diff --git a/.github/workflows/build-scan-push.yml b/.github/workflows/build-scan-push.yml
index 70b57bc..a5670e5 100644
--- a/.github/workflows/build-scan-push.yml
+++ b/.github/workflows/build-scan-push.yml
@@ -103,7 +103,7 @@ jobs:
 - name: Run Aqua Trivy scan
 id: trivy-scan
 if: ${{ matrix.target == 'production' }}
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
 with:
 input: image-${{ matrix.image.nodeVersion }}.tar
 scan-type: image
diff --git a/.github/workflows/nightly-scan.yml b/.github/workflows/nightly-scan.yml
index 2294917..5f14d40 100644
--- a/.github/workflows/nightly-scan.yml
+++ b/.github/workflows/nightly-scan.yml
@@ -40,7 +40,7 @@ jobs:
 - name: Run Aqua Trivy scan
 id: trivy-scan
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
 with:
 image-ref: defradigital/${{env.IMAGE_NAME}}:${{env.DEFRA_VERSION}}-node${{matrix.image.nodeVersion}}
 format: sarif
diff --git a/.grype.yaml b/.grype.yaml
index ca3173d..0402498 100644
--- a/.grype.yaml
+++ b/.grype.yaml
@@ -35,3 +35,9 @@ ignore:
 reason: "Node 24: tar patched but not yet available in Node.js base images"
 - vulnerability: CVE-2026-2673
 reason: "Alpine libcrypto: No fix available"
+ - vulnerability: GHSA-c2c7-rcm5-vvqj
+ reason: "Node 22: picomatch patched but not yet available in Node.js base images"
+ - vulnerability: GHSA-f886-m6hf-6m8v
+ reason: "Node 20: brace-expansion patched but not yet available in Node.js base images"
+ - vulnerability: GHSA-3v7f-55p6-f55p
+ reason: "Node 22: picomatch patched but not yet available in Node.js base images"
diff --git a/Dockerfile b/Dockerfile
index 4c7c788..c682ec8 100644
--- a/Dockerfile
+++ b/Dockerfile
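Review bot: The three ignore entries added to `.grype.yaml` match on advisory ID alone, so each one silences that advisory for every image in the matrix and for any package or path where Grype reports it, while the `reason` text names only one Node line (22 or 20) and one package. Scoping each rule to the package it is meant for keeps an unrelated future hit from being hidden, e.g. adding `package: {name: picomatch, type: npm}` under GHSA-c2c7-rcm5-vvqj and GHSA-3v7f-55p6-f55p, and the same with `name: brace-expansion` under GHSA-f886-m6hf-6m8v. The affected copies are presumably the ones bundled with npm in the base image; if so, a `location` glob would narrow the rule further. The entries also carry no removal trigger, so a comment such as `# remove once the Node 22 base image ships patched picomatch` would help stop them outliving the upstream fix. The `ignore:` list begins outside this hunk and the existing entries follow the same unscoped pattern.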
@@ -1,6 +1,6 @@
 # Set default values for build arguments
-ARG DEFRA_VERSION=3.0.4
-ARG BASE_VERSION=24.14.0-alpine3.23
+ARG DEFRA_VERSION=3.0.5
+ARG BASE_VERSION=24.14.1-alpine3.23
 FROM node:$BASE_VERSION AS production
diff --git a/JOB.env b/JOB.env
index f297853..6d8db91 100644
--- a/JOB.env
+++ b/JOB.env
@@ -1,2 +1,2 @@
-DEFRA_VERSION=3.0.4
+DEFRA_VERSION=3.0.5
 IMAGE_NAME=node
diff --git a/README.md b/README.md
index 3a569dd..8f1702e 100644
--- a/README.md
+++ b/README.md
@@ -14,9 +14,9 @@ The following table lists the versions of node available, and the parent Node.js
 | Node version | Parent image |
 | ------------- | ----------------- |
-| 20.20.1 | 20.20.1-alpine3.23 |
-| 22.22.1 | 22.22.1-alpine3.23 |
-| 24.14.0 | 24.14.0-alpine3.23 |
+| 20.20.2 | 20.20.2-alpine3.23 |
+| 22.22.2 | 22.22.2-alpine3.23 |
+| 24.14.1 | 24.14.1-alpine3.23 |
 Two parent images are created for each version:
diff --git a/image-matrix.json b/image-matrix.json
index 1617ef4..18cfbe1 100644
--- a/image-matrix.json
+++ b/image-matrix.json
@@ -1,5 +1,5 @@
 [
- {"nodeVersion": "20.20.1", "alpineVersion": "3.23", "tags": ["latest-20"]},
- {"nodeVersion": "22.22.1", "alpineVersion": "3.23", "tags": ["latest-22"]},
- {"nodeVersion": "24.14.0", "alpineVersion": "3.23", "tags": ["latest-24", "latest"]}
+ {"nodeVersion": "20.20.2", "alpineVersion": "3.23", "tags": ["latest-20"]},
+ {"nodeVersion": "22.22.2", "alpineVersion": "3.23", "tags": ["latest-22"]},
+ {"nodeVersion": "24.14.1", "alpineVersion": "3.23", "tags": ["latest-24", "latest"]}
 ]