.gz \
       && cd /luajit2-${VER_LUAJIT} \
       && make -j $(nproc) \
       && make install \
       && cd / \
 # LUA Resty Core
 # ##############################################################################
-   && wget https://github.com/openresty/lua-resty-core/archive/v${VER_LUA_RESTY_CORE}.tar.gz -O /lua-resty-core.tar.gz \
+   && curl -Lo /lua-resty-core.tar.gz https://github.com/openresty/lua-resty-core/archive/v${VER_LUA_RESTY_CORE}.tar.gz \
       && tar xvzf /lua-resty-core.tar.gz && rm /lua-resty-core.tar.gz \
       && cd /lua-resty-core-${VER_LUA_RESTY_CORE} \
       && make -j $(nproc) \
       && make install \
       && cd / \
 # LUA Resty LRUCache
 # ##############################################################################
-   && wget https://github.com/openresty/lua-resty-lrucache/archive/v${VER_LUA_RESTY_LRUCACHE}.tar.gz -O /lua-resty-lrucache.tar.gz \
+   && curl -Lo /lua-resty-lrucache.tar.gz https://github.com/openresty/lua-resty-lrucache/archive/v${VER_LUA_RESTY_LRUCACHE}.tar.gz \
       && tar xvzf /lua-resty-lrucache.tar.gz && rm /lua-resty-lrucache.tar.gz \
       && cd /lua-resty-lrucache-${VER_LUA_RESTY_LRUCACHE} \
       && make -j $(nproc) \
       && make install \
       && cd / \
 # NGX Devel Kit
 # ##############################################################################
-   && wget https://github.com/vision5/ngx_devel_kit/archive/v${VER_NGX_DEVEL_KIT}.tar.gz -O /ngx_devel_kit.tar.gz \
+   && curl -Lo /ngx_devel_kit.tar.gz https://github.com/vision5/ngx_devel_kit/archive/v${VER_NGX_DEVEL_KIT}.tar.gz \
       && tar xvzf /ngx_devel_kit.tar.gz && rm /ngx_devel_kit.tar.gz \
 # Lua Nginx Module
 # ##############################################################################
-   && wget https://github.com/openresty/lua-nginx-module/archive/v${VER_LUA_NGINX_MODULE}.tar.gz -O /lua-nginx.tar.gz \
+   && curl -Lo /lua-nginx.tar.gz https://github.com/openresty/lua-nginx-module/archive/v${VER_LUA_NGINX_MODULE}.tar.gz \
       && tar xvzf /lua-nginx.tar.gz && rm /lua-nginx.tar.gz \
 # NGINX
 # ##############################################################################
@@ -110,10 +110,10 @@ RUN set -x \
             make \
             mercurial \
             openssl-dev \
-            pcre-dev \
+            pcre3-dev \
             perl-dev \
             zlib-dev \
-      && wget https://nginx.org/download/nginx-${VER_NGINX}.tar.gz -O /nginx.tar.gz \
+      && curl -Lo /nginx.tar.gz https://nginx.org/download/nginx-${VER_NGINX}.tar.gz \
       && tar xvzf /nginx.tar.gz && rm /nginx.tar.gz \
       && cd /nginx-${VER_NGINX} \
       && mkdir -p /var/cache/nginx/client_temp \

