Resolved vunlerabilities (run was under root account; old image had CVEs)

maximmasiutin · maximmasiutin · commit 15442abffade · 2025-04-28T09:57:42.000+03:00
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1 @@
+*.sh text eol=lf
diff --git a/.github/workflows/trivy-analysis.yaml b/.github/workflows/trivy-analysis.yaml
@@ -0,0 +1,35 @@
+name: Trivy
+
+permissions:
+  contents: read
+  actions: read
+  security-events: write
+
+on:
+  pull_request:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+jobs:
+  build:
+    name: Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4.2.2
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@0.30.0
+        with:
+          scan-type: 'fs'
+          scanners: 'vuln,misconfig,secret'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3.28.16
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,25 @@
-FROM n0madic/alpine-gcc:9.2.0
-RUN apk add --quiet --no-cache libressl-dev 
+FROM frolvlad/alpine-gcc:latest
+RUN apk add --quiet --no-cache libressl-dev make
+
+# Create non-root user and group
+RUN addgroup -S appgroup && adduser -S appuser -G appgroup
+
 COPY ./*.h /opt/src/
 COPY ./*.c /opt/src/
 COPY Makefile /opt/src/
 COPY entrypoint.sh /
-#RUN apt-get install libssl-dev
+
 WORKDIR /opt/src
 RUN make
 RUN make OPENSSL=/usr/local/opt/openssl/include OPENSSL_LIB=-L/usr/local/opt/openssl/lib
 RUN ["chmod", "+x", "/entrypoint.sh"]
 RUN ["chmod", "+x", "/opt/src/jwtcrack"]
+
+# Change ownership to non-root user
+RUN chown -R appuser:appgroup /opt/src /entrypoint.sh
+
+USER appuser
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["/opt/src/jwtcrack", "--version"] || exit 1
+
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -1,2 +1,2 @@
-#!/bin/bash
+#!/bin/sh
 /opt/src/jwtcrack $@
diff --git a/main.c b/main.c
@@ -169,6 +169,11 @@ void usage(const char *cmd, const char *alphabet, const size_t max_len, const ch
 
 int main(int argc, char **argv) {
 
+	if (argc > 1 && strcmp(argv[1], "--version") == 0) {
+		printf("jwtcrack version 1.0.0\n");
+		return 0;
+	}
+
 	const EVP_MD *evp_md;
 	size_t max_len = 6;
 	

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-#!/bin/bash`
	`1`	`+#!/bin/sh`
`2`	`2`	`/opt/src/jwtcrack $@`