feat: multi-arch builds, Trivy scanning, update base image to 24.04#22

Open
apham0001 wants to merge 1 commit into ContainerSSH:main from apham0001:feat/multi-arch-security

Conversation


@apham0001 apham0001 commented Mar 25, 2026

Summary

The guest-image CI has several issues:

Problems found

  • Multi-arch builds are broken — docker/setup-qemu-action and docker/setup-buildx-action are set up in push.yml but the platforms: parameter is missing from docker/build-push-action, so only amd64 images are published
  • No security scanning — no Trivy, no CodeQL, no SARIF uploads
  • Base image approaching EOL — ubuntu:22.04 standard support ends April 2027
  • No proper image tagging — only latest tag, no SHA-based tags for pinning
  • Actions are outdated — checkout@v3, qemu@v2, buildx@v2, login@v2, build-push@v4
  • No GHCR publishing — images only go to Docker Hub and Quay.io
  • No SHA pinning — actions referenced by mutable tags, vulnerable to supply chain attacks

Changes

push.yml:

  • Add platforms: linux/amd64,linux/arm64 to actually enable multi-arch
  • Add docker/metadata-action for proper tagging (latest + sha-<short> + git tags)
  • Add GHCR as third registry
  • Add GHA build cache for faster builds
  • Update all actions to latest versions with SHA pinning
  • Add tag trigger for release builds

build.yml:

  • Add multi-arch validation (build both platforms on PRs)
  • Add Trivy container scanning with SARIF upload to GitHub Security tab
  • Update actions to latest versions with SHA pinning

Dockerfile:

  • Update base image from ubuntu:22.04 to ubuntu:24.04

Security: SHA-pinned actions

All actions pinned to exact commit SHAs to prevent supply chain attacks via tag manipulation.

Test plan

  • Multi-arch build succeeds (amd64 + arm64)
  • Trivy scan runs and uploads results to Security tab
  • Images are properly tagged (latest + sha)
  • containerssh-agent binary works on both architectures
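As an added illustration (not the PR's own diff, which this page does not show), here is a single workflow that contains every setting the description lists: `platforms` on docker/build-push-action, docker/metadata-action tags (latest, sha-prefixed, git tag), a GHCR login, the GHA build cache, and a Trivy scan whose SARIF output is uploaded to the Security tab. The PR itself splits these between push.yml and build.yml; they are merged here only to keep the example in one place. Every `<full-commit-sha>` is a placeholder to be replaced with the 40-character commit SHA of the action release you have audited, and the trailing version comments are assumptions about which release that SHA would resolve to.

```yaml
# Added example, not the ContainerSSH guest-image workflow. Placeholders:
# <full-commit-sha> = the 40-hex commit SHA of the audited action release.
name: push

on:
  push:
    branches: [main]
    tags: ['v*']            # tag trigger for release builds

permissions:
  contents: read
  packages: write           # push to ghcr.io
  security-events: write    # SARIF upload to the Security tab

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      # Mutable tags (e.g. @v4) can be re-pointed by whoever controls the
      # upstream repo; a full commit SHA cannot. Keep the version in a comment
      # so dependency-update tooling can still recognise the release.
      - uses: actions/checkout@<full-commit-sha>              # v4 (assumed)
      - uses: docker/setup-qemu-action@<full-commit-sha>      # v3 (assumed)
      - uses: docker/setup-buildx-action@<full-commit-sha>    # v3 (assumed)

      - name: Log in to GHCR
        uses: docker/login-action@<full-commit-sha>           # v3 (assumed)
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Generate image tags and labels
        id: meta
        uses: docker/metadata-action@<full-commit-sha>        # v5 (assumed)
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=raw,value=latest,enable={{is_default_branch}}
            type=sha,prefix=sha-
            type=ref,event=tag

      - name: Build and push (multi-arch)
        uses: docker/build-push-action@<full-commit-sha>      # v6 (assumed)
        with:
          context: .
          # The line the PR adds: without it QEMU/buildx are set up but only
          # the runner's native amd64 image is ever produced.
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Scan the pushed image with Trivy
        uses: aquasecurity/trivy-action@<full-commit-sha>     # (assumed release)
        with:
          # First tag emitted by metadata-action for this build
          image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH

      - name: Upload Trivy results to the Security tab
        if: always()     # upload even when the scan step reports findings
        uses: github/codeql-action/upload-sarif@<full-commit-sha>   # v3 (assumed)
        with:
          sarif_file: trivy-results.sarif
```

Two points worth checking when adapting this: the `security-events: write` permission is required or the SARIF upload step fails silently from the reader's point of view, and the SHA you pin must come from the action's own repository at the tagged release, verified before it is written into the workflow, since pinning an unverified SHA only moves the trust problem rather than removing it.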

@apham0001 apham0001 force-pushed the feat/multi-arch-security branch 2 times, most recently from b04364b to 1420352 Compare March 25, 2026 21:54
- Enable multi-arch builds (linux/amd64 + linux/arm64) by adding
  platforms parameter to docker/build-push-action
- Add Trivy container vulnerability scanning on PRs
- Update base image from ubuntu:22.04 to ubuntu:24.04
- Add GHCR as additional registry
- Use docker/metadata-action for proper tagging (latest + sha + tags)
- Update all GitHub Actions to latest versions
- Add GHA build cache for faster builds

Signed-off-by: Anthony <pham.anthony1@gmail.com>
@apham0001 apham0001 force-pushed the feat/multi-arch-security branch from 1420352 to 60fe70e Compare March 25, 2026 21:58