From 8d89b9549f885f60da826f718983813d7dfe2946 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 28 Aug 2025 18:50:48 +0000 Subject: [PATCH 1/3] Initial plan From de8df686eff786c035f0826a04e01af63ace4bd6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 28 Aug 2025 18:56:09 +0000 Subject: [PATCH 2/3] Replace microscanner with Trivy in multi-stage-scanning example Co-authored-by: BretFisher <792287+BretFisher@users.noreply.github.com> --- multi-stage-scanning/Dockerfile | 28 +++++++++++++------ multi-stage-scanning/README.md | 49 +++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+), 8 deletions(-) create mode 100644 multi-stage-scanning/README.md diff --git a/multi-stage-scanning/Dockerfile b/multi-stage-scanning/Dockerfile index c2e3bc0f..57938592 100644 --- a/multi-stage-scanning/Dockerfile +++ b/multi-stage-scanning/Dockerfile 
@@ -74,14 +74,26 @@ FROM test as audit RUN npm audit -# aqua microscanner, which needs a token for API access -# note this isn't super secret, so we'll use an ARG here -# https://github.com/aquasecurity/microscanner -ARG MICROSCANNER_TOKEN -ADD https://get.aquasec.com/microscanner / -RUN chmod +x /microscanner -RUN apk add --no-cache ca-certificates && update-ca-certificates -RUN /microscanner $MICROSCANNER_TOKEN --continue-on-failure +# Trivy security scanner (replaces deprecated microscanner) +# https://github.com/aquasecurity/trivy +ENV TRIVY_VERSION=0.35.0 +# Use BuildKit to help translate architecture names +ARG TARGETPLATFORM +RUN case ${TARGETPLATFORM} in \ + "linux/amd64") ARCH=amd64 ;; \ + "linux/arm64") ARCH=arm64 ;; \ + "linux/arm64/v8") ARCH=arm64 ;; \ + "linux/arm/v7") ARCH=arm ;; \ + *) ARCH=amd64 ;; \ + esac \ + && apk add --no-cache wget ca-certificates \ + && update-ca-certificates \ + && wget --progress=dot:giga https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-${ARCH}.tar.gz \ + && tar zxf trivy_${TRIVY_VERSION}_Linux-${ARCH}.tar.gz \ + && mv trivy /usr/local/bin/ \ + && rm trivy_${TRIVY_VERSION}_Linux-${ARCH}.tar.gz +COPY . . +RUN trivy fs --severity "HIGH,CRITICAL" --no-progress --security-checks vuln . ## Stage 6 (default, production) diff --git a/multi-stage-scanning/README.md b/multi-stage-scanning/README.md new file mode 100644 index 00000000..0171fe67 --- /dev/null +++ b/multi-stage-scanning/README.md 
@@ -0,0 +1,49 @@ +# Multi-Stage Scanning Example + +This example demonstrates a multi-stage Docker build with integrated security scanning. + +## Security Scanning: Microscanner → Trivy Migration + +**⚠️ Important Update:** This example has been updated to use Trivy instead of the deprecated Aqua Microscanner. + +### Why the Change? + +- **Aqua Microscanner** has been deprecated for several years +- **Trivy** is the modern replacement and actively maintained successor +- Trivy provides better vulnerability detection and performance + +### What Changed + +The security scanning stage (Stage 5) now uses: +- ✅ **Trivy**: Modern, fast, and comprehensive vulnerability scanner +- ❌ ~~Microscanner~~: Deprecated and no longer maintained + +### Using This Example + +1. **Build the image:** + ```bash + docker build -t scanning-example . + ``` + +2. **Build specific stages:** + ```bash + # Build and run security scan + docker build --target audit -t scanning-example:audit . + + # Build production image + docker build --target prod -t scanning-example:prod . + ``` + +3. **Run in development:** + ```bash + docker-compose up + ``` + +### Note + +This example uses Node.js 10 which may have compatibility issues with newer package-lock.json formats. Consider updating to a more recent Node.js version for production use. + +### Learn More + +- [Trivy Documentation](https://aquasecurity.github.io/trivy/) +- [Docker Multi-Stage Builds](https://docs.docker.com/develop/dev-best-practices/dockerfile_best-practices/#use-multi-stage-builds) \ No newline at end of file From aa901bcc1a81dff996a58d45190d2113fab907fd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 28 Aug 2025 18:58:44 +0000 Subject: [PATCH 3/3] Update ultimate-node-dockerfile README to emphasize Trivy Co-authored-by: BretFisher <792287+BretFisher@users.noreply.github.com> --- ultimate-node-dockerfile/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ultimate-node-dockerfile/README.md b/ultimate-node-dockerfile/README.md index 514064de..b6863739 100644 --- a/ultimate-node-dockerfile/README.md +++ b/ultimate-node-dockerfile/README.md @@ -23,7 +23,7 @@ Goal: take the Dockerfile in this directory and make it the ULTIMATE for a combi ## BONUS -* Add a security scanner to test stage and test it. Trivy (replaced microscanner) [trivy](https://github.com/aquasecurity/trivy) +* Add a security scanner to test stage and test it. Use **Trivy** (the modern replacement for deprecated microscanner). See [Trivy documentation](https://github.com/aquasecurity/trivy). * Add Best Practices from an earlier section, including: * Enable BuildKit and try a build. * Add tini to images so containers will receive shutdown signals.
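Review bot: in the multi-stage-scanning/Dockerfile hunk, the new `RUN trivy fs --severity "HIGH,CRITICAL" --no-progress --security-checks vuln .` never fails the build on findings, because Trivy's `--exit-code` defaults to 0; the removed microscanner line was explicitly `--continue-on-failure`, so either keep that behaviour and say so in the comment above it, or add `--exit-code 1` so the audit stage actually gates the build. Three further points on the same hunk. The tarball fetched from github.com/aquasecurity/trivy/releases is extracted and moved into `/usr/local/bin` with no integrity check, so pin a sha256 per architecture next to `TRIVY_VERSION` and run `sha256sum -c` before `tar zxf`; `TRIVY_VERSION` is also a build-time constant and should be an `ARG`, since an `ENV` persists into any stage built `FROM audit`. The `*) ARCH=amd64 ;;` default silently downloads an amd64 binary for every other `TARGETPLATFORM` (linux/386, linux/ppc64le, ...), which then dies at `RUN trivy` with an exec format error; prefer `*) echo "unsupported platform: ${TARGETPLATFORM}" && exit 1 ;;`. Finally, `trivy fs ... .` scans only the working directory copied in by `COPY . .`, so unlike microscanner it never looks at the alpine packages of the base image; to keep that coverage also scan the stage's root filesystem (`trivy rootfs /`), and note that `--security-checks` was renamed `--scanners` in later Trivy releases, which will bite whoever bumps the pinned 0.35.0.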
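Review bot: the new multi-stage-scanning/README.md does not tell the reader what `docker build --target audit` enforces. As the Dockerfile in this patch is written, the Trivy step is advisory (no `--exit-code`), so a HIGH/CRITICAL finding prints a results table and the stage still succeeds, and the step needs outbound network access during `docker build` to download the Trivy vulnerability database, which breaks offline or proxy-restricted builds; add a sentence under "Using This Example" stating both. The "Trivy provides better vulnerability detection and performance" bullet under "Why the Change?" is a comparison this example does not demonstrate; either link to a source or cut it. Also the file is missing its trailing newline (`\ No newline at end of file`).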
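Review bot: the reworded BONUS bullet in ultimate-node-dockerfile/README.md still says "test it" without saying what a passing test looks like; a scanner that merely runs in a stage is not a test unless the build fails on findings, so mention that the exercise should make the stage exit non-zero on HIGH/CRITICAL results (Trivy's `--exit-code 1`). Minor: this bullet links the GitHub repo while the README added in the previous commit links the docs site https://aquasecurity.github.io/trivy/; use the same link in both.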