DNXLabs
diff --git a/‎.github/workflows/security.yml‎
Lines changed: 14 additions & 7 deletions b/‎.github/workflows/security.yml‎
Lines changed: 14 additions & 7 deletions
diff --git a/‎3.10/Dockerfile‎
Lines changed: 17 additions & 13 deletions b/‎3.10/Dockerfile‎
Lines changed: 17 additions & 13 deletions
diff --git a/‎3.11/Dockerfile‎
Lines changed: 17 additions & 13 deletions b/‎3.11/Dockerfile‎
Lines changed: 17 additions & 13 deletions
diff --git a/‎3.12/Dockerfile‎
Lines changed: 28 additions & 0 deletions b/‎3.12/Dockerfile‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎3.6/Dockerfile‎
Lines changed: 0 additions & 24 deletions b/‎3.6/Dockerfile‎
Lines changed: 0 additions & 24 deletions
diff --git a/‎3.7/Dockerfile‎
Lines changed: 0 additions & 24 deletions b/‎3.7/Dockerfile‎
Lines changed: 0 additions & 24 deletions
diff --git a/‎3.8/Dockerfile‎
Lines changed: 0 additions & 24 deletions b/‎3.8/Dockerfile‎
Lines changed: 0 additions & 24 deletions
diff --git a/‎3.8/hadolint.yaml‎
Lines changed: 0 additions & 4 deletions b/‎3.8/hadolint.yaml‎
Lines changed: 0 additions & 4 deletions
diff --git a/‎3.9/Dockerfile‎
Lines changed: 17 additions & 13 deletions b/‎3.9/Dockerfile‎
Lines changed: 17 additions & 13 deletions
diff --git a/‎Makefile‎
Lines changed: 12 additions & 31 deletions b/‎Makefile‎
Lines changed: 12 additions & 31 deletions
@@ -9,17 +9,24 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v4
 
       - name: Set tag var
         id: vars
-        run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} | cut -d'/' -f3)-${GITHUB_SHA}
+        run: echo "docker_tag=$(echo ${GITHUB_REF} | cut -d'/' -f3)-${GITHUB_SHA}" >> $GITHUB_OUTPUT
 
       - name: Build the Docker image
-        run: docker build . --file ./3.8/Dockerfile --tag docker-terraform:${{ steps.vars.outputs.docker_tag }}
+        run: docker build . --file ./3.12/Dockerfile --tag serverless-python:${{ steps.vars.outputs.docker_tag }}
 
-      - name: Scan with Phonito Security
-        uses: phonito/phonito-scanner-action@master
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
         with:
-          image: docker-terraform:${{ steps.vars.outputs.docker_tag }}
-          phonito-token: ${{ secrets.PHONITO_TOKEN }}
+          image-ref: serverless-python:${{ steps.vars.outputs.docker_tag }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
@@ -1,23 +1,27 @@
-FROM python:3.10-slim-buster
+FROM python:3.10-slim-bookworm
 
 RUN apt-get update && \
     apt-get install -y \
-        wget=1.20.1-1.1 \
-        zip=3.0-11+b1 \
-        unzip=6.0-23+deb10u2 \
-        git=1:2.20.1-2+deb10u3 \
+        wget \
+        zip \
+        unzip \
+        git \
         curl \
-        npm=5.8.0+ds6-4+deb10u2 && \
-    pip3 install --no-cache-dir --upgrade pip==23.3.1 && \
-    npm install [email protected] -g && \
-    npm install -g [email protected] && \
-    npm install -g [email protected] &&\
+        ca-certificates \
+        gnupg && \
+    pip3 install --no-cache-dir --upgrade pip==25.1.1 && \
     apt-get -q -y clean && \
     rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/*
 
-ARG APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1
-RUN curl -sL https://deb.nodesource.com/setup_18.x | bash
-RUN apt-get install -y nodejs
+RUN mkdir -p /etc/apt/keyrings && \
+    curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
+    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list && \
+    apt-get update && \
+    apt-get install -y nodejs && \
+    npm install -g [email protected] && \
+    npm install -g [email protected] && \
+    apt-get -q -y clean && \
+    rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/*
 
 WORKDIR /work
 
 
@@ -1,23 +1,27 @@
-FROM python:3.11-slim-buster
+FROM python:3.11-slim-bookworm
 
 RUN apt-get update && \
     apt-get install -y \
-        wget=1.20.1-1.1 \
-        zip=3.0-11+b1 \
-        unzip=6.0-23+deb10u2 \
-        git=1:2.20.1-2+deb10u3 \
+        wget \
+        zip \
+        unzip \
+        git \
         curl \
-        npm=5.8.0+ds6-4+deb10u2 && \
-    pip3 install --no-cache-dir --upgrade pip==23.3.1 && \
-    npm install [email protected] -g && \
-    npm install -g [email protected] && \
-    npm install -g [email protected] &&\
+        ca-certificates \
+        gnupg && \
+    pip3 install --no-cache-dir --upgrade pip==25.1.1 && \
     apt-get -q -y clean && \
     rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/*
 
