marko/cnpg-postgres-containers
1
0
Fork 0
forked from repo-mirrors/cnpg-postgres-containers
Code Pull Requests Actions Activity

Compare commits

base: marko:dev/security-scan-action
Branches Tags
marko:main marko:renovate/barman-3.x marko:dev/340 marko:dev/security-scan-action marko:dev/209 marko:dev/290 marko:dev/upload marko:dev/improve-readme
..
compare: marko:dev/209
Branches Tags
marko:renovate/barman-3.x marko:main marko:dev/340 marko:dev/security-scan-action marko:dev/209 marko:dev/290 marko:dev/upload marko:dev/improve-readme

1 Commits
dev/securi ... dev/209

Author SHA1 Message Date
Gabriele Bartolini
1af4edac02 docs: add basic security section 
closes #209

Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
 2025-09-25 18:41:36 +02:00
9 changed files with 66 additions and 172 deletions
Expand all files Collapse all files

2
.github/actions/generate-catalogs/action.yml vendored
View File

@@ -26,7 +26,7 @@ runs:
- name: Set up Python - name: Set up Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6 uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
with: with:
python-version: 3.14 python-version: 3.13
- name: Install Python dependencies - name: Install Python dependencies
shell: bash shell: bash

71
.github/actions/security-scans/README.md vendored
View File

@@ -1,71 +0,0 @@
# Security Scans Action
This composite GitHub Action wraps all the security scanners used to
analyze CloudNativePG container images.
---
## Requirements
This composite action relies on the calling workflows `GITHUB_TOKEN`.
Make sure your calling workflow includes:
```
permissions:
contents: read
packages: read
security-events: write # required for SARIF upload
```
---
## Security scanners
- [Dockle](https://github.com/goodwithtech/dockle):
- Best-practice and configuration checks.
- [Snyk](https://github.com/snyk/actions):
- Detects vulnerabilities in OS packages, libraries, and dependencies.
- Generates a `snyk.sarif` that gets uploaded to GitHub Code Scanning
---
## Inputs
| Name | Description | Required | Default |
| ---------------- | -------------------------------------------------- | --------- | -------------- |
| `image` | The image to scan (e.g. `ghcr.io/org/image:tag`) | ✅ Yes | — |
| `registry_user` | The user used to pull the image | ✅ Yes | — |
| `registry_token` | The token used to pull the image | ✅ Yes | — |
| `snyk_token` | The Snyk authentication token | ❌ No | — |
| `dockerfile` | Path to the images Dockerfile (for Snyk scanning) | ❌ No | `./Dockerfile` |
Note:
- If a `snyk_token` is not provided, Snyk scans won't be performed.
- The `dockerfile` path is currently only required by Snyk.
---
## Usage
Example workflow:
```
jobs:
security-scan:
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
security-events: write
steps:
- uses: actions/checkout@v5
- name: Security checks
uses: cloudnative-pg/postgres-containers/.github/actions/security-scans@main
with:
image: ghcr.io/org/image:tag
registry_user: ${{ github.actor }}
registry_token: ${{ secrets.GITHUB_TOKEN }}
snyk_token: ${{ secrets.SNYK_TOKEN }}
dockerfile: "./Dockerfile"
```

64
.github/actions/security-scans/action.yml vendored
View File

@@ -1,64 +0,0 @@
name: Security Scans
description: Security Scans
inputs:
image:
description: "The image to scan"
required: true
registry_user:
description: "The user used to pull the image"
required: true
registry_token:
description: "The token used to pull the image"
required: true
snyk_token:
description: "The snyk authentication token"
required: false
dockerfile:
description: "The image's Dockerfile"
required: false
default: './Dockerfile'
runs:
using: composite
steps:
- name: Log in to the GitHub Container registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
registry: ghcr.io
username: ${{ inputs.registry_user }}
password: ${{ inputs.registry_token }}
- name: Dockle
uses: erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1
with:
image: "${{ inputs.image }}"
exit-code: '1'
failure-threshold: WARN
accept-keywords: key
accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py
- name: Snyk
uses: snyk/actions/docker@master
id: snyk
if: ${{ inputs.snyk_token != '' }}
# Snyk can be used to break the build when it detects vulnerabilities.
# In this case we want to upload the issues to GitHub Code Scanning.
continue-on-error: true
env:
SNYK_TOKEN: ${{ inputs.snyk_token }}
with:
image: "${{ inputs.image }}"
args: --severity-threshold=high --file=${{ inputs.dockerfile }}
- name: Replace sarif security-severity invalid values
if: ${{ steps.snyk.conclusion == 'success' }}
shell: bash
run: |
sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4
if: ${{ steps.snyk.conclusion == 'success' }}
with:
sarif_file: snyk.sarif

