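├── README.md
├── Dockerfile
├── LICENSE
└── .github
    └── workflows
        └── build_and_publish.yaml

/README.md:
--------------------------------------------------------------------------------
# Ubuntu based python 3.8 image
This repository contains code for a Python 3.8 image based on LTS Ubuntu 22.04. Thanks to the use of the latest LTS Ubuntu image this python image has regular vulnerability resolution, making it more secure. Note that the interpreter itself comes from the deadsnakes PPA rather than from Ubuntu, so Ubuntu's security updates cover the base system but not Python 3.8, which reached upstream end-of-life in October 2024.

The image is currently published [here](https://hub.docker.com/r/charmed/base-2204-python38)
You can use this image seamlessly as any other python Docker image by specifying it as a base with:

```
FROM charmed/base-2204-python38:latest
```
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# Base image for Python 3.8 on Ubuntu 22.04 (jammy). The interpreter is taken
# from the deadsnakes PPA; pip is bootstrapped from the PyPA bootstrap site.
# For reproducible rebuilds consider pinning the base by digest
# (FROM ubuntu:22.04@sha256:<digest-of-the-tested-image>).
FROM ubuntu:22.04

ENV DEBIAN_FRONTEND=noninteractive \
    DEBCONF_NONINTERACTIVE_SEEN=true \
    PYTHONUNBUFFERED=1

# Full fingerprint of the deadsnakes PPA signing key. The key is fetched by
# fingerprint into a dedicated keyring that the apt source references via
# signed-by, so only packages signed by this key are accepted from the PPA.
ARG DEADSNAKES_KEY_FPR=F23C5A6CF475977595C89F51BA6932366A755776

# apt-get (not apt) is used because apt has no stable CLI for scripts;
# --no-install-recommends keeps the layer small, so ca-certificates (needed by
# curl for https) is listed explicitly.
RUN apt-get update && \
    apt-get install -y --no-install-recommends gnupg ca-certificates curl && \
    # initialises ~/.gnupg before the dedicated keyring is written
    gpg --list-keys && \
    gpg --no-default-keyring --keyring /usr/share/keyrings/deadsnakes.gpg \
        --keyserver keyserver.ubuntu.com --recv-keys "${DEADSNAKES_KEY_FPR}" && \
    # '>' rather than 'tee -a': the source list is written once, never appended to
    echo 'deb [signed-by=/usr/share/keyrings/deadsnakes.gpg] http://ppa.launchpadcontent.net/deadsnakes/ppa/ubuntu jammy main' > /etc/apt/sources.list.d/python.list && \
    apt-get update && \
    apt-get install -y --no-install-recommends python3.8 python3.8-distutils && \
    update-alternatives --install /usr/bin/python python /usr/bin/python3.8 1 && \
    # The 3.8-specific bootstrap is required now that current pip no longer
    # supports 3.8. -f makes curl fail on HTTP errors instead of handing an
    # error page to python; piping to stdin leaves no get-pip.py in the layer.
    curl -fsSL https://bootstrap.pypa.io/pip/3.8/get-pip.py | python3.8 - && \
    # drop the apt caches and package lists so they do not ship in the image
    apt-get clean && rm -rf /var/lib/apt/lists/*
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Copyright (c) 2012-2022 Scott Chacon and others

Permission is hereby granted, free of charge, to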
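any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/.github/workflows/build_and_publish.yaml:
--------------------------------------------------------------------------------
# Builds the image on every push to main, every pull request and weekly; the
# image is smoke-tested and scanned before it is published, and pull requests
# never publish. Actions are referenced by major tag; for a stronger
# supply-chain posture pin each `uses:` to a full commit SHA
# (owner/repo@<commit-sha>) and let a bot keep the pins current.
name: Build and Publish

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 13 * * 1"

jobs:
  build-and-push-docker-image:
    name: Build Docker image and push to repositories
    # Least privilege: checkout only reads the repository and upload-sarif needs
    # security-events: write. No step uses OIDC, so id-token is not requested.
    permissions:
      contents: read
      security-events: write
    runs-on: ubuntu-22.04

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Docker image
        run: |
          docker build -t ${{ secrets.DOCKER_HUB_IMAGE }}:${{ github.sha }} .

      # The container is named so it can be stopped once the check has passed
      # instead of being left running for the rest of the job.
      - name: Run image tests
        run: |
          docker run --rm -p 8000:8000 -d --name smoke ${{ secrets.DOCKER_HUB_IMAGE }}:${{ github.sha }} python -m http.server 8000
          sleep 5
          curl -I --fail localhost:8000
          docker stop smoke

      # The scan gates publishing: exit-code 1 fails the job on CRITICAL/HIGH
      # findings that have a fix available, so such an image is never tagged
      # as latest. Remove ignore-unfixed to also report (and block on) findings
      # without an available fix.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: '${{ secrets.DOCKER_HUB_IMAGE }}:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: 'true'
          exit-code: '1'

      # Runs even when the scan step failed so the findings reach the Security tab.
      - name: Upload Trivy scan results to GitHub Security tab
        if: ${{ !cancelled() }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

      # Publishing is limited to pushes to main and the scheduled rebuild; a
      # pull request is built, tested and scanned but its image is not pushed.
      - name: Login to DockerHub
        if: ${{ github.event_name != 'pull_request' }}
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

      # The commit-sha tag is pushed alongside latest so consumers can pin an
      # immutable tag and trace a published image back to its source commit.
      - name: Docker push image to DockerHub
        if: ${{ github.event_name != 'pull_request' }}
        run: |
          docker tag ${{ secrets.DOCKER_HUB_IMAGE }}:${{ github.sha }} ${{ secrets.DOCKER_HUB_IMAGE }}:latest
          docker push ${{ secrets.DOCKER_HUB_IMAGE }}:${{ github.sha }}
          docker push ${{ secrets.DOCKER_HUB_IMAGE }}:latest
--------------------------------------------------------------------------------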