removing sast - updated dockerfile for best practies

2026-05-10 22:32:46 -05:00
parent 76ddfcca2f
commit bd9165311f
2 changed files with 18 additions and 16 deletions
@@ -8,27 +8,27 @@ on:
 jobs:
  build:
    runs-on: ubuntu-latest
-    permissions:  
-      contents: read          # Required to checkout and read repo files
-      security-events: write  # Required to upload SARIF files to Security tab
+    # permissions:  
+    #   contents: read          # Required to checkout and read repo files
+    #   security-events: write  # Required to upload SARIF files to Security tab

    steps:
      - name: Checkout
        uses: actions/checkout@v4

-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@v0.36.0
-        with:
-          scan-type: 'fs'
-          ignore-unfixed: true
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'CRITICAL,HIGH'
+      # - name: Run Trivy vulnerability scanner in repo mode
+      #   uses: aquasecurity/trivy-action@v0.36.0
+      #   with:
+      #     scan-type: 'fs'
+      #     ignore-unfixed: true
+      #     format: 'sarif'
+      #     output: 'trivy-results.sarif'
+      #     severity: 'CRITICAL,HIGH'

-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
-        with:
-          sarif_file: 'trivy-results.sarif'
+      # - name: Upload Trivy scan results to GitHub Security tab
+      #   uses: github/codeql-action/upload-sarif@v4
+      #   with:
+      #     sarif_file: 'trivy-results.sarif'

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
@@ -1,11 +1,13 @@
 FROM mcr.microsoft.com/powershell

+USER 1000:1000
+
 ENV SCHEDULE=60 
 ENV GLUETUNFORWARDEDPORTFILE="/tmp/forwarded_port"

 VOLUME /tmp

 WORKDIR /data
-ADD ["Start-QBTGluetunPortMgr.ps1", "/data/"]
+COPY ["Start-QBTGluetunPortMgr.ps1", "/data/"]

 ENTRYPOINT ["pwsh", "-Command", "/data/Start-QBTGluetunPortMgr.ps1"]