4
.github/workflows/bake.yml vendored
View File

@@ -51,8 +51,6 @@ jobs:
with: with:
environment: ${{ github.event.inputs.environment }} environment: ${{ github.event.inputs.environment }}
postgresql_version: ${{ matrix.version }} postgresql_version: ${{ matrix.version }}
secrets:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Catalogs: Catalogs:
name: Update Catalogs name: Update Catalogs
@@ -65,6 +63,6 @@ jobs:
( github.event.inputs.environment == 'production' || github.event_name == 'schedule' ) ( github.event.inputs.environment == 'production' || github.event_name == 'schedule' )
steps: steps:
- name: Repository Dispatch - name: Repository Dispatch
uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4 uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
with: with:
event-type: update-catalogs event-type: update-catalogs

41
.github/workflows/bake_targets.yml vendored
View File

@@ -29,9 +29,6 @@ on:
`source` directory. `source` directory.
required: false required: false
type: string type: string
secrets:
SNYK_TOKEN:
required: false
permissions: {} permissions: {}
@@ -77,7 +74,7 @@ jobs:
echo "filtered_targets=$target" >> "$GITHUB_OUTPUT" echo "filtered_targets=$target" >> "$GITHUB_OUTPUT"
- name: Log in to the GitHub Container registry - name: Log in to the GitHub Container registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}
@@ -143,14 +140,36 @@ jobs:
- name: Checkout Code - name: Checkout Code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- name: Security checks - name: Log in to the GitHub Container registry
uses: ./.github/actions/security-scans uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Dockle
uses: erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1
with:
image: ${{ matrix.image }}
exit-code: '1'
failure-threshold: WARN
accept-keywords: key
accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py
- name: Snyk
uses: snyk/actions/docker@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with: with:
image: "${{ matrix.image }}" image: "${{ matrix.image }}"
registry_user: ${{ github.actor }} args: --severity-threshold=high --file=Dockerfile
registry_token: ${{ secrets.GITHUB_TOKEN }}
snyk_token: ${{ secrets.SNYK_TOKEN }} - name: Upload result to GitHub Code Scanning
dockerfile: "./Dockerfile" uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3
continue-on-error: true
with:
sarif_file: snyk.sarif
# Use the metadata generated in the `testbuild` step to find all the images # Use the metadata generated in the `testbuild` step to find all the images
# that have been built. We copy them one by one to the production registry # that have been built. We copy them one by one to the production registry
@@ -172,7 +191,7 @@ jobs:
id-token: write id-token: write
steps: steps:
- name: Log in to the GitHub Container registry - name: Log in to the GitHub Container registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}

14
Debian/ClusterImageCatalog-bookworm.yaml
View File

@@ -6,19 +6,17 @@ metadata:
images.cnpg.io/family: postgresql images.cnpg.io/family: postgresql
images.cnpg.io/type: system images.cnpg.io/type: system
images.cnpg.io/os: bookworm images.cnpg.io/os: bookworm
images.cnpg.io/date: '20251013' images.cnpg.io/date: '20250923'
images.cnpg.io/publisher: cnpg.io images.cnpg.io/publisher: cnpg.io
spec: spec:
images: images:
- major: 13 - major: 13
image: ghcr.io/cloudnative-pg/postgresql:13.22-202510130807-system-bookworm@sha256:8960f067c4e5c633e5deff50f781957ca4579d72d275739c586befe9d05d444c image: ghcr.io/cloudnative-pg/postgresql:13.22-202509220807-system-bookworm@sha256:b4a1e2d577546d32e82d44168e6977b3d4b0a4765bb4a7482e353f99ec49216a
- major: 14 - major: 14
image: ghcr.io/cloudnative-pg/postgresql:14.19-202510130807-system-bookworm@sha256:b020285c14e795e262760e5e2c8111769788a7da45e8ee9d1af10ed7a5b66cab image: ghcr.io/cloudnative-pg/postgresql:14.19-202509220807-system-bookworm@sha256:fb3a27a77364017ec604a24f19def5124b945e6e45cb4613455f0aee3e15cc47
- major: 15 - major: 15
image: ghcr.io/cloudnative-pg/postgresql:15.14-202510130807-system-bookworm@sha256:06096a05e7216ada6eafe2e72e7cae1a9d2e57561541caecfcdfcecb4bd03df3 image: ghcr.io/cloudnative-pg/postgresql:15.14-202509220807-system-bookworm@sha256:fbdf4141d38d6c70e6ab10a2d6ab6b7a5853b62fa1bba78b4353032e0b345740
- major: 16 - major: 16
image: ghcr.io/cloudnative-pg/postgresql:16.10-202510130807-system-bookworm@sha256:830b0a2d5b616b06cbb4f594453dc20bafadeb3f1c48441668e9c7e088b0c7d1 image: ghcr.io/cloudnative-pg/postgresql:16.10-202509220807-system-bookworm@sha256:41561360238d5fb7a85e2b1d75f1e5d626be37b94a01306432ad7f94cf542dc4
- major: 17 - major: 17
image: ghcr.io/cloudnative-pg/postgresql:17.6-202510130807-system-bookworm@sha256:71f14116070ce91762198fac8504daee954e75d5d0685363f7844309555130e6 image: ghcr.io/cloudnative-pg/postgresql:17.6-202509220807-system-bookworm@sha256:b931f2c7d6e259c1448a88486912da2a3e4039e13c9099e3c09a54cbb25a36cf
- major: 18
image: ghcr.io/cloudnative-pg/postgresql:18.0-202510130807-system-bookworm@sha256:12707396990ac3ad9767404180f36ea4998761483365938db1f3a8050b50effb