nginx/1.17.10/alpine/3.11.6/Dockerfile

@@ -49,45 +49,45 @@ RUN set -x \
    && apk add --no-cache \
       geoip-dev \
       openssl-dev \
-      pcre-dev \
+      pcre3-dev \
       zlib-dev \
    && apk add --no-cache --virtual .build-deps \
+      curl \
       g++ \
       gzip \
       make \
       tar \
-      wget \
 # OpenResty LUAJIT2
 # ##############################################################################
-   && wget https://github.com/openresty/luajit2/archive/v${VER_LUAJIT}.tar.gz -O /luajit.tar.gz \
+   && curl -Lo /luajit.tar.gz https://github.com/openresty/luajit2/archive/v${VER_LUAJIT}.tar.gz \
       && tar xvzf /luajit.tar.gz && rm /luajit.tar.gz \
       && cd /luajit2-${VER_LUAJIT} \
       && make -j $(nproc) \
       && make install \
       && cd / \
 # LUA Resty Core
 # ##############################################################################
-   && wget https://github.com/openresty/lua-resty-core/archive/v${VER_LUA_RESTY_CORE}.tar.gz -O /lua-resty-core.tar.gz \
+   && curl -Lo /lua-resty-core.tar.gz https://github.com/openresty/lua-resty-core/archive/v${VER_LUA_RESTY_CORE}.tar.gz \
       && tar xvzf /lua-resty-core.tar.gz && rm /lua-resty-core.tar.gz \
       && cd /lua-resty-core-${VER_LUA_RESTY_CORE} \
       && make -j $(nproc) \
       && make install \
       && cd / \
 # LUA Resty LRUCache
 # ##############################################################################
-   && wget https://github.com/openresty/lua-resty-lrucache/archive/v${VER_LUA_RESTY_LRUCACHE}.tar.gz -O /lua-resty-lrucache.tar.gz \
+   && curl -Lo /lua-resty-lrucache.tar.gz https://github.com/openresty/lua-resty-lrucache/archive/v${VER_LUA_RESTY_LRUCACHE}.tar.gz \
       && tar xvzf /lua-resty-lrucache.tar.gz && rm /lua-resty-lrucache.tar.gz \
       && cd /lua-resty-lrucache-${VER_LUA_RESTY_LRUCACHE} \
       && make -j $(nproc) \
       && make install \
       && cd / \
 # NGX Devel Kit
 # ##############################################################################
-   && wget https://github.com/vision5/ngx_devel_kit/archive/v${VER_NGX_DEVEL_KIT}.tar.gz -O /ngx_devel_kit.tar.gz \
+   && curl -Lo /ngx_devel_kit.tar.gz https://github.com/vision5/ngx_devel_kit/archive/v${VER_NGX_DEVEL_KIT}.tar.gz \
       && tar xvzf /ngx_devel_kit.tar.gz && rm /ngx_devel_kit.tar.gz \
 # Lua Nginx Module
 # ##############################################################################
-   && wget https://github.com/openresty/lua-nginx-module/archive/v${VER_LUA_NGINX_MODULE}.tar.gz -O /lua-nginx.tar.gz \
+   && curl -Lo /lua-nginx.tar.gz https://github.com/openresty/lua-nginx-module/archive/v${VER_LUA_NGINX_MODULE}.tar.gz \
       && tar xvzf /lua-nginx.tar.gz && rm /lua-nginx.tar.gz \
 # NGINX
 # ##############################################################################
@@ -110,10 +110,10 @@ RUN set -x \
             make \
             mercurial \
             openssl-dev \
-            pcre-dev \
+            pcre3-dev \
             perl-dev \
             zlib-dev \
-      && wget https://nginx.org/download/nginx-${VER_NGINX}.tar.gz -O /nginx.tar.gz \
+      && curl -Lo /nginx.tar.gz https://nginx.org/download/nginx-${VER_NGINX}.tar.gz \
       && tar xvzf /nginx.tar.gz && rm /nginx.tar.gz \
       && cd /nginx-${VER_NGINX} \
       && mkdir -p /var/cache/nginx/client_temp \

