Automatically rebuild images when detecting "critical" CVEs #136

Open
3 tasks
alessfg opened this issue Mar 16, 2023 · 4 comments

Comments

@alessfg
Collaborator

alessfg commented Mar 16, 2023

Is your feature request related to a problem? Please describe

CVEs are routinely posted for these images. Most of them do not affect NGINX directly, but that's not always the case.

Describe the solution you'd like

We should scan for CVEs on a daily basis and flag any relevant CVEs as critical (CVEs with a critical severity that directly impact NGINX or a package used by NGINX). Should any critical CVEs be flagged, we should check if a fix for the CVEs is available, and if so, immediately rebuild the relevant images.

Additional context

As of today, Docker builds are cached using the GitHub Actions cache. The base Alpine/Debian images are not necessarily rebuilt/pushed when a new CVE is found and fixed, so we might need to wipe the GitHub Actions cache before rebuilding any relevant images. See #137 for tracking info.

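As an added illustration of the triage rule in the opening post (example code written for this page, not code from this repository): a Python script that reads a Trivy-style JSON report (the report layout is an assumption), keeps only CRITICAL findings in nginx or an assumed dependency set `NGINX_PACKAGES`, and reports that a rebuild is needed only when a fixed version exists.

```python
import json

# Policy from the issue: react only to CRITICAL CVEs that hit nginx or a
# package nginx depends on, and rebuild only once a fixed version exists.
# Report shape assumed Trivy-style JSON (Results[].Vulnerabilities[]).
# Assumed nginx runtime dependency set (e.g. from ldd at build time); hypothetical.
NGINX_PACKAGES = {"nginx", "openssl", "libssl3", "libcrypto3", "pcre2", "zlib"}

# Constructed sample report, not real scanner output.
CONSTRUCTED_REPORT = json.dumps({"Results": [{
    "Target": "nginx:alpine (alpine 3.17)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "CRITICAL",
         "InstalledVersion": "3.0.8-r0", "FixedVersion": "3.0.9-r0"},     # relevant, fixable
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libcrypto3", "Severity": "CRITICAL",
         "InstalledVersion": "3.0.8-r0", "FixedVersion": ""},             # relevant, no fix yet
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "HIGH",
         "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1"},   # below threshold
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "busybox", "Severity": "CRITICAL",
         "InstalledVersion": "1.35.0-r29", "FixedVersion": "1.35.0-r30"}, # not an nginx dep
    ]}]})


def triage(report_json, nginx_packages=NGINX_PACKAGES):
    """Return (fixable, unfixed): relevant CRITICAL CVE ids split by fix availability."""
    fixable, unfixed = [], []
    for result in json.loads(report_json).get("Results", []):
        # Guard against a missing or null Vulnerabilities list for a target.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") != "CRITICAL":
                continue
            if vuln.get("PkgName") not in nginx_packages:
                continue
            bucket = fixable if vuln.get("FixedVersion") else unfixed
            bucket.append(vuln["VulnerabilityID"])
    return fixable, unfixed


def needs_rebuild(report_json, nginx_packages=NGINX_PACKAGES):
    """Rebuild only when at least one relevant CRITICAL CVE already has a fix."""
    return bool(triage(report_json, nginx_packages)[0])


if __name__ == "__main__":
    fixable, unfixed = triage(CONSTRUCTED_REPORT)
    print("rebuild needed:", needs_rebuild(CONSTRUCTED_REPORT))
    print("fixable:", fixable, "| waiting on upstream fix:", unfixed)
```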
@K2ouMais

K2ouMais commented Jun 19, 2023

Is there a way to update openssl? It seems I can't update it as the "nginx" user?

I am scanning my images only for CRITICAL and HIGH CVEs.

An update to Alpine Linux 3.18 would also resolve this.

@alessfg
Collaborator Author

alessfg commented Jun 19, 2023

Did you pull the latest image released this AM? The issue should have been fixed.

Also, for future reference, I would appreciate if you open a new issue if you think there's a security issue (assuming it qualifies per the Security guidelines) 😄

@t4nguy3n

I wonder if the new image build includes running security update e.g., `sudo apt list --upgradable | grep security |cut -d\/ -f1|xargs sudo apt-get install -y`

@alessfg
Collaborator Author

alessfg commented Nov 27, 2023

See #174 for my answer 🙂
