Add Docker Scout security scanning to CI workflow #5
…tion with documentation.
- Added GitHub Actions workflow with Dockerfile linting
- Created Dockerfiles for n8n and Temporal services
- Added docker-compose.yml for orchestration
- Updated .gitignore to exclude volumes
- Enhanced README with setup instructions

- Add Docker Scout job to scan container images for vulnerabilities
- Build and scan both n8n and temporal Docker images
- Generate SARIF reports for security findings
- Upload scan results to GitHub using CodeQL action
Pull Request Overview
This PR introduces a Docker security check by adding a Docker Scout job for vulnerability scanning and generating SARIF reports for n8n and Temporal images. Key changes include:
- Adding a new docker-compose configuration file for n8n and Temporal services.
- Updating the README with detailed usage instructions.
- Enhancing the GitHub workflows with Docker scanning and linting steps to improve security analysis.
Reviewed Changes
Copilot reviewed 4 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| docker-compose.yml | Added service definitions for n8n and Temporal services |
| README.md | Updated documentation with setup, usage, and troubleshooting instructions |
| .github/workflows/code-quality.yml | Added new jobs for Dockerfile linting and Docker security scanning |
Files not reviewed (2)
- Dockerfile.n8n: Language not supported
- Dockerfile.temporal: Language not supported
Walkthrough
A new job named
Changes
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant GitHub Actions
    participant hadolint Job
    participant docker-scout Job
    participant Docker Buildx
    participant Docker Scout
    participant GitHub (SARIF upload)
    GitHub Actions->>hadolint Job: Run hadolint job
    hadolint Job-->>GitHub Actions: Complete
    GitHub Actions->>docker-scout Job: Start after hadolint
    docker-scout Job->>Docker Buildx: Build Dockerfile.n8n (n8n-test:latest)
    docker-scout Job->>Docker Buildx: Build Dockerfile.temporal (temporal-test:latest)
    docker-scout Job->>Docker Scout: Scan n8n-test:latest, output n8n-scan.sarif
    docker-scout Job->>Docker Scout: Scan temporal-test:latest, output temporal-scan.sarif
    docker-scout Job->>GitHub (SARIF upload): Upload n8n-scan.sarif (category: n8n)
    docker-scout Job->>GitHub (SARIF upload): Upload temporal-scan.sarif (category: temporal)
```
Caution
Inline review comments failed to post. This is likely due to GitHub's limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.
Actionable comments posted: 2
🧹 Nitpick comments (16)
.gitignore (1)
137-137: Refine the `.gitignore` pattern for persistent volumes.
The entry `volumes` will ignore any file or directory named `volumes` anywhere in the repo. If the intention is to ignore only `./volumes/` at the root, anchor the pattern:
```diff
- volumes
+ /volumes/
```
Dockerfile.n8n (1)
1-1: Consider pinning the base image to a digest for immutability.
Tag-based pins (e.g., `1.22.0`) can shift under the hood. Using a SHA256 digest ensures you always get the exact same image:
```dockerfile
FROM n8nio/n8n:1.22.0@sha256:<digest>
```
Dockerfile.temporal (2)
1-1: Consider pinning to a digest for reproducible builds.
Floating tags can change; use a digest to lock the image:
```dockerfile
FROM temporalio/auto-setup:1.20@sha256:<digest>
```
17-18: Explicitly qualify the exposed port protocol.
For clarity, specify `tcp`:
```dockerfile
EXPOSE 7233/tcp
```
README.md (2)
35-35: Rephrase for conciseness.
Consider a tighter phrasing:
```diff
- If you've made changes to the Dockerfiles, you'll need to rebuild the images:
+ After updating the Dockerfiles, rebuild the images:
```
🧰 Tools
🪛 LanguageTool
[style] ~35-~35: Consider shortening or rephrasing this to strengthen your wording.
Context: ... ### Building custom images If you've made changes to the Dockerfiles, you'll need to rebuild...(MAKE_CHANGES)
64-65: Avoid bare URLs.
Wrap service endpoints in Markdown links or angle brackets to satisfy MD034:
```diff
- - **n8n**: http://localhost:5678
- - **Temporal UI**: http://localhost:8080
+ - **n8n**: [http://localhost:5678](http://localhost:5678)
+ - **Temporal UI**: [http://localhost:8080](http://localhost:8080)
```
🧰 Tools
🪛 markdownlint-cli2 (0.17.2)
64-64: Bare URL used
null(MD034, no-bare-urls)
65-65: Bare URL used
null(MD034, no-bare-urls)
.github/workflows/code-quality.yml (3)
32-32: Remove trailing whitespace for YAML compliance.
Lines 32 and 43 contain only spaces, triggering YAML lint errors. Delete the spaces so they're truly blank lines.
Also applies to: 43-43
🧰 Tools
🪛 YAMLlint (1.35.1)
[error] 32-32: trailing spaces
(trailing-spaces)
15-18: DRY up duplicate checkout steps.
Each job repeats:
```yaml
- name: Checkout code
  uses: actions/checkout@v4
```
Consider moving this into a reusable workflow or composite action to reduce duplication and ensure consistency.
Also applies to: 24-29, 37-43, 49-54
17-18: Implement real linting or remove the stub.
The `lint` job currently runs `echo "Linting..."`. Either replace it with actual lint commands (e.g., ESLint, Prettier) or remove the placeholder if not needed.
docker-compose.yml (7)
1-2: Declare Compose file version for clarity
Although Compose v2 infers the version, explicitly stating it (e.g., `"3.8"`) helps ensure compatibility with newer features and tooling. Apply this diff:
```diff
- services:
+ version: "3.8"
+ services:
```
3-15: Add container name and restart policy to n8n service
For consistency with other services and to make local debugging more resilient, add an explicit `container_name` and a `restart: unless-stopped` policy.
```diff
  n8n:
-   build:
+   container_name: n8n
+   restart: unless-stopped
+   build:
      context: .
      dockerfile: Dockerfile.n8n
```
17-35: Introduce healthcheck and restart policy for Elasticsearch
Adding a healthcheck ensures Temporal doesn't start before OpenSearch is ready. Also, include a `restart` policy to auto-recover on failure.
```diff
  elasticsearch:
    container_name: temporal-elasticsearch
+   restart: unless-stopped
    image: opensearchproject/opensearch:2.5.0
+   healthcheck:
+     test: ["CMD-SHELL", "curl -s http://localhost:9200/_cluster/health | grep -q '\"status\":\"green\"'"]
+     interval: 30s
+     timeout: 10s
+     retries: 5
    environment:
      - discovery.type=single-node
      - bootstrap.memory_lock=true
```
37-49: Introduce healthcheck and restart policy for PostgreSQL
A `healthcheck` with `pg_isready` will prevent race conditions, and a `restart` policy improves fault tolerance.
```diff
  postgresql:
    container_name: temporal-postgresql
+   restart: unless-stopped
    image: postgres:14
+   healthcheck:
+     test: ["CMD-SHELL", "pg_isready -U temporal"]
+     interval: 30s
+     timeout: 10s
+     retries: 5
    environment:
      POSTGRES_USER: temporal
      POSTGRES_PASSWORD: temporal
```
51-63: Add restart policy to Temporal service
Ensuring the Temporal server restarts automatically on failure will improve local environment stability.
```diff
  temporal:
    container_name: temporal
+   restart: unless-stopped
    build:
      context: .
      dockerfile: Dockerfile.temporal
```
64-76: Add restart policy to Temporal UI service
Applying a restart policy here completes the resilience strategy across all core services.
```diff
  temporal-ui:
    container_name: temporal-ui
+   restart: unless-stopped
    image: temporalio/ui:2.10.3
    depends_on:
      - temporal
```
77-96: Standardize volume naming
The volume keys mix underscores and hyphens (`n8n_data` vs. `elasticsearch-data`). Consider picking one convention (e.g., all hyphens) to improve readability and consistency.
🛑 Comments failed to post (2)
Dockerfile.temporal (1)
4-11: 🛠️ Refactor suggestion
Avoid hardcoding sensitive credentials in the Dockerfile.
Embedding `POSTGRES_USER` and `POSTGRES_PWD` in the image history leaks secrets. Instead, remove them from the `ENV` and supply via runtime (e.g., Docker Compose environment or `.env` file):
```diff
- ENV POSTGRES_USER=temporal \
-     POSTGRES_PWD=temporal \
```
Then in `docker-compose.yml`:
```yaml
services:
  temporal:
    environment:
      - POSTGRES_USER=${TEMPORAL_DB_USER}
      - POSTGRES_PWD=${TEMPORAL_DB_PWD}
```
docker-compose.yml (1)
97-99: ⚠️ Potential issue
Fix trailing whitespace and ensure newline at EOF
YAML lint flags a trailing space on `driver: bridge` (line 99) and requires a final newline.
```diff
  networks:
    app-network:
-     driver: bridge 
+     driver: bridge
```
(Also ensure the file ends with a newline.)
📝 Committable suggestion
‼️ IMPORTANT: Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
```yaml
networks:
  app-network:
    driver: bridge
```
🧰 Tools
🪛 YAMLlint (1.35.1)
[error] 99-99: no new line character at the end of file
(new-line-at-end-of-file)
[error] 99-99: trailing spaces
(trailing-spaces)
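The review above asks for several things at once: restart policies, healthchecks that gate start order, and database credentials that come from the environment rather than from the image's `ENV` layer. The Compose file below is an added example showing how those pieces fit together; it is not the PR's own `docker-compose.yml`. It assumes a `.env` file defining `TEMPORAL_DB_USER` and `TEMPORAL_DB_PWD` (the variable names the review suggests), that the `DB`, `DB_PORT` and `POSTGRES_SEEDS` variables follow the `temporalio/auto-setup` image's environment conventions, and that `curl` is available inside the `opensearchproject/opensearch` image.

```yaml
# Added example (not the PR's docker-compose.yml): health-gated start order,
# restart policies, and credentials sourced from .env instead of the Dockerfile.
# Assumptions: .env defines TEMPORAL_DB_USER / TEMPORAL_DB_PWD; DB, DB_PORT and
# POSTGRES_SEEDS follow the temporalio/auto-setup conventions; curl exists in
# the opensearch image.
services:
  postgresql:
    image: postgres:14
    container_name: temporal-postgresql
    restart: unless-stopped
    environment:
      POSTGRES_USER: ${TEMPORAL_DB_USER}
      POSTGRES_PASSWORD: ${TEMPORAL_DB_PWD}
    healthcheck:
      # "$$" escapes the dollar for Compose so the container's shell expands it,
      # which keeps the user name out of this file entirely.
      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_USER}"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s
    volumes:
      - postgresql-data:/var/lib/postgresql/data

  opensearch:
    image: opensearchproject/opensearch:2.5.0
    container_name: temporal-opensearch
    restart: unless-stopped
    environment:
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      # Local development only: with the security plugin enabled the healthcheck
      # below must use https and credentials instead of plain http.
      - plugins.security.disabled=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
    cap_add:
      - IPC_LOCK
    healthcheck:
      # A single node never reaches "green" (no replica shards), so accept yellow.
      test: ["CMD-SHELL", "curl -sf http://localhost:9200/_cluster/health | grep -Eq '\"status\":\"(green|yellow)\"'"]
      interval: 10s
      timeout: 5s
      retries: 12
      start_period: 30s
    volumes:
      - opensearch-data:/usr/share/opensearch/data

  temporal:
    build:
      context: .
      dockerfile: Dockerfile.temporal
    container_name: temporal
    restart: unless-stopped
    environment:
      - DB=postgresql
      - DB_PORT=5432
      - POSTGRES_SEEDS=postgresql
      - POSTGRES_USER=${TEMPORAL_DB_USER}
      - POSTGRES_PWD=${TEMPORAL_DB_PWD}
    # service_healthy waits for the healthcheck to pass, not merely for the
    # container to start, which is what removes the race the review describes.
    depends_on:
      postgresql:
        condition: service_healthy
      opensearch:
        condition: service_healthy
    ports:
      - "7233:7233"

volumes:
  postgresql-data:
  opensearch-data:
```

Two details worth noting: `start_period` keeps slow-starting services (OpenSearch in particular) from burning through their retry budget before they are even listening, and because the credentials are interpolated from `.env`, the `.env` file itself must stay out of version control (`.env.example` is what gets committed).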
- Replace direct path mapping for n8n_data volume with named volume reference
- Replace direct path mapping for elasticsearch-data volume with named volume reference
- Replace direct path mapping for postgresql-data volume with named volume reference

- Enhanced Dockerfiles with explicit non-root users for n8n and Temporal
- Added health check endpoints and metrics configuration to n8n
- Improved healthcheck commands with proper shell form in Dockerfiles
- Added service dependencies with health conditions in docker-compose.yml
- Created check_services.sh script to verify all services accessibility
- Added PostgreSQL and Elasticsearch healthcheck configurations
- Updated README with service health checking documentation
- Added IPC_LOCK capability for Elasticsearch container

- Added new 'service-check' job in GitHub workflow
- Implemented steps to build and start docker services for testing
- Added verification step using scripts/check_services.sh
- Included cleanup to ensure services are stopped after testing

- Changed Docker setup-buildx-action from v2 to v3
- Fixed step name from "Set up Docker Compose" to "Set up Docker Buildx"

- Changed healthcheck in Dockerfile.n8n from shell form to exec form for better practice
- Changed healthcheck in Dockerfile.temporal from shell form to exec form for better practi

Add scripts/setup_volumes.sh for creating required volume directories
Modify service-check job in code-quality.yml to run the volume setup script before testing

- Add 10-minute timeout for service-check job
- Ensure service cleanup runs even if previous steps fail with "if: always()"
- Add "-v" flag to docker compose down to remove volumes after tests
- Fix whitespace in SonarQube job

# Conflicts:
# .github/workflows/code-quality.yml

- Update Docker Scout command format flags to use equals sign format
- Add scan result files to .gitignore to prevent accidental commits

* Replace direct Docker Scout CLI calls with official docker/scout-action@v1 GitHub Action
* Update n8n and temporal image scanning configuration to use action parameters

* Add GITHUB_TOKEN to Docker Scout scanning steps to resolve authentication issues
* Fix 'user githubactions not entitled to use Docker Scout' error

…onment variables
- Update n8n from 1.22.0 to 1.89.2 and change working directory
- Update Temporal from 1.20 to 1.20.5 and configure with environment variables
- Replace Elasticsearch with OpenSearch for Temporal visibility
- Add environment variables for n8n and database configurations
- Improve container restart policies with unless-stopped
- Update documentation with volume setup instructions and troubleshooting
- Add .gitignore entries for mcp executable, config files and .cursor
- Fix volume paths and opensearch port mapping

…lthchecks
- Added .env.example file with configuration variables
- Enhanced Dockerfiles with ARG variables for better customization
- Updated healthchecks with improved parameters and container naming
- Fixed OpenSearch port mapping to match documentation
- Added missing healthcheck for temporal-ui service
- Improved volume permissions in setup_volumes.sh script
- Fixed README path reference to check_services.sh

…file
- Modified dockerfiles to reduce hardcoded values and use environment