diff --git a/Dockerfile b/Dockerfile
index 3d7eb4b..562cd42 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,14 +8,16 @@
 #
 # Secrets via env: GITHUB_TOKEN, SLACK_WEBHOOK_URL or SLACK_BOT_TOKEN+SLACK_CHANNEL_ID
-FROM python:3.12-slim AS base
+FROM python:3.14-slim AS base
 # Pin scanner versions so "new vs resolved" diffs aren't polluted by upstream churn.
-ARG OSV_SCANNER_VERSION=1.9.2
-ARG GITLEAKS_VERSION=8.21.2
-ARG SEMGREP_VERSION=1.97.0
-ARG TRIVY_VERSION=0.70.0
-ARG TRUFFLEHOG_VERSION=3.95.3
+# When bumping, prefer the most recent stable release: each rebuild against a newer
+# Go toolchain is what closes the stdlib CVEs Docker Scout flags inside our binaries.
+ARG OSV_SCANNER_VERSION=2.3.8
+ARG GITLEAKS_VERSION=8.30.1
+ARG SEMGREP_VERSION=1.164.0
+ARG TRIVY_VERSION=0.71.0
+ARG TRUFFLEHOG_VERSION=3.95.5
 ARG SYFT_VERSION=1.44.0
 ENV PYTHONDONTWRITEBYTECODE=1 \
@@ -62,11 +64,14 @@ RUN set -eux; \
 gitleaks version
 # --- semgrep (pip — official channel) -------------------------------------
-# python:3.12-slim no longer ships setuptools, and semgrep's transitive
+# Upgrade pip/wheel/setuptools together so Scout doesn't catch a stale wheel
+# left behind from `ensurepip` bundling.
+# python:3.13-slim no longer ships setuptools, and semgrep's transitive
 # opentelemetry-instrumentation dep imports `pkg_resources` (provided by
 # setuptools). Pin setuptools < 80 because newer setuptools dropped the
 # bundled `pkg_resources` module.
-RUN pip install --no-cache-dir "setuptools>=70,<80" "semgrep==${SEMGREP_VERSION}" \
+RUN pip install --no-cache-dir --upgrade pip wheel "setuptools>=70,<80" \
+ && pip install --no-cache-dir "semgrep==${SEMGREP_VERSION}" \
 && semgrep --version
 # --- trivy (Aqua) — vuln + secret + iac + license, all in one ------------
diff --git a/SECURITY-SCAN-MANIFEST.yaml b/SECURITY-SCAN-MANIFEST.yaml
index dfc448f..c16ac8e 100644
--- a/SECURITY-SCAN-MANIFEST.yaml
+++ b/SECURITY-SCAN-MANIFEST.yaml
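Review bot: `FROM python:3.14-slim AS base` is still a floating tag, so the base layers can change between rebuilds with no change to this file, which undercuts the pinning rationale stated in the comment right below it and makes Scout results hard to reproduce. Pinning by digest keeps each base bump a deliberate, reviewable change: `FROM python:3.14-slim@sha256:<digest-of-the-reviewed-image> AS base`. The osv-scanner pin also crosses a major version (1.9.2 to 2.3.8). The download and invocation steps are outside this hunk, so it is worth confirming that the release asset name, any checksum verification, and the CLI arguments and output parsing still match the new release.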
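Review bot: Splitting the install into two `pip install` calls takes the `setuptools>=70,<80` bound out of the resolve that installs semgrep, so a transitive requirement could replace setuptools with a release that no longer bundles `pkg_resources` instead of failing the build at the resolver. Repeating the bound in the second command keeps it enforced: `&& pip install --no-cache-dir "setuptools>=70,<80" "semgrep==${SEMGREP_VERSION}" \`. `pip` and `wheel` are upgraded without versions, which is at odds with the pinning policy stated near the top of the file; exact versions or a hashed constraints file would keep rebuilds reproducible. The added comment still names `python:3.13-slim` although the base in this commit is `python:3.14-slim`.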
@@ -27,13 +27,14 @@
 # Adding to this file in a new release is non-breaking. Removing fields is
 # breaking — skills must tolerate older manifests missing keys.
-version: "0.2.1"
+version: "0.2.2"
 config_schema_version: 2
 docker_image: "leverj/security-scan"
 released: "2026-06-02"
 # One-liners for the upgrade prompt the skill shows users.
 changelog:
+ - "0.2.2: CVE cleanup — bumped scanner pins (osv-scanner 2.3.8, gitleaks 8.30.1, trivy 0.71.0, trufflehog 3.95.5, semgrep 1.164.0) so each embeds a current Go stdlib; base bumped python:3.13-slim → python:3.14-slim; pip/wheel/setuptools upgraded together. Residual high-impact CVE (CVE-2025-68121 in Go 1.24.11) is inside gitleaks 8.30.1 — fix is upstream."
  - "0.2.1: hardened image — base bumped to python:3.12-slim with apt-get upgrade for current security patches; container now runs as non-root user 'scanner' (uid 1000); SBOM + SLSA provenance attestations now attached on publish."
  - "BREAKING (0.2.0): config moved from a single file to a directory (config/config.yaml). Bind-mount config/ at /config:ro."
  - "BREAKING (0.2.0): replaced parent_issue (int) with project.{owner,number} — findings file into a GitHub Projects v2 board, not as sub-issues."
diff --git a/pyproject.toml b/pyproject.toml
index 644e465..e84af6d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "security-scan"
-version = "0.2.1"
+version = "0.2.2"
 description = "Stateless single-repo security scanner; files findings into a GitHub Projects v2 board"
 requires-python = ">=3.11"
 dependencies = [
diff --git a/security_scan/__init__.py b/security_scan/__init__.py
index bc8bf6d..1a4d0f1 100644
--- a/security_scan/__init__.py
+++ b/security_scan/__init__.py
@@ -1,3 +1,3 @@
 """security_scan — stateless single-repo security scanner; files findings into a GitHub Projects v2 board."""
-__version__ = "0.2.1"
+__version__ = "0.2.2"