From 6551ea719c58a5954213c3017fa6f1a491953aaa Mon Sep 17 00:00:00 2001
From: Arunavo Ray
Date: Sun, 15 Jun 2025 13:48:58 +0530
Subject: [PATCH] fix: update Bun base image and enhance security scanning

- Update Bun from 1.2.14 to 1.2.18 to address CVE-2025-22874
- Pin Trivy action to stable version (0.28.0)
- Add SARIF output for GitHub Security tab integration
- Set ignore-unfixed to false for comprehensive vulnerability detection
- Add security-events permission for uploading scan results
- Include fallback table output on scan failures
---
 .github/workflows/docker-scan.yml | 25 ++++++++++++++++++++++---
 Dockerfile                        |  2 +-
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
index 6aa713c..0e22b62 100644
--- a/.github/workflows/docker-scan.yml
+++ b/.github/workflows/docker-scan.yml
@@ -21,6 +21,7 @@ on:
 permissions:
   contents: read
   actions: read
+  security-events: write
 
 jobs:
   scan:
@@ -47,11 +48,29 @@ jobs:
           no-cache: true
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: gitea-mirror:scan
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: '1'
+          ignore-unfixed: false
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Run Trivy vulnerability scanner (table output)
+        uses: aquasecurity/trivy-action@0.28.0
+        if: failure()
         with:
           image-ref: gitea-mirror:scan
           format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
+          exit-code: '0'
+          ignore-unfixed: false
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH'
diff --git a/Dockerfile b/Dockerfile
index bc62327..a58fc43 100644
--- a/Dockerfile
+++ b/Dockerfile
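Review bot: The new `uses:` references on the Trivy and upload-sarif steps are still mutable tags (`@0.28.0`, `@v3`), so the "pin" in the commit message does not give the supply-chain protection it implies for a job that now holds `security-events: write`; pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # 0.28.0` and `uses: github/codeql-action/upload-sarif@<full-commit-sha>  # v3`. Because `severity: 'CRITICAL,HIGH'` is also applied to the SARIF run, only those two severities ever reach the Security tab, which may be intended but deserves a comment on that step. The `if: always()` on the upload step and `if: failure()` on the table step also fire when the earlier image build fails, so the job then errors on a missing `trivy-results.sarif` and rescans an image that was never built; giving the SARIF scan an `id:` and gating the upload on `if: ${{ !cancelled() && steps.<id>.outcome != 'skipped' }}` and the table rerun on `if: ${{ !cancelled() && steps.<id>.outcome == 'failure' }}` keeps the fallback tied to the scan itself. The job's `steps:` list begins before this hunk.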
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1.4
-FROM oven/bun:1.2.14-alpine AS base
+FROM oven/bun:1.2.18-alpine AS base
 WORKDIR /app
 RUN apk add --no-cache libc6-compat python3 make g++ gcc wget sqlite openssl