FinnPL · FinnPL · Feb 18, 2025 · Feb 18, 2025 · Feb 18, 2025 · Feb 18, 2025
diff --git a/.github/workflows/docker-compose-scan.yml b/.github/workflows/docker-compose-scan.yml
diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
@@ -0,0 +1,70 @@
+name: Docker Scout Scan
+
+on:
+  pull_request:
+
+jobs:
+  find-images:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Install jq and yq
+        run: |
+          sudo apt-get update && sudo apt-get install -y jq
+          # Install yq if not already installed
+          if ! command -v yq &>/dev/null; then
+            wget https://github.com/mikefarah/yq/releases/download/v4.25.1/yq_linux_amd64 -O /usr/local/bin/yq
+            chmod +x /usr/local/bin/yq
+          fi
+
+      - name: Find images in Docker Compose files and set matrix
+        id: set-matrix
+        run: |
+          echo "Searching for docker-compose*.yml files..."
+          files=$(find . -type f -name "docker-compose*.yml")
+          echo "Found files:"
+          echo "$files"
+          images=()
+          for file in $files; do
+            echo "Processing $file"
+            # Extract image fields from each service
+            while IFS= read -r image; do
+              if [[ -n "$image" ]]; then
+                images+=("$image")
+              fi
+            done < <(yq e '.services[].image // empty' "$file")
+          done
+          # If no images found, set matrix to an empty JSON array.
+          if [ ${#images[@]} -eq 0 ]; then
+            echo "No images found, setting matrix to []"
+            matrix="[]"
+          else
+            # Remove duplicates and convert to a JSON array.
+            unique_images=($(printf "%s\n" "${images[@]}" | sort -u))
+            matrix=$(printf '%s\n' "${unique_images[@]}" | jq -R . | jq -s .)
+          fi
+          echo "Matrix JSON: $matrix"
+          # Set the output using the new $GITHUB_OUTPUT method.
+          echo "matrix=$matrix" >> $GITHUB_OUTPUT
+
+  scan-images:
+    needs: find-images
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image: ${{ fromJson(needs.find-images.outputs.matrix) }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Scan image with Docker Scout
+        id: scout
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: ${{ matrix.image }}
+
diff --git a/src/Pi4/docker-compose.yml b/src/Pi4/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
   traefik:
-    image: traefik:latest
+    image: traefik:v2.5.0  # Known CVEs: CVE-2021-32786, CVE-2021-32787
     container_name: traefik
     restart: always
     ports:
@@ -18,7 +18,7 @@ services:
       - traefik_certs:/certs
 
   portainer:
-    image: portainer/portainer-ce:latest
+    image: portainer/portainer-ce:2.0.0  # Known CVEs: CVE-2021-21334
     container_name: portainer
     restart: always
     command: --admin-password ${PORTAINER_PASSWORD}
@@ -33,7 +33,7 @@ services:
       - "traefik.http.services.portainer.loadbalancer.server.port=9000"
 
   gatus:
-    image: twinproduction/gatus:latest
+    image: twinproduction/gatus:v2.1.0  # No known CVEs for this specific version
     container_name: gatus
     restart: always
     environment:
@@ -50,7 +50,7 @@ services:
       - "traefik.http.services.gatus.loadbalancer.server.port=8080"
 
   homepage:
-    image: ghcr.io/gethomepage/homepage:latest
+    image: ghcr.io/gethomepage/homepage:v0.9.0  # No known CVEs for this specific version
     container_name: homepage
     restart: always
     environment:
@@ -75,4 +75,4 @@ services:
 volumes:
   traefik_certs:
   portainer_data:
-  gatus_data:
+  gatus_data: