Merge pull request #181 from rwlxxvii/main

sync

.github/workflows/codeql.yml

@@ -0,0 +1,96 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '43 10 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: javascript-typescript
+          build-mode: none
+        - language: python
+          build-mode: none
+        - language: ruby
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

auth/authentik/docker-compose.yml

@@ -85,7 +85,7 @@ services:
 
   server:
     <<: *common-vars-apps
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
     container_name: authentik-server
     hostname: authentik-server.dev.io
     command: server
@@ -123,7 +123,7 @@ services:
 
   worker:
     <<: *common-vars-apps
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
     container_name: authentik-worker
     hostname: authentik-worker.dev.io
     command: worker

auth/boundary/Dockerfile

@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:1
 # boundary: provides access to applications and critical systems with fine-grained authorizations without managing credentials or exposing your network.
 ARG repo="docker.io" \
-    base_image="alpine:3.19" \
-    image_hash="6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0"
+    base_image="alpine:3.20" \
+    image_hash="beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d"
 
 FROM ${repo}/${base_image}@sha256:${image_hash} AS base
 
@@ -20,7 +20,7 @@ RUN \
 
 FROM base AS build-env
 
-ENV PRODUCT_VERSION=0.15.0 \
+ENV PRODUCT_VERSION=0.16.1 \
     GPG_KEY=C874011F0AB405110D02105534365D9472D7468F \
     SNYK_API=
 
@@ -88,7 +88,7 @@ LABEL org.opencontainers.image.name='Hashicorp Boundary' \
     org.opencontainers.image.url='https://www.boundaryproject.io/' \
     org.opencontainers.image.vendor='Hashicorp' \
     org.opencontainers.image.licenses='Mozilla Public License 2.0' \
-    org.opencontainers.image.schema-version='0.15.0' \
+    org.opencontainers.image.schema-version='0.16.1' \
     MAINTAINER="@rw"
 
 RUN \

auth/defguard/Dockerfile

@@ -45,7 +45,7 @@ RUN \
     pnpm run generate-translation-types; \
     pnpm build
 
-FROM debian:bookworm-slim as runtime
+FROM debian:bookworm-20240701-slim as runtime
 
 RUN \
     apt-get update -y; \

auth/hanko/backend/Dockerfile

@@ -2,8 +2,8 @@
 # hanko: backend provides an HTTP API to build a modern login and registration experience for your users.
 
 ARG repo="docker.io" \
-    base_image="alpine:3.19" \
-    image_hash="13b7e62e8df80264dbb747995705a986aa530415763a6c58f84a3ca8af9a5bcd"
+    base_image="alpine:3.20" \
+    image_hash="beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d"
 
 FROM ${repo}/${base_image}@sha256:${image_hash} AS go-builder
 

auth/hanko/frontend/Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1.4
 ARG repo="docker.io" \
-    base_image="alpine:3.19" \
-    image_hash="13b7e62e8df80264dbb747995705a986aa530415763a6c58f84a3ca8af9a5bcd"
+    base_image="alpine:3.20" \
+    image_hash="beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d"
 
 # build node from source
 FROM ${repo}/${base_image}@sha256:${image_hash} AS node-base

auth/keycloak/Dockerfile

@@ -2,8 +2,8 @@
 # keycloak: Add authentication to applications and secure services with minimum effort.
 
 ARG repo="docker.io" \
-    base_image="alpine:3.19" \
-    image_hash="13b7e62e8df80264dbb747995705a986aa530415763a6c58f84a3ca8af9a5bcd"
+    base_image="alpine:3.20" \
+    image_hash="beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d"
 
 FROM ${repo}/${base_image}@sha256:${image_hash} AS base
 
@@ -12,7 +12,7 @@ LABEL org.opencontainers.image.name='Keycloak' \
     org.opencontainers.image.usage='https://www.keycloak.org/guides' \
     org.opencontainers.image.url='https://www.keycloak.org/' \
     org.opencontainers.image.licenses='Apache License 2.0' \
-    org.opencontainers.image.schema-version='22.0.5'
+    org.opencontainers.image.schema-version='24.0.1'
 
