From ea8729e93f7e886af251b12a7e91681c6242d163 Mon Sep 17 00:00:00 2001 From: ammnt Date: Mon, 9 Mar 2026 11:29:17 +0300 Subject: [PATCH 01/15] fix(env): update OpenSSL version to 4.0.0 for improved security feat(README): add support for Encrypted Client Hello (ECH) in TLS 1.3 fix(example.conf): update log format and add commented SSL configurations --- .env | 2 +- README.md | 1 + example.conf | 12 ++++++++++-- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/.env b/.env index 2c8590d..66c9657 100644 --- a/.env +++ b/.env @@ -1,6 +1,6 @@ BASE_VERSION=3.23.3 BASE_HASH=25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 -OPENSSL_VERSION=3.6.1 +OPENSSL_VERSION=4.0.0 APP_VERSION=1.29.5 PCRE_VERSION=10.47 ZLIB_VERSION=2.3.3 diff --git a/README.md b/README.md index 1b754f8..734de13 100644 --- a/README.md +++ b/README.md @@ -114,6 +114,7 @@ spec: - **Native QUIC and HTTP/3 support** - OpenSSL and QUIC without patches or experimental implementations (RFC 9114, RFC 9000) - **Native PQC support** - hybrid post-quantum key exchange algorithms in elliptic curves (NIST PQC Standardization, FIPS 203/204/205) - **Native TLS 1.3 with 0-RTT** (RFC 8446, RFC 9001) +- **Native support for the Encrypted Client Hello (ECH)** - extension of the TLS 1.3 protocol ### **Supply Chain Integrity** - **Signed images** - signatures and **provenance attestation** (SLSA Level 3 requirements, in-toto attestations) diff --git a/example.conf b/example.conf index 706a88a..6b04c8f 100644 --- a/example.conf +++ b/example.conf 
@@ -46,6 +46,10 @@ http { ssl_session_tickets off; ssl_session_timeout 1440m; ssl_buffer_size 4k; + # ssl_protocols TLSv1.3; + # ssl_ecdh_curve X25519MLKEM768:X25519; + # ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE:!COMPLEMENTOFDEFAULT; + # ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384; ssl_protocols TLSv1.3 TLSv1.2; ssl_ecdh_curve X25519MLKEM768:X25519:SecP384r1MLKEM1024:SecP256r1MLKEM768:secp521r1:secp384r1; ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDH+AESGCM+AES256:ECDH+CHACHA20; @@ -56,6 +60,7 @@ http { ssl_certificate_key /etc/freenginx/ssl/privkey.pem; ssl_trusted_certificate /etc/freenginx/ssl/fullchain.pem; ssl_dhparam /etc/freenginx/ssl/dhparam.pem; + # ssl_ech_file /etc/angie/ssl/ech.pem.ech; ssl_stapling on; ssl_stapling_verify on; ssl_ocsp on; @@ -68,7 +73,9 @@ http { add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1' always; quic_retry on; quic_gso on; - log_format main '$time_iso8601 $ssl_server_name $scheme $ssl_alpn_protocol $status $uri $ssl_protocol $server_protocol $ssl_curve $ssl_cipher'; + log_format main '[$time_local] $request_time $uri $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher'; + # log_format ech '[$time_local] $request_time "$request" $status $uri $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher' + # 'ECH:$ssl_ech_status:$ssl_ech_outer_server_name $ssl_server_name'; log_format debug escape=json '{' '"@timestamp": "$time_iso8601", ' '"msec": "$msec", ' @@ -114,8 +121,9 @@ http { '"http_cf_ray": "$http_cf_ray", ' '"http_x_forwarded_proto": "$http_x_forwarded_proto" ' '}'; - access_log /dev/stdout simple; + access_log /dev/stdout main; error_log stderr warn; + gzip on; gzip_vary on; gzip_proxied any; From 1c93cdc7b94951c595e6d344a2188b245ff7e771 Mon Sep 17 00:00:00 2001 
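Review bot: The four new commented-out directives (`# ssl_protocols TLSv1.3;` through `# ssl_conf_command Ciphersuites …`) are an alternative TLS 1.3-only profile to the live `ssl_protocols`/`ssl_ecdh_curve`/`ssl_ciphers` lines that follow, but nothing says so, and a reader who uncomments them without removing the live ones gets duplicate directives that freenginx will presumably reject at config test. A header line would make the intent explicit: `# Stricter TLS 1.3-only profile: enable these four lines INSTEAD OF the four live directives below.` The commented `ssl_ciphers` line also keeps `ECDHE:!COMPLEMENTOFDEFAULT`, which are TLS 1.2 cipher-list selectors; under `ssl_protocols TLSv1.3;` they presumably select nothing, so the header should say that the `Ciphersuites` line is what governs in that profile. The `http {` block continues outside the hunk.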
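Review bot: The added `# ssl_ech_file /etc/angie/ssl/ech.pem.ech;` points into `/etc/angie/ssl/` while every neighbouring certificate and key path in this hunk lives under `/etc/freenginx/ssl/`, so anyone uncommenting it references a directory the rest of the example never provisions. Patch 02 on this page renames the directive but keeps the `/etc/angie` path; the final line should read `# ssl_encrypted_hello_key /etc/freenginx/ssl/ech.pem.ech;`. Since the ECH key file is private key material, a short trailing comment that it must be protected like `privkey.pem` would also help readers who copy the example.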
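Review bot: The commented `log_format ech` records `$status` twice (`"$request" $status $uri $status`), so whoever enables it gets a redundant column; drop one of them. The rewritten `main` format also loses `$ssl_server_name` and `$ssl_alpn_protocol`, and like the old one carries no `$remote_addr`, so the default access log cannot tie a request to a client address or to the name it was addressed to, which is the first thing incident analysis needs from a TLS edge; consider `log_format main '[$time_local] $remote_addr $ssl_server_name $request_time $uri $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher';`. The duplicated `$status` survives into patch 15, the last hunk on this page.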
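Review bot: The new `gzip on;` turns on response compression for everything this example serves over TLS, and compressing responses that place request-controlled data next to secrets (session or CSRF tokens) is exactly the situation where compression side channels such as BREACH apply; an example aimed at an "A+" profile should scope it with `gzip_types` to static asset types or carry a comment that dynamic responses containing tokens must not be compressed. The change from `access_log /dev/stdout simple;` to `main` fixes a reference to a format that is not defined anywhere visible, which is good as is.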
From: ammnt Date: Mon, 9 Mar 2026 11:35:29 +0300 Subject: [PATCH 02/15] fix(env): update OpenSSL version to 4.0.0 for improved security feat(README): add support for Encrypted Client Hello (ECH) in TLS 1.3 fix(example.conf): update log format and add commented SSL configurations --- example.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/example.conf b/example.conf index 6b04c8f..c3e0463 100644 --- a/example.conf +++ b/example.conf @@ -60,7 +60,7 @@ http { ssl_certificate_key /etc/freenginx/ssl/privkey.pem; ssl_trusted_certificate /etc/freenginx/ssl/fullchain.pem; ssl_dhparam /etc/freenginx/ssl/dhparam.pem; - # ssl_ech_file /etc/angie/ssl/ech.pem.ech; + # ssl_encrypted_hello_key /etc/angie/ssl/ech.pem.ech; ssl_stapling on; ssl_stapling_verify on; ssl_ocsp on; From c7ba452628bd8318504bee096f334bf1d0a19545 Mon Sep 17 00:00:00 2001 From: ammnt Date: Mon, 9 Mar 2026 12:02:26 +0300 Subject: [PATCH 03/15] fix(env): update OpenSSL version to 4.0.0 for improved security feat(README): add support for Encrypted Client Hello (ECH) in TLS 1.3 fix(example.conf): update log format and add commented SSL configurations --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 734de13..2555c8d 100644 --- a/README.md +++ b/README.md @@ -114,7 +114,7 @@ spec: - **Native QUIC and HTTP/3 support** - OpenSSL and QUIC without patches or experimental implementations (RFC 9114, RFC 9000) - **Native PQC support** - hybrid post-quantum key exchange algorithms in elliptic curves (NIST PQC Standardization, FIPS 203/204/205) - **Native TLS 1.3 with 0-RTT** (RFC 8446, RFC 9001) -- **Native support for the Encrypted Client Hello (ECH)** - extension of the TLS 1.3 protocol +- **Native support for the Encrypted Client Hello (ECH)** - extension of the TLS 1.3 protocol (RFC 9849) ### **Supply Chain Integrity** - **Signed images** - signatures and **provenance attestation** (SLSA Level 3 requirements, in-toto attestations) 
From 22836d53a8790369ede30ba543846d9c4091ec7d Mon Sep 17 00:00:00 2001 From: ammnt Date: Mon, 9 Mar 2026 12:41:52 +0300 Subject: [PATCH 04/15] fix(env): update OpenSSL version to 4.0.0 for improved security feat(README): add support for Encrypted Client Hello (ECH) in TLS 1.3 fix(example.conf): update log format and add commented SSL configurations --- example.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/example.conf b/example.conf index c3e0463..740a199 100644 --- a/example.conf +++ b/example.conf @@ -1,4 +1,4 @@ -# This is an example of a configuration file for enabling QUIC, HTTP3 and "A+" SSL tests rating. Further configuration is required. +# This is an example of a configuration file for enabling QUIC, HTTP3, PQC, ECH and "A+" SSL tests rating. Further configuration is required. worker_processes auto; worker_rlimit_nofile 65536; pid /tmp/freenginx.pid; From 8d91b802eec3b96e02e196c0e04e0f57be6bca26 Mon Sep 17 00:00:00 2001 From: ammnt Date: Mon, 9 Mar 2026 17:21:28 +0300 Subject: [PATCH 05/15] fix(env): update OpenSSL version to 4.0.0 for improved security feat(README): add support for Encrypted Client Hello (ECH) in TLS 1.3 fix(example.conf): update log format and add commented SSL configurations --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2555c8d..b36a7d9 100644 --- a/README.md +++ b/README.md 
@@ -8,16 +8,16 @@ ![GitHub Maintained](https://img.shields.io/badge/open%20source-yes-orange) ![GitHub Maintained](https://img.shields.io/badge/maintained-yes-yellow) -> **Production-ready, security-focused FreeNGINX image with HTTP/3, QUIC and PQC support.** +> **Production-ready, security-focused FreeNGINX image with HTTP/3, QUIC, ECH and PQC support.** > [!IMPORTANT] -> QuicTLS is now deprecated. I use OpenSSL, since this library natively supports OCSP, PQC and QUIC⚠️ +> QuicTLS is now deprecated. I use OpenSSL, since this library natively supports OCSP, PQC, ECH and QUIC⚠️ > [!IMPORTANT] > NJS module has been removed due to security vulnerabilities in libxml2/libxslt dependencies⚠️ > [!TIP] -> You can find an example [configuration file](example.conf) in the repository for successfully configuring HTTP/3 and PQC💡 +> You can find an example [configuration file](example.conf) in the repository for successfully configuring HTTP/3, ECH and PQC💡 > [!IMPORTANT] > UID/GID changed to 10001 - it's [recommended](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for Kubernetes and prevents conflicts with system users⚠️ From 8ebb86c785b47ea3319f47482e3934804373a7ba Mon Sep 17 00:00:00 2001 From: ammnt Date: Mon, 9 Mar 2026 17:23:26 +0300 Subject: [PATCH 06/15] fix(env): update OpenSSL version to 4.0.0 for improved security feat(README): add support for Encrypted Client Hello (ECH) in TLS 1.3 fix(example.conf): update log format and add commented SSL configurations --- Dockerfile.template | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile.template b/Dockerfile.template index 7132e03..b63bd14 100644 --- a/Dockerfile.template +++ b/Dockerfile.template 
@@ -194,11 +194,11 @@ COPY --chown="${UID}:${GID}" ./default.conf /etc/freenginx/conf.d/default.conf EXPOSE 8080/tcp 8443/tcp 8443/udp # OCI labels for image metadata -LABEL description="Distroless FreeNGINX with HTTP/3, QUIC and PQC support🚀" \ +LABEL description="Distroless FreeNGINX with HTTP/3, QUIC, ECH and PQC support🚀" \ maintainer="ammnt " \ - org.opencontainers.image.description="Distroless FreeNGINX with HTTP/3, QUIC and PQC support🚀" \ + org.opencontainers.image.description="Distroless FreeNGINX with HTTP/3, QUIC, ECH and PQC support🚀" \ org.opencontainers.image.authors="ammnt, admin@msftcnsi.com" \ - org.opencontainers.image.title="Distroless FreeNGINX with HTTP/3, QUIC and PQC support🚀" \ + org.opencontainers.image.title="Distroless FreeNGINX with HTTP/3, QUIC, ECH and PQC support🚀" \ org.opencontainers.image.source="https://github.com/ammnt/freenginx/" \ org.opencontainers.image.created=${BUILD_DATE} \ org.opencontainers.image.documentation="https://github.com/ammnt/freenginx/blob/main/README.md" \ From a34432c7d1afb4c946abcdf395fe43dda630920e Mon Sep 17 00:00:00 2001 From: ammnt Date: Tue, 10 Mar 2026 19:30:21 +0300 Subject: [PATCH 07/15] fix(env): update APP_VERSION to 1.29.6 --- .env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.env b/.env index 66c9657..f796a93 100644 --- a/.env +++ b/.env @@ -1,7 +1,7 @@ BASE_VERSION=3.23.3 BASE_HASH=25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 OPENSSL_VERSION=4.0.0 -APP_VERSION=1.29.5 +APP_VERSION=1.29.6 PCRE_VERSION=10.47 ZLIB_VERSION=2.3.3 ZSTD_VERSION=0.1.1 From 8226553a9405bb010b121b86c55f17f9ac44ffaf Mon Sep 17 00:00:00 2001 From: ammnt Date: Thu, 19 Mar 2026 20:18:39 +0300 Subject: [PATCH 08/15] fix(workflow): update SYFT version to 1.42.3 --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ac2aeba..3180d06 100644 --- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml
@@ -17,7 +17,7 @@ env:
 MINT_VERSION: "1.41.8"
 DIVE_VERSION: "0.13.1"
 GRYPE_VERSION: "0.109.0"
- SYFT_VERSION: "1.42.1"
+ SYFT_VERSION: "1.42.3"
 DOCKER_BUILDKIT: 1
 BUILDKIT_PROGRESS: quiet
 # BUILDKIT_PROGRESS: plain
From 11d246c834817960ece3ed16e789e836ed559b15 Mon Sep 17 00:00:00 2001
From: ammnt
Date: Thu, 19 Mar 2026 21:32:35 +0300
Subject: [PATCH 09/15] fix(workflow): update GRYPE version to 0.110.0
---
.github/workflows/build.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3180d06..e9de86c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -16,7 +16,7 @@ env:
 BUILDKIT_VERSION: "0.28.0"
 MINT_VERSION: "1.41.8"
 DIVE_VERSION: "0.13.1"
- GRYPE_VERSION: "0.109.0"
+ GRYPE_VERSION: "0.110.0"
 SYFT_VERSION: "1.42.3"
 DOCKER_BUILDKIT: 1
 BUILDKIT_PROGRESS: quiet
From 2663e618b0167f317b9cecac95aaace4a91e285d Mon Sep 17 00:00:00 2001
From: ammnt
Date: Wed, 25 Mar 2026 21:06:17 +0300
Subject: [PATCH 10/15] fix(env): update BUILDKIT_VERSION to 0.28.1
---
.github/workflows/build.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e9de86c..03cfe5b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,7 +13,7 @@ env:
 IMAGE_NAME: ${{ github.repository }}
 COSIGN_VERSION: "3.0.5"
 BUILDX_VERSION: "0.32.1"
- BUILDKIT_VERSION: "0.28.0"
+ BUILDKIT_VERSION: "0.28.1"
 MINT_VERSION: "1.41.8"
 DIVE_VERSION: "0.13.1"
 GRYPE_VERSION: "0.110.0"
From 0a50a267ab9309004d3e211a3a0a5d664f0ed32c Mon Sep 17 00:00:00 2001
From: ammnt Date: Fri, 27 Mar 2026 20:40:36 +0300 Subject: [PATCH 11/15] fix(workflow): add TRIVY_VERSION and update build steps for improved image scanning fix(docker): update perl version to 5.42.1 for compatibility add(trivy): create trivy.yaml configuration for vulnerability scanning --- .github/workflows/build.yml | 109 ++++++++++++++++++++++++------------ Dockerfile.template | 2 +- trivy.yaml | 15 +++++ 3 files changed, 89 insertions(+), 37 deletions(-) create mode 100644 trivy.yaml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 03cfe5b..cd35fd0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,6 +18,7 @@ env: DIVE_VERSION: "0.13.1" GRYPE_VERSION: "0.110.0" SYFT_VERSION: "1.42.3" + TRIVY_VERSION: "0.69.3" DOCKER_BUILDKIT: 1 BUILDKIT_PROGRESS: quiet # BUILDKIT_PROGRESS: plain 
@@ -33,25 +34,41 @@ jobs: attestations: write outputs: digest: ${{ steps.digest.outputs.digest }} + app_version: ${{ steps.load_env.outputs.APP_VERSION }} + base_version: ${{ steps.load_env.outputs.BASE_VERSION }} + base_hash: ${{ steps.load_env.outputs.BASE_HASH }} + openssl_version: ${{ steps.load_env.outputs.OPENSSL_VERSION }} + pcre_version: ${{ steps.load_env.outputs.PCRE_VERSION }} + zlib_version: ${{ steps.load_env.outputs.ZLIB_VERSION }} + zstd_version: ${{ steps.load_env.outputs.ZSTD_VERSION }} + uid: ${{ steps.load_env.outputs.UID }} + gid: ${{ steps.load_env.outputs.GID }} + build_date: ${{ steps.load_env.outputs.BUILD_DATE }} + vcs_ref: ${{ steps.load_env.outputs.VCS_REF }} steps: - name: Checkout repository📥 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - name: Load .env variables☁️ + id: load_env run: | while IFS= read -r line; do if [[ ! "$line" =~ ^# ]] && [[ -n "$line" ]]; then - echo "$line" >> $GITHUB_ENV + key="${line%%=*}" + value="${line#*=}" + echo "$key=$value" >> $GITHUB_OUTPUT fi done < .env - echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV - echo "VCS_REF=$(git rev-parse HEAD)" >> $GITHUB_ENV + echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_OUTPUT + echo "VCS_REF=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - - name: Install Cosign🔐 - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad + - name: Login to GHCR🔑 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 with: - cosign-release: v${{ env.COSIGN_VERSION }} + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GH_TOKEN }} - name: Setup Docker Buildx🏗️ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f 
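Review bot: The new `Login to GHCR` step in the `build` job authenticates with `secrets.GH_TOKEN` instead of the job-scoped `GITHUB_TOKEN`; if `GH_TOKEN` is a personal access token, as its name suggests, a long-lived credential with whatever scopes it carries is exposed to every step and third-party action in this job where the ephemeral token plus `packages: write` on the job would suffice. Suggested: `password: ${{ secrets.GITHUB_TOKEN }}` with `packages: write` added to the job's `permissions:` block (only `attestations: write` of that block is visible here, so the rest sits above the hunk). The `.env` loader change is sound (`key="${line%%=*}"` / `value="${line#*=}"` tolerates `=` inside values), but a line without any `=` silently emits `key=key`; a `[[ "$line" == *=* ]]` guard beside the existing `^#` check would make malformed lines fail loudly. The `build` job continues outside the hunk.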
@@ -72,36 +89,38 @@ jobs: file: ./Dockerfile.template platforms: linux/amd64 load: true - tags: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} + tags: ghcr.io/ammnt/freenginx:${{ steps.load_env.outputs.APP_VERSION }} cache-from: type=gha cache-to: type=gha,mode=max build-args: | - BASE_VERSION=${{ env.BASE_VERSION }} - BASE_HASH=${{ env.BASE_HASH }} - OPENSSL_VERSION=${{ env.OPENSSL_VERSION }} - APP_VERSION=${{ env.APP_VERSION }} - PCRE_VERSION=${{ env.PCRE_VERSION }} - ZLIB_VERSION=${{ env.ZLIB_VERSION }} - ZSTD_VERSION=${{ env.ZSTD_VERSION }} - VCS_REF=${{ env.VCS_REF }} - UID=${{ env.UID }} - GID=${{ env.GID }} - BUILD_DATE=${{ env.BUILD_DATE }} + BASE_VERSION=${{ steps.load_env.outputs.BASE_VERSION }} + BASE_HASH=${{ steps.load_env.outputs.BASE_HASH }} + OPENSSL_VERSION=${{ steps.load_env.outputs.OPENSSL_VERSION }} + APP_VERSION=${{ steps.load_env.outputs.APP_VERSION }} + PCRE_VERSION=${{ steps.load_env.outputs.PCRE_VERSION }} + ZLIB_VERSION=${{ steps.load_env.outputs.ZLIB_VERSION }} + ZSTD_VERSION=${{ steps.load_env.outputs.ZSTD_VERSION }} + VCS_REF=${{ steps.load_env.outputs.VCS_REF }} + UID=${{ steps.load_env.outputs.UID }} + GID=${{ steps.load_env.outputs.GID }} + BUILD_DATE=${{ steps.load_env.outputs.BUILD_DATE }} - - name: Slim image with Mint🔧 + - name: Slim and push image with Mint🔧 run: | curl -sSL -o ds.tar.gz https://github.com/mintoolkit/mint/releases/download/${{ env.MINT_VERSION }}/dist_linux.tar.gz tar -xf ds.tar.gz ./dist_linux/mint --quiet build \ - --target ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} \ - --tag ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} \ + --target ghcr.io/ammnt/freenginx:${{ steps.load_env.outputs.APP_VERSION }} \ + --tag ghcr.io/ammnt/freenginx:${{ steps.load_env.outputs.APP_VERSION }} \ + --tag ghcr.io/ammnt/freenginx:latest \ --http-probe=false --continue-after=5 \ --include-path=/etc/shadow --include-path=/etc/group + docker push ghcr.io/ammnt/freenginx --all-tags - name: Get image digest🔢 id: digest run: | - 
DIGEST=$(docker inspect -f='{{index .RepoDigests 0}}' ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} | cut -d'@' -f2) + DIGEST=$(docker inspect -f='{{index .RepoDigests 0}}' ghcr.io/ammnt/freenginx:${{ steps.load_env.outputs.APP_VERSION }} | cut -d'@' -f2) echo "digest=$DIGEST" >> $GITHUB_OUTPUT security-scans: @@ -110,11 +129,22 @@ jobs: permissions: contents: read security-events: write + packages: write + id-token: write strategy: matrix: scanner: [hadolint, dive, dockle, scout, trivy, grype, snyk, syft] fail-fast: false steps: + - name: Checkout repository📥 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + + - name: Login to Docker Hub🔑 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Lint Dockerfile with Hadolint🔍 if: matrix.scanner == 'hadolint' uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 @@ -129,15 +159,16 @@ jobs: env: CI: true run: | + docker pull ghcr.io/ammnt/freenginx:${{ needs.build.outputs.app_version }} wget -q https://github.com/wagoodman/dive/releases/download/v${{ env.DIVE_VERSION }}/dive_${{ env.DIVE_VERSION }}_linux_amd64.tar.gz tar xzf dive_${{ env.DIVE_VERSION }}_linux_amd64.tar.gz -C /usr/local/bin - dive --config ./dive-ci.yml ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} + dive --config ./dive-ci.yml ghcr.io/ammnt/freenginx:${{ needs.build.outputs.app_version }} - name: Dockle scan🛡️ if: matrix.scanner == 'dockle' uses: goodwithtech/dockle-action@e30e6af832aad6ea7dca2a248d31a85eab6dbd68 with: - image: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} + image: ghcr.io/ammnt/freenginx:${{ needs.build.outputs.app_version }} exit-code: "1" exit-level: "warn" ignore: "CIS-DI-0010" 
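Review bot: `--tag ghcr.io/ammnt/freenginx:latest` followed by `docker push ghcr.io/ammnt/freenginx --all-tags` publishes both the version tag and `latest` to GHCR from the `build` job, before `security-scans` (Trivy, Grype, Dockle, Scout, Snyk, with `exit-code: "1"` on the Trivy step) has run, so an image those scanners would fail is already live under the tags consumers pull; in the old flow the push happened in the later job after the gate. Keep the gate in front of publication: push from `build` only under a throw-away candidate tag such as the commit SHA (`--tag ghcr.io/ammnt/freenginx:${{ steps.load_env.outputs.VCS_REF }}`), point the scanner steps at that tag, and move the `:${{ … APP_VERSION }}` and `:latest` tagging into the job that runs after `security-scans`, retagging from the digest the `Get image digest` step already exports. Also note `--all-tags` pushes every local tag of that repository, not just the two set here. The `build` job continues outside the hunk.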
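Review bot: The `security-scans` job gains `packages: write` and `id-token: write`, but every step visible in this job only reads the image (`docker pull`, the scanner actions), so `packages: read` is the permission that matches the work, and `id-token: write` is consumed by no step in the hunk and should be dropped unless a particular scanner needs OIDC. The new `Login to Docker Hub` step also places `DOCKERHUB_TOKEN` into a job whose sole role is running third-party scanner actions, which widens what a compromised action could reach; if the login exists only to lift Docker Hub pull rate limits, a comment saying so (`# Docker Hub login only to avoid anonymous pull rate limits`) would justify keeping it. The job's remaining steps are outside the hunk.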
@@ -147,7 +178,7 @@ jobs: uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de with: command: cves,sbom - image: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} + image: ghcr.io/ammnt/freenginx:${{ needs.build.outputs.app_version }} sarif-file: scout.sarif write-comment: true summary: false @@ -158,7 +189,7 @@ jobs: if: matrix.scanner == 'trivy' uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 with: - image-ref: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} + image-ref: ghcr.io/ammnt/freenginx:${{ needs.build.outputs.app_version }} scan-type: image format: sarif output: trivy.sarif @@ -166,12 +197,14 @@ jobs: scanners: "vuln,secret" exit-code: "1" github-pat: ${{ secrets.GH_TOKEN }} + version: v${{ env.TRIVY_VERSION }} + trivy-config: trivy.yaml - name: Grype scan🛡️ if: matrix.scanner == 'grype' uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c with: - image: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} + image: ghcr.io/ammnt/freenginx:${{ needs.build.outputs.app_version }} fail-build: false severity-cutoff: critical output-format: sarif @@ -185,7 +218,7 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - image: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} + image: ghcr.io/ammnt/freenginx:${{ needs.build.outputs.app_version }} sarif: true args: --file=Dockerfile.template --sarif-file-output=snyk.sarif @@ -194,7 +227,7 @@ jobs: uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 with: syft-version: v${{ env.SYFT_VERSION }} - image: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} + image: ghcr.io/ammnt/freenginx:${{ needs.build.outputs.app_version }} format: cyclonedx-json upload-artifact: true dependency-snapshot: true 
@@ -226,6 +259,11 @@ jobs: id-token: write attestations: write steps: + - name: Install Cosign🔐 + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad + with: + cosign-release: v${{ env.COSIGN_VERSION }} + - name: Login to GHCR🔑 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 with: @@ -239,16 +277,15 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Push images to registries🚚 + - name: Push images to Docker Hub🚚 run: | - docker tag ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} ghcr.io/ammnt/freenginx:latest - docker tag ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} ammnt/freenginx:${{ env.APP_VERSION }} - docker tag ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} ammnt/freenginx:latest - docker push ghcr.io/ammnt/freenginx --all-tags + docker pull ghcr.io/ammnt/freenginx:${{ needs.build.outputs.app_version }} + docker tag ghcr.io/ammnt/freenginx:${{ needs.build.outputs.app_version }} ammnt/freenginx:${{ needs.build.outputs.app_version }} + docker tag ghcr.io/ammnt/freenginx:${{ needs.build.outputs.app_version }} ammnt/freenginx:latest docker push ammnt/freenginx --all-tags - name: Attest image provenance📜 - continue-on-error: true + # continue-on-error: true uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 with: subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} @@ -258,7 +295,7 @@ jobs: github-token: ${{ secrets.GH_TOKEN }} - name: Sign container images✍️ - continue-on-error: true + # continue-on-error: true env: COSIGN_EXPERIMENTAL: "true" COSIGN_KEY: ${{ secrets.COSIGN_KEY }} diff --git a/Dockerfile.template b/Dockerfile.template index b63bd14..5270189 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -26,7 +26,7 @@ RUN set -eu \ linux-headers=6.16.12-r0 \ tzdata=2026a-r0 \ upx=5.0.2-r0 \ - perl=5.42.0-r0 \ + perl=5.42.1-r0 \ cmake=4.1.3-r0 \ zstd-dev=1.5.7-r2 \ zstd-static=1.5.7-r2 \ 
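Review bot: In the `Push images to Docker Hub` step, `docker pull ghcr.io/ammnt/freenginx:${{ needs.build.outputs.app_version }}` resolves a mutable tag at push time, so the bytes that get retagged for Docker Hub, attested and signed are whatever the tag points to then, not necessarily the image the scanners passed; the `build` job already exports `digest`, so pull by it: `docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }}` and run the two `docker tag` lines from that reference. Commenting out `continue-on-error: true` on the attestation and signing steps is the right direction, but leaving `# continue-on-error: true` in place reads as a toggle someone may flip back; delete the lines. The enclosing job definition starts and ends outside the hunk.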
diff --git a/trivy.yaml b/trivy.yaml new file mode 100644 index 0000000..58738a7 --- /dev/null +++ b/trivy.yaml @@ -0,0 +1,15 @@ +cache: + # Same as '--cache-dir' + dir: "/tmp/cache" + +# Same as '--debug' +debug: false + +# Same as '--insecure' +insecure: false + +# Same as '--quiet' +quiet: true + +# Same as '--timeout' +timeout: 5m0s From 7b1487b1c5eb341f51ee47aecdd4316e2bb7a2ae Mon Sep 17 00:00:00 2001 From: ammnt Date: Fri, 27 Mar 2026 23:38:23 +0300 Subject: [PATCH 12/15] fix(workflow): add TRIVY_VERSION and update build steps for improved image scanning fix(docker): update perl version to 5.42.1 for compatibility add(trivy): create trivy.yaml configuration for vulnerability scanning --- Dockerfile.template | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile.template b/Dockerfile.template index 5270189..284e0b9 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -12,7 +12,7 @@ ARG GID WORKDIR /tmp # System setup and dependency installation -RUN set -eu \ +RUN set -euo pipefail \ # Create non-root user for security (freenginx:freenginx) && addgroup --system --gid "${GID}" freenginx && adduser --disabled-password --shell /bin/false --ingroup freenginx --uid "${UID}" --no-create-home freenginx \ # Update system and install build dependencies @@ -57,7 +57,7 @@ RUN set -eu \ # Build zlib-ng and Brotli compression libraries with optimizations WORKDIR /tmp/zlib-ng -RUN set -eu \ +RUN set -euo pipefail \ && mkdir -p /tmp/ngx_brotli/deps/brotli/out \ # Configure Brotli with performance optimizations && cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF \ @@ -73,7 +73,7 @@ RUN set -eu \ # Configure and build FreeNGINX with security hardening and optimizations WORKDIR /tmp/freenginx -RUN set -eu \ +RUN set -euo pipefail \ && ./auto/configure \ --with-debug \ # Installation paths From 4077b2fff0ee8be60ddabbc45c415dcbbc118db9 Mon Sep 17 00:00:00 2001 
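Review bot: `set -euo pipefail` in the three `RUN` chains only takes effect if the shell running `RUN` accepts `pipefail`; the base looks like Alpine (the `-r0` apk pins in patch 11), whose default `/bin/sh` is BusyBox ash, and patch 13 on this page reverts all three lines, which suggests the option caused a problem. The portable way to get pipefail for every `RUN` is a single `SHELL ["/bin/ash", "-eo", "pipefail", "-c"]` instruction above them, which is also what hadolint's DL4006 check (the workflow runs hadolint) expects; whichever way is chosen, a comment on the `RUN` line such as `# pipefail: fail the chain if any piped download/extract step fails` or one explaining why it is omitted would stop the flip-flop between patches 12 and 13. Each `RUN` chain continues outside the hunk.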
From: ammnt Date: Fri, 27 Mar 2026 23:49:41 +0300 Subject: [PATCH 13/15] fix(workflow): add TRIVY_VERSION and update build steps for improved image scanning fix(docker): update perl version to 5.42.1 for compatibility add(trivy): create trivy.yaml configuration for vulnerability scanning --- Dockerfile.template | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile.template b/Dockerfile.template index 284e0b9..5270189 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -12,7 +12,7 @@ ARG GID WORKDIR /tmp # System setup and dependency installation -RUN set -euo pipefail \ +RUN set -eu \ # Create non-root user for security (freenginx:freenginx) && addgroup --system --gid "${GID}" freenginx && adduser --disabled-password --shell /bin/false --ingroup freenginx --uid "${UID}" --no-create-home freenginx \ # Update system and install build dependencies @@ -57,7 +57,7 @@ RUN set -euo pipefail \ # Build zlib-ng and Brotli compression libraries with optimizations WORKDIR /tmp/zlib-ng -RUN set -euo pipefail \ +RUN set -eu \ && mkdir -p /tmp/ngx_brotli/deps/brotli/out \ # Configure Brotli with performance optimizations && cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF \ @@ -73,7 +73,7 @@ RUN set -euo pipefail \ # Configure and build FreeNGINX with security hardening and optimizations WORKDIR /tmp/freenginx -RUN set -euo pipefail \ +RUN set -eu \ && ./auto/configure \ --with-debug \ # Installation paths From 473f121d10c5daa6f0fc48c5d8ccc2da7ca6d41c Mon Sep 17 00:00:00 2001 From: ammnt Date: Sat, 28 Mar 2026 11:07:08 +0300 Subject: [PATCH 14/15] fix(workflow): add TRIVY_VERSION and update build steps for improved image scanning fix(docker): update perl version to 5.42.1 for compatibility add(trivy): create trivy.yaml configuration for vulnerability scanning --- .github/workflows/build.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cd35fd0..2fd505c 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -117,6 +117,12 @@ jobs: --include-path=/etc/shadow --include-path=/etc/group docker push ghcr.io/ammnt/freenginx --all-tags + - name: Upload Mint report📁 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f + with: + name: mint-report + path: slim.report.json + - name: Get image digest🔢 id: digest run: | From d722cae241b31578d92d50c3c0b582092567a07f Mon Sep 17 00:00:00 2001 From: ammnt Date: Sun, 29 Mar 2026 11:40:02 +0300 Subject: [PATCH 15/15] fix(workflow): add TRIVY_VERSION and update build steps for improved image scanning fix(docker): update perl version to 5.42.1 for compatibility add(trivy): create trivy.yaml configuration for vulnerability scanning --- example.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/example.conf b/example.conf index 740a199..73df75f 100644 --- a/example.conf +++ b/example.conf @@ -73,8 +73,8 @@ http { add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1' always; quic_retry on; quic_gso on; - log_format main '[$time_local] $request_time $uri $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher'; - # log_format ech '[$time_local] $request_time "$request" $status $uri $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher' + log_format main '[$time_local] $request_time $request_method $uri $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher'; + # log_format ech '[$time_local] $request_time $request_method "$request" $status $uri $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher' # 'ECH:$ssl_ech_status:$ssl_ech_outer_server_name $ssl_server_name'; log_format debug escape=json '{' '"@timestamp": "$time_iso8601", '