-ARG APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1
-RUN curl -sL https://deb.nodesource.com/setup_18.x | bash 
-RUN apt-get install -y nodejs
+RUN mkdir -p /etc/apt/keyrings && \
+    curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
+    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list && \
+    apt-get update && \
+    apt-get install -y nodejs && \
+    npm install -g [email protected] && \
+    npm install -g [email protected] && \
+    apt-get -q -y clean && \
+    rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/*
 
 WORKDIR /work
 
 
@@ -0,0 +1,28 @@
+FROM python:3.12-slim-bookworm
+
+RUN apt-get update && \
+    apt-get install -y \
+        wget \
+        zip \
+        unzip \
+        git \
+        curl \
+        ca-certificates \
+        gnupg && \
+    pip3 install --no-cache-dir --upgrade pip==25.1.1 && \
+    apt-get -q -y clean && \
+    rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/*
+
+RUN mkdir -p /etc/apt/keyrings && \
+    curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
+    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list && \
+    apt-get update && \
+    apt-get install -y nodejs && \
+    npm install -g [email protected] && \
+    npm install -g [email protected] && \
+    apt-get -q -y clean && \
+    rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/*
+
+WORKDIR /work
+
+ENTRYPOINT ["/bin/sh"]
@@ -1,23 +1,27 @@
-FROM python:3.9-slim-buster
+FROM python:3.9-slim-bookworm
 
 RUN apt-get update && \
     apt-get install -y \
-        wget=1.20.1-1.1 \
-        zip=3.0-11+b1 \
-        unzip=6.0-23+deb10u2 \
-        git=1:2.20.1-2+deb10u3 \
+        wget \
+        zip \
+        unzip \
+        git \
         curl \
-        npm=5.8.0+ds6-4+deb10u2 && \
-    pip3 install --no-cache-dir --upgrade pip==23.3.1 && \
-    npm install [email protected] -g && \
-    npm install -g [email protected] && \
-    npm install -g [email protected] &&\
+        ca-certificates \
+        gnupg && \
+    pip3 install --no-cache-dir --upgrade pip==25.1.1 && \
     apt-get -q -y clean && \
     rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/*
 
-ARG APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1
-RUN curl -sL https://deb.nodesource.com/setup_18.x | bash 
-RUN apt-get install -y nodejs
+RUN mkdir -p /etc/apt/keyrings && \
+    curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
+    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list && \
+    apt-get update && \
+    apt-get install -y nodejs && \
+    npm install -g [email protected] && \
+    npm install -g [email protected] && \
+    apt-get -q -y clean && \
+    rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/*
 
 
 WORKDIR /work
 
@@ -2,59 +2,40 @@
 build:
 	echo "Build specific tag/release"
 
-	# Python 3.6
-	docker build \
-		--build-arg base_image=python:3.6-slim \
-		-t ${REPO}:3.6-${IMAGE_TAG} \
-		./3.6/.
-
-	# Python 3.7
-	docker build \
-		--build-arg base_image=python:3.7-slim \
-		-t ${REPO}:3.7-${IMAGE_TAG} \
-		./3.7/.
-
-	# Python 3.8
-	docker build \
-		--build-arg base_image=python:3.8-slim \
-		-t ${REPO}:3.8-${IMAGE_TAG} \
-		./3.8/.
-
 	# Python 3.9
 	docker build \
-		--build-arg base_image=python:3.9-slim \
+		--build-arg base_image=python:3.9-slim-bookworm \
 		-t ${REPO}:3.9-${IMAGE_TAG} \
 		./3.9/.
 
 	# Python 3.10
 	docker build \
-		--build-arg base_image=python:3.10-slim \
+		--build-arg base_image=python:3.10-slim-bookworm \
 		-t ${REPO}:3.10-${IMAGE_TAG} \
 		./3.10/.
 
 	# Python 3.11
 	docker build \
-		--build-arg base_image=python:3.11-slim \
+		--build-arg base_image=python:3.11-slim-bookworm \
 		-t ${REPO}:3.11-${IMAGE_TAG} \
 		./3.11/.
 
+	# Python 3.12
+	docker build \
+		--build-arg base_image=python:3.12-slim-bookworm \
+		-t ${REPO}:3.12-${IMAGE_TAG} \
+		./3.12/.
 push:
 	echo "Push specific tag/release"
 
-	# Python 3.6
-	docker push ${REPO}:3.6-${IMAGE_TAG} 
-		
-	# Python 3.7
-	docker push ${REPO}:3.7-${IMAGE_TAG} 
-
-	# Python 3.8
-	docker push ${REPO}:3.8-${IMAGE_TAG} 
-
 	# Python 3.9
 	docker push ${REPO}:3.9-${IMAGE_TAG} 
 
 	# Python 3.10
 	docker push ${REPO}:3.10-${IMAGE_TAG} 
 
 	# Python 3.11
-	docker push ${REPO}:3.11-${IMAGE_TAG} 
+	docker push ${REPO}:3.11-${IMAGE_TAG} 
+
+	# Python 3.12
+	docker push ${REPO}:3.12-${IMAGE_TAG}