 ARG BUILD_DATE
 ARG VCS_REF

auth/keycloak/ubi9/Dockerfile

@@ -3,10 +3,10 @@
 # additional security configurations applied via "el9-container-hardening.sh", final stage runs a malware scan during build time.
 # snyk source code review and dependency checks, you will need a snyk account and use your api key.
 # STIG benchmarks validate configurations are applied, with reports found in /artifacts
-ARG fetcher_image="registry.access.redhat.com/ubi9/ubi-minimal:9.3-1361.1699548032" \
-    fetcher_hash="3e313209ac617a92b50350286752311d99ea2dafc429ef0e5311889294b0bc21" \
-    keycloak_image="quay.io/keycloak/keycloak:22.0.5" \
-    keycloak_hash="bad320e60a7fadfa36e37ccc56af3d50d0f4001c469cd2a7b363341480593a2b"
+ARG fetcher_image="registry.access.redhat.com/ubi9/ubi-minimal:9.3-1612" \
+    fetcher_hash="bc552efb4966aaa44b02532be3168ac1ff18e2af299d0fe89502a1d9fabafbc5" \
+    keycloak_image="quay.io/keycloak/keycloak:24.0.1" \
+    keycloak_hash="8e38bc8a4e0606e38a37401422dfbf414e2b73797952dfe94c9b56e2f9207897"
 
 FROM ${fetcher_image}@sha256:${fetcher_hash} as fetcher
 
@@ -17,11 +17,11 @@ ARG GOMPLATE_VERSION \
     SNYK_API=" "
 
     # renovate: datasource=github-releases depName=hairyhenderson/gomplate
-ENV GOMPLATE_VERSION="${GOMPLATE_VERSION:-v3.11.5}" \
+ENV GOMPLATE_VERSION="${GOMPLATE_VERSION:-v3.11.7}" \
     # renovate: datasource=github-releases depName=thegeeklab/wait-for
     WAIT_FOR_VERSION="${WAIT_FOR_VERSION:-v0.4.2}" \
     # renovate: datasource=github-releases depName=sventorben/keycloak-restrict-client-auth
-    RESTRICT_CLIENT_AUTH_VERSION="${RESTRICT_CLIENT_AUTH_VERSION:-v22.0.0}"
+    RESTRICT_CLIENT_AUTH_VERSION="${RESTRICT_CLIENT_AUTH_VERSION:-v24.0.0}"
 
 RUN microdnf install -y \
         tar \

auth/vault/Dockerfile

@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:1
 # vault: Secure, store, and tightly control access to tokens, passwords, certificates, and encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
 ARG repo="docker.io" \
-    base_image="alpine:3.19" \
-    image_hash="6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0"
+    base_image="alpine:3.20" \
+    image_hash="beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d"
 
 FROM ${repo}/${base_image}@sha256:${image_hash} AS base
 
@@ -18,7 +18,7 @@ RUN \
 
 FROM base AS build-env
 
-ENV VAULT_VER=1.15.5 \
+ENV VAULT_VER=1.16.3 \
     VAULT_GPGKEY=C874011F0AB405110D02105534365D9472D7468F \
     SNYK_API=
 
@@ -87,7 +87,7 @@ LABEL org.opencontainers.image.name='Hashicorp Vault' \
     org.opencontainers.image.url='https://www.hashicorp.com/products/vault' \
     org.opencontainers.image.vendor='Hashicorp' \
     org.opencontainers.image.licenses='Mozilla Public License 2.0' \
-    org.opencontainers.image.schema-version='1.15.5' \
+    org.opencontainers.image.schema-version='1.16.3' \
     MAINTAINER="@rw"
 
 RUN \

auth/zitadel/Dockerfile.quickstart

@@ -1,4 +1,4 @@
-FROM debian:latest as download
+FROM debian:bookworm-20240701 as download
 
 RUN \
     apt-get update; \
@@ -20,7 +20,7 @@ RUN \
         wget -c https://github.com/zitadel/zitadel/releases/download/$LATEST/zitadel-linux-$ARCH.tar.gz -O - | tar -xz; \
         mv zitadel-linux-$ARCH/zitadel /usr/local/bin
 
-FROM debian:latest
+FROM debian:bookworm-20240701
 
 COPY --chmod=755 --from=download /usr/local/bin /usr/local/bin
 

auth/zitadel/crdb/nginx/Dockerfile

@@ -1,4 +1,4 @@
-FROM nginx:alpine
+FROM nginx:1.25.4-alpine3.18
 
 COPY nginx.conf /etc/nginx/nginx.conf
 

dast/caido/Dockerfile

@@ -3,7 +3,7 @@
 
 ARG repo="quay.io/almalinuxorg" \
     base_image="9-minimal" \
-    image_hash="bc83a80849984abca9a46d50cb163d2cd30255fd37485bc294bf817897ed7c26"
+    image_hash="35bc27840422ce1ccc3056994e449c142c3a817417ea5bbb953fa97d0bc63d3b"
 