14
Debian/ClusterImageCatalog-bullseye.yaml
View File

@@ -6,19 +6,17 @@ metadata:
images.cnpg.io/family: postgresql images.cnpg.io/family: postgresql
images.cnpg.io/type: system images.cnpg.io/type: system
images.cnpg.io/os: bullseye images.cnpg.io/os: bullseye
images.cnpg.io/date: '20251013' images.cnpg.io/date: '20250923'
images.cnpg.io/publisher: cnpg.io images.cnpg.io/publisher: cnpg.io
spec: spec:
images: images:
- major: 13 - major: 13
image: ghcr.io/cloudnative-pg/postgresql:13.22-202510130807-system-bullseye@sha256:da485ff71aaa4ff044071af2eb91b18eff65a3befacb988af73b8096ffdc5837 image: ghcr.io/cloudnative-pg/postgresql:13.22-202509220807-system-bullseye@sha256:16323ff5e13f568c943720756ebc59d162adff4a4f9349038ae1796f757448c8
- major: 14 - major: 14
image: ghcr.io/cloudnative-pg/postgresql:14.19-202510130807-system-bullseye@sha256:bdc36b98eb96d0f613fb4570460c57ee27114d2bbfe126d9f29b51766b9ca37e image: ghcr.io/cloudnative-pg/postgresql:14.19-202509220807-system-bullseye@sha256:f74e898ab8ef56d2b9cd259871eef9415b8b3dbdc5c916315073cd2144e89d28
- major: 15 - major: 15
image: ghcr.io/cloudnative-pg/postgresql:15.14-202510130807-system-bullseye@sha256:15661a17359d2ff46961e03a2a6593d58c779624ba5e684780111c09291b49c8 image: ghcr.io/cloudnative-pg/postgresql:15.14-202509220807-system-bullseye@sha256:041340459b4d3ebdaffd55fd2296ca01992fb467301b505bb19b8689434b42a8
- major: 16 - major: 16
image: ghcr.io/cloudnative-pg/postgresql:16.10-202510130807-system-bullseye@sha256:697e6d8e15ace744fe3b0035d4ea633d3a2b2e59138e8a0481014e924dd1b4d4 image: ghcr.io/cloudnative-pg/postgresql:16.10-202509220807-system-bullseye@sha256:9746b62a5f1981533dd475ebc1bd8c7740b8dc8c60fa06db0407c6c6c1254fed
- major: 17 - major: 17
image: ghcr.io/cloudnative-pg/postgresql:17.6-202510130807-system-bullseye@sha256:b7f2855c5a419249e30d64616da38cbb7ed3397a21cb115a581a02da8cb21ee0 image: ghcr.io/cloudnative-pg/postgresql:17.6-202509220807-system-bullseye@sha256:b9763f1137de625622dab2a4b94a456c5a6587d0444885b282d9c222370b3955
- major: 18
image: ghcr.io/cloudnative-pg/postgresql:18.0-202510130807-system-bullseye@sha256:5f67a8c8ae429c8af5692024ad58408a3f70223bf5d1cb9f9dbc36dcead88919

