Resolved vulnerabilities (run was under root account; old image had CVEs)

.gitattributes

@@ -0,0 +1 @@
+*.sh text eol=lf

.github/workflows/trivy-analysis.yaml

@@ -0,0 +1,49 @@
+name: Trivy Analysis
+
+permissions:
+  contents: read
+  actions: read
+  security-events: write
+
+on:
+  pull_request:
+  workflow_dispatch:
+  push:
+
+env:
+  SARIF_FILE: 'trivy-results.sarif'
+
+jobs:
+  build:
+    name: Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+
+      - name: Run Trivy vulnerability scanner on the cloned repository files
+        uses: aquasecurity/[email protected]
+        with:
+          version: 'v0.61.1'
+          scan-type: 'fs'
+          scanners: 'vuln,misconfig,secret,license'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: ${{ env.SARIF_FILE }}
+          severity: 'CRITICAL'
+
+      - name: Check Trivy scan results existence
+        run: |
+          if [ ! -f "${{ env.SARIF_FILE }}" ]; then
+            echo "Error: ${{ env.SARIF_FILE }} does not exist."
+            exit 1
+          fi
+          ls -lash ${{ env.SARIF_FILE }}
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/[email protected]
+        with:
+          sarif_file: ${{ env.SARIF_FILE }}
+
+
+

Dockerfile

@@ -1,13 +1,25 @@
-FROM n0madic/alpine-gcc:9.2.0
-RUN apk add --quiet --no-cache libressl-dev 
+FROM frolvlad/alpine-gcc:latest
+RUN apk add --quiet --no-cache libressl-dev make
+
+# Create non-root user and group
+RUN addgroup -S appgroup && adduser -S appuser -G appgroup
+
 COPY ./*.h /opt/src/
 COPY ./*.c /opt/src/
 COPY Makefile /opt/src/
 COPY entrypoint.sh /
-#RUN apt-get install libssl-dev
+
 WORKDIR /opt/src
 RUN make
 RUN make OPENSSL=/usr/local/opt/openssl/include OPENSSL_LIB=-L/usr/local/opt/openssl/lib
 RUN ["chmod", "+x", "/entrypoint.sh"]
 RUN ["chmod", "+x", "/opt/src/jwtcrack"]
+
+# Change ownership to non-root user
+RUN chown -R appuser:appgroup /opt/src /entrypoint.sh
+
+USER appuser
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["/opt/src/jwtcrack", "--version"] || exit 1
+
 ENTRYPOINT ["/entrypoint.sh"]

Makefile

@@ -3,7 +3,7 @@ CC	= gcc
 OPENSSL = /usr/include/openssl
 OPENSSL_LIB = -lssl
 
-CFLAGS	+= -I $(OPENSSL) -g -std=gnu99 -O3
+CFLAGS	+= -I $(OPENSSL) -g -std=gnu99 -O3 -march=native -mtune=native
 LDFLAGS	+= $(OPENSSL_LIB) -lcrypto -lpthread
 
 NAME	= jwtcrack

entrypoint.sh

@@ -1,2 +1,2 @@
-#!/bin/bash
+#!/bin/sh
 /opt/src/jwtcrack $@

main.c

@@ -169,6 +169,11 @@ void usage(const char *cmd, const char *alphabet, const size_t max_len, const ch
 
 int main(int argc, char **argv) {
 
+	if (argc > 1 && strcmp(argv[1], "--version") == 0) {
+		printf("jwtcrack version 1.0.0\n");
+		return 0;
+	}
+
 	const EVP_MD *evp_md;
 	size_t max_len = 6;