 FROM ${repo}/${base_image}@sha256:${image_hash} AS base
 
@@ -12,7 +12,7 @@ LABEL org.opencontainers.image.name='Caido' \
       org.opencontainers.image.usage='https://docs.caido.io/user_guide' \
       org.opencontainers.image.url='https://caido.io/' \
       org.opencontainers.image.vendor='Caido' \
-      org.opencontainers.image.schema-version='0.30.4' \
+      org.opencontainers.image.schema-version='0.40.0' \
       MAINTAINER="@rw"
 
 RUN \

dast/caido/cdk/package.json

@@ -18,6 +18,6 @@
     "typescript": "~5.2.2"
   },
   "dependencies": {
-    "aws-cdk-lib": "2.126.0"
+    "aws-cdk-lib": "2.144.0"
   }
 }

dast/nuclei/Dockerfile

@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:1
 # nuclei: Fast and customizable vulnerability scanner based on simple YAML based DSL.
 ARG repo="docker.io" \
-    base_image="alpine:3.19" \
-    image_hash="6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0"
+    base_image="alpine:3.20" \
+    image_hash="beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d"
 
 FROM ${repo}/${base_image}@sha256:${image_hash} AS base
 
@@ -13,7 +13,7 @@ LABEL \
     org.opencontainers.image.url='https://projectdiscovery.io/#/' \
     org.opencontainers.image.vendor='Project Discovery' \
     org.opencontainers.image.licenses='MIT' \
-    org.opencontainers.image.schema-version='3.1.10'
+    org.opencontainers.image.schema-version='3.3.2'
 
 RUN \
     apk add --no-cache \
@@ -25,7 +25,7 @@ RUN \
 FROM base AS go-builder
 
 ENV GOPATH=/usr/local/bin/go \
-    VER=3.1.10 \
+    VER=3.3.2 \
     SNYK_API=
 
 RUN \

dast/siege/Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 ARG repo="docker.io" \
-    base_image="alpine:3.19" \
-    image_hash="6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0"
+    base_image="alpine:3.20" \
+    image_hash="beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d"
 
 FROM ${repo}/${base_image}@sha256:${image_hash} AS builder
 

dast/wapiti/Dockerfile

@@ -2,7 +2,7 @@
 # wapiti: Audit the security of your websites or web applications.
 ARG repo="quay.io/almalinuxorg" \
     base_image="9-minimal" \
-    image_hash="bc83a80849984abca9a46d50cb163d2cd30255fd37485bc294bf817897ed7c26"
+    image_hash="35bc27840422ce1ccc3056994e449c142c3a817417ea5bbb953fa97d0bc63d3b"
 
 FROM ${repo}/${base_image}@sha256:${image_hash} AS base
 
@@ -12,7 +12,7 @@ LABEL \
     org.opencontainers.image.usage='https://github.com/wapiti-scanner/wapiti/blob/master/doc/wapiti.ronn' \
     org.opencontainers.image.url='https://wapiti-scanner.github.io/' \
     org.opencontainers.image.licenses='GNU General Public License v2.0' \
-    org.opencontainers.image.schema-version='3.1.7'
+    org.opencontainers.image.schema-version='3.2.0'
 
 RUN \
     microdnf install -y yum-utils epel-release; \
@@ -37,7 +37,7 @@ FROM base AS builder
 ENV PYTHONDONTWRITEBYTECODE=1 \
     SNYK_API=
 
-ARG VER=3.1.7
+ARG VER=3.2.0
 
 WORKDIR /tmp
 

dast/wapiti/Dockerfile.ol9

@@ -7,7 +7,7 @@ ENV PYTHONDONTWRITEBYTECODE=1
 #In the CLI, run snyk auth [<API_TOKEN>] or snyk config set api=<token>. The <API_TOKEN>is validated by the Snyk API.
 #ENV SNYK_API=
 
-ARG VER=3.1.7
+ARG VER=3.1.8
 
 WORKDIR /tmp
 RUN set -eux; \

dast/zap/Dockerfile-alpine

@@ -39,7 +39,7 @@ RUN set -eux; \
     apk del --purge .build-deps; \
     rm -rf /var/cache/apk/*
 
-FROM alpine:3.18.3
+FROM alpine:3
 RUN set -eux; \
 	  \
     apk add --no-cache \

data/deeplake/Dockerfile

@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:1
 # deeplake: Database for AI powered by a storage format optimized for deep-learning applications.
 ARG repo="docker.io" \
-    base_image="alpine:3.19" \
-    image_hash="6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0"
+    base_image="alpine:3.20" \
+    image_hash="beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d"
 
 FROM ${repo}/${base_image}@sha256:${image_hash}