Merge pull request #67 from melodee-project/fix-pr-66

Fix pr 66

Author: sphildreth

.github/docker/Dockerfile.container-scan

@@ -0,0 +1,15 @@
+FROM mcr.microsoft.com/dotnet/aspnet:10.0.4
+
+WORKDIR /app
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        ffmpeg \
+        postgresql-client \
+        curl \
+        lbzip2 \
+        && rm -rf /var/lib/apt/lists/*
+
+COPY scan/publish/ .
+
+ENTRYPOINT ["dotnet", "server.dll"]

.github/workflows/dotnet.yml

@@ -22,7 +22,7 @@ jobs:
     - name: Setup .NET
       uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 10.0.x
+        dotnet-version: 10.0.104
     - name: Restore dependencies
       run: dotnet restore
     - name: Validate localization resources

.github/workflows/gitleaks.yml

@@ -29,16 +29,20 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Run gitleaks
-        uses: gitleaks/gitleaks-action@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITLEAKS_ENABLE_COMMENTS: true
-          GITLEAKS_ENABLE_SARIF: true
-          GITLEAKS_SARIF_FILE: gitleaks.sarif
+      - name: Run gitleaks on pull request commits
+        if: github.event_name == 'pull_request'
+        uses: docker://zricethezav/gitleaks:v8.30.0
+        with:
+          args: detect --source . --redact --report-format sarif --report-path gitleaks.sarif --exit-code 1 --log-opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}
+
+      - name: Run gitleaks on pushed commits
+        if: github.event_name == 'push'
+        uses: docker://zricethezav/gitleaks:v8.30.0
+        with:
+          args: detect --source . --redact --report-format sarif --report-path gitleaks.sarif --exit-code 1 --log-opts=${{ github.event.before }}..${{ github.sha }}
 
       - name: Upload SARIF results
-        if: always()
+        if: always() && hashFiles('gitleaks.sarif') != ''
         uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: gitleaks.sarif

.github/workflows/localization.yml

@@ -64,7 +64,7 @@ jobs:
     - name: Setup .NET
       uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 10.0.x
+        dotnet-version: 10.0.104
 
     - name: Restore dependencies
       run: dotnet restore

.github/workflows/sca-container-scan.yml

@@ -36,15 +36,6 @@ jobs:
           fail-on-severity: high
           # Comment on pull requests with details
           comment-summary-in-pr: on-failure
-          # Output format for GitHub Security tab
-          sarif-output: srp-results.sarif
-
-      - name: Upload SARIF results
-        if: always()
-        uses: github/codeql-action/upload-sarif@v4
-        with:
-          sarif_file: srp-results.sarif
-          category: "dependency-review"
 
   container-scan:
     name: Container Image Scan
@@ -58,13 +49,22 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.104
+
+      - name: Publish application for scanning
+        run: dotnet publish src/Melodee.Blazor/Melodee.Blazor.csproj -c Release -o scan/publish --self-contained false -p:PublishTrimmed=false
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
       - name: Build Docker image for scanning
         uses: docker/build-push-action@v5
         with:
           context: .
+          file: .github/docker/Dockerfile.container-scan
           load: true
           tags: melodee:latest
           cache-from: type=gha
@@ -80,7 +80,7 @@ jobs:
           limit-severity-skip: false
 
       - name: Upload SARIF results
-        if: always()
+        if: always() && hashFiles('trivy-results.sarif') != ''
         uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: trivy-results.sarif
@@ -100,7 +100,7 @@ jobs:
       - name: Setup .NET
         uses: actions/setup-dotnet@v4
         with:
-          dotnet-version: 10.0.x
+          dotnet-version: 10.0.104
 
       - name: Check for vulnerable NuGet packages
         run: |

Directory.Build.props

@@ -2,4 +2,4 @@
   <PropertyGroup>
     <AllowMissingPrunePackageData>true</AllowMissingPrunePackageData>
   </PropertyGroup>
-</Project>
+</Project>

global.json

@@ -1,6 +1,6 @@
 {
   "sdk": {
-    "version": "10.0.100",
-    "rollForward": "latestMinor"
+    "version": "10.0.104",
+    "rollForward": "latestPatch"
   }
 }