21
README.md
View File

@@ -18,13 +18,14 @@ This repository provides maintenance scripts for generating
| Version | Release Date | EOL | | Version | Release Date | EOL |
|:-------:|:------------:|:----------:| |:-------:|:------------:|:----------:|
| 18 | 2025-09-25 | 2030-11-14 |
| 17 | 2024-09-26 | 2029-11-08 | | 17 | 2024-09-26 | 2029-11-08 |
| 16 | 2023-09-14 | 2028-11-09 | | 16 | 2023-09-14 | 2028-11-09 |
| 15 | 2022-10-13 | 2027-11-11 | | 15 | 2022-10-13 | 2027-11-11 |
| 14 | 2021-09-30 | 2026-11-12 | | 14 | 2021-09-30 | 2026-11-12 |
| 13 | 2020-09-24 | 2025-11-13 | | 13 | 2020-09-24 | 2025-11-13 |
In addition, PostgreSQL 18 RC1 is provided for testing purposes only.
These images are designed to serve as operands of the These images are designed to serve as operands of the
[CloudNativePG (CNPG) operator](https://cloudnative-pg.io) in Kubernetes [CloudNativePG (CNPG) operator](https://cloudnative-pg.io) in Kubernetes
environments, and are not intended for standalone use. environments, and are not intended for standalone use.
@@ -191,7 +192,9 @@ and [`ClusterImageCatalog-bookworm.yaml`](Debian/ClusterImageCatalog-bookworm.ya
manifests, please migrate to the new catalogs as soon as possible. These legacy manifests, please migrate to the new catalogs as soon as possible. These legacy
manifests are deprecated and will be removed along with the `system` image. manifests are deprecated and will be removed along with the `system` image.
## Build Attestations ## Security
### Build Attestations
CNPG PostgreSQL Container Images are built with the following attestations to CNPG PostgreSQL Container Images are built with the following attestations to
ensure transparency and traceability: ensure transparency and traceability:
@@ -215,7 +218,7 @@ docker buildx imagetools inspect <IMAGE> --format "{{ json .SBOM.SPDX }}"
This command outputs the SBOM in JSON format, providing a detailed view of the This command outputs the SBOM in JSON format, providing a detailed view of the
software components and build dependencies. software components and build dependencies.
## Image Signatures ### Image Signatures
The [`minimal`](#minimal-images) and [`standard`](#standard-images) CloudNativePG container images are securely signed using The [`minimal`](#minimal-images) and [`standard`](#standard-images) CloudNativePG container images are securely signed using
[cosign](https://github.com/sigstore/cosign), a tool within the [cosign](https://github.com/sigstore/cosign), a tool within the
@@ -238,6 +241,18 @@ cosign verify IMAGE \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
``` ```
## Image Scanning in CI/CD
To further strengthen the security of our container images, we perform
automated image scanning as part of our CI/CD workflows. These scans help
ensure that our images adhere to best practices and remain free of known
vulnerabilities before they are published or deployed:
- **Dockle**: Verifies configuration best practices for container images. Runs
during the build stage; critical failures can block the build.
- **Snyk**: Detects vulnerabilities in OS packages, libraries, and dependencies
within the container. Runs after image build.
## Building Images ## Building Images
For detailed instructions on building PostgreSQL container images, refer to the For detailed instructions on building PostgreSQL container images, refer to the

7
docker-bake.hcl
View File

@@ -34,6 +34,7 @@ postgreSQLVersions = [
// Preview versions are automatically filtered out if present in the stable list // Preview versions are automatically filtered out if present in the stable list
// MANUALLY EDIT THE CONTENT - AND UPDATE THE README.md FILE TOO // MANUALLY EDIT THE CONTENT - AND UPDATE THE README.md FILE TOO
postgreSQLPreviewVersions = [ postgreSQLPreviewVersions = [
"18~rc1",
] ]
// Barman version to build // Barman version to build
@@ -58,11 +59,11 @@ target "default" {
pgVersion = getPgVersions(postgreSQLVersions, postgreSQLPreviewVersions) pgVersion = getPgVersions(postgreSQLVersions, postgreSQLPreviewVersions)
base = [ base = [
// renovate: datasource=docker versioning=loose // renovate: datasource=docker versioning=loose
"debian:trixie-slim@sha256:1caf1c703c8f7e15dcf2e7769b35000c764e6f50e4d7401c355fb0248f3ddfdb", "debian:trixie-slim@sha256:c2880112cc5c61e1200c26f106e4123627b49726375eb5846313da9cca117337",
// renovate: datasource=docker versioning=loose // renovate: datasource=docker versioning=loose
"debian:bookworm-slim@sha256:7e490910eea2861b9664577a96b54ce68ea3e02ce7f51d89cb0103a6f9c386e0", "debian:bookworm-slim@sha256:df52e55e3361a81ac1bead266f3373ee55d29aa50cf0975d440c2be3483d8ed3",
// renovate: datasource=docker versioning=loose // renovate: datasource=docker versioning=loose
"debian:bullseye-slim@sha256:f807f4b16002c623115b0247dca6a55711c6b1ae821dc64fb8a2339e4ce2115d" "debian:bullseye-slim@sha256:6d3c63184632046054ae709964befc943ecffa140adc697ca955a10002a79c08"
] ]
} }
platforms = [ platforms = [