nginx/1.17.10/alpine/3.12.0/Dockerfile

@@ -49,45 +49,45 @@ RUN set -x \
    && apk add --no-cache \
       geoip-dev \
       openssl-dev \
-      pcre-dev \
+      pcre3-dev \
       zlib-dev \
    && apk add --no-cache --virtual .build-deps \
+      curl \
       g++ \
       gzip \
       make \
       tar \
-      wget \
 # OpenResty LUAJIT2
 # ##############################################################################
-   && wget https://github.com/openresty/luajit2/archive/v${VER_LUAJIT}.tar.gz -O /luajit.tar.gz \
+   && curl -Lo /luajit.tar.gz https://github.com/openresty/luajit2/archive/v${VER_LUAJIT}.tar.gz \
       && tar xvzf /luajit.tar.gz && rm /luajit.tar.gz \
       && cd /luajit2-${VER_LUAJIT} \
       && make -j $(nproc) \
       && make install \
       && cd / \
 # LUA Resty Core
 # ##############################################################################
-   && wget https://github.com/openresty/lua-resty-core/archive/v${VER_LUA_RESTY_CORE}.tar.gz -O /lua-resty-core.tar.gz \
+   && curl -Lo /lua-resty-core.tar.gz https://github.com/openresty/lua-resty-core/archive/v${VER_LUA_RESTY_CORE}.tar.gz \
       && tar xvzf /lua-resty-core.tar.gz && rm /lua-resty-core.tar.gz \
       && cd /lua-resty-core-${VER_LUA_RESTY_CORE} \
       && make -j $(nproc) \
       && make install \
       && cd / \
 # LUA Resty LRUCache
 # ##############################################################################
-   && wget https://github.com/openresty/lua-resty-lrucache/archive/v${VER_LUA_RESTY_LRUCACHE}.tar.gz -O /lua-resty-lrucache.tar.gz \
+   && curl -Lo /lua-resty-lrucache.tar.gz https://github.com/openresty/lua-resty-lrucache/archive/v${VER_LUA_RESTY_LRUCACHE}.tar.gz \
       && tar xvzf /lua-resty-lrucache.tar.gz && rm /lua-resty-lrucache.tar.gz \
       && cd /lua-resty-lrucache-${VER_LUA_RESTY_LRUCACHE} \
       && make -j $(nproc) \
       && make install \
       && cd / \
 # NGX Devel Kit
 # ##############################################################################
-   && wget https://github.com/vision5/ngx_devel_kit/archive/v${VER_NGX_DEVEL_KIT}.tar.gz -O /ngx_devel_kit.tar.gz \
+   && curl -Lo /ngx_devel_kit.tar.gz https://github.com/vision5/ngx_devel_kit/archive/v${VER_NGX_DEVEL_KIT}.tar.gz \
       && tar xvzf /ngx_devel_kit.tar.gz && rm /ngx_devel_kit.tar.gz \
 # Lua Nginx Module
 # ##############################################################################
-   && wget https://github.com/openresty/lua-nginx-module/archive/v${VER_LUA_NGINX_MODULE}.tar.gz -O /lua-nginx.tar.gz \
+   && curl -Lo /lua-nginx.tar.gz https://github.com/openresty/lua-nginx-module/archive/v${VER_LUA_NGINX_MODULE}.tar.gz \
       && tar xvzf /lua-nginx.tar.gz && rm /lua-nginx.tar.gz \
 # NGINX
 # ##############################################################################
@@ -110,10 +110,10 @@ RUN set -x \
             make \
             mercurial \
             openssl-dev \
-            pcre-dev \
+            pcre3-dev \
             perl-dev \
             zlib-dev \
-      && wget https://nginx.org/download/nginx-${VER_NGINX}.tar.gz -O /nginx.tar.gz \
+      && curl -Lo /nginx.tar.gz https://nginx.org/download/nginx-${VER_NGINX}.tar.gz \
       && tar xvzf /nginx.tar.gz && rm /nginx.tar.gz \
       && cd /nginx-${VER_NGINX} \
       && mkdir -p /var/cache/nginx/client_temp \

nginx/1.17.10/amazonlinux/2.0.20200406.0/Dockerfile

@@ -50,56 +50,55 @@ RUN set -x \
       GeoIP-devel \
       ca-certificates \
       openssl-devel \
-      pcre-devel \
+      pcre3-devel \
       zlib-devel \
       shadow-utils \
    && yum install -y \
       gcc-c++ \
       gzip \
       make \
       tar \
-      wget \
 # OpenResty LUAJIT2
 # ##############################################################################
-   && wget https://github.com/openresty/luajit2/archive/v${VER_LUAJIT}.tar.gz -O /luajit.tar.gz \
+   && curl -Lo /luajit.tar.gz https://github.com/openresty/luajit2/archive/v${VER_LUAJIT}.tar.gz \
       && tar xvzf /luajit.tar.gz && rm /luajit.tar.gz \
       && cd /luajit2-${VER_LUAJIT} \
       && make -j $(nproc) \
       && make install \
       && cd / \
 # LUA Resty Core
 # ##############################################################################
-   && wget https://github.com/openresty/lua-resty-core/archive/v${VER_LUA_RESTY_CORE}.tar.gz -O /lua-resty-core.tar.gz \
+   && curl -Lo /lua-resty-core.tar.gz https://github.com/openresty/lua-resty-core/archive/v${VER_LUA_RESTY_CORE}.tar.gz \
       && tar xvzf /lua-resty-core.tar.gz && rm /lua-resty-core.tar.gz \
       && cd /lua-resty-core-${VER_LUA_RESTY_CORE} \
       && make -j $(nproc) \
       && make install \
       && cd / \
 # LUA Resty LRUCache
 # ##############################################################################
-   && wget https://github.com/openresty/lua-resty-lrucache/archive/v${VER_LUA_RESTY_LRUCACHE}.tar.gz -O /lua-resty-lrucache.tar.gz \
+   && curl -Lo /lua-resty-lrucache.tar.gz https://github.com/openresty/lua-resty-lrucache/archive/v${VER_LUA_RESTY_LRUCACHE}.tar.gz \
       && tar xvzf /lua-resty-lrucache.tar.gz && rm /lua-resty-lrucache.tar.gz \
       && cd /lua-resty-lrucache-${VER_LUA_RESTY_LRUCACHE} \
       && make -j $(nproc) \
       && make install \
       && cd / \
 # NGX Devel Kit
 # ##############################################################################
-   && wget https://github.com/vision5/ngx_devel_kit/archive/v${VER_NGX_DEVEL_KIT}.tar.gz -O /ngx_devel_kit.tar.gz \
+   && curl -Lo /ngx_devel_kit.tar.gz https://github.com/vision5/ngx_devel_kit/archive/v${VER_NGX_DEVEL_KIT}.tar.gz \
       && tar xvzf /ngx_devel_kit.tar.gz && rm /ngx_devel_kit.tar.gz \
 # Lua Nginx Module
 # ##############################################################################
-   && wget https://github.com/openresty/lua-nginx-module/archive/v${VER_LUA_NGINX_MODULE}.tar.gz -O /lua-nginx.tar.gz \
+   && curl -Lo /lua-nginx.tar.gz https://github.com/openresty/lua-nginx-module/archive/v${VER_LUA_NGINX_MODULE}.tar.gz \
       && tar xvzf /lua-nginx.tar.gz && rm /lua-nginx.tar.gz \
 # NGINX
 # ##############################################################################
 # create nginx user/group first, to be consistent throughout docker variants
-   && addgroup -g 1001 -S nginx \
+   && groupadd -g 1001 -S nginx \
    && adduser -S -D -H -u 1001 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \
    && yum makecache \
 # we're on an architecture upstream doesn't officially build for
 # let's build binaries from the published packaging sources
-      && wget https://nginx.org/download/nginx-${VER_NGINX}.tar.gz -O /nginx.tar.gz \
+      && curl -Lo /nginx.tar.gz https://nginx.org/download/nginx-${VER_NGINX}.tar.gz \
       && tar xvzf /nginx.tar.gz && rm /nginx.tar.gz \
       && cd /nginx-${VER_NGINX} \
       && mkdir -p /var/cache/nginx/client_temp \
@@ -177,13 +176,11 @@ RUN set -x \
       gzip \
       make \
       tar \
-      wget \
    || rpm -e --nodeps \
       gcc-c++ \
       gzip \
       make \
-      tar \
-      wget
+      tar
 
 HEALTHCHECK --interval=30s --timeout=3s CMD curl --fail http://localhost/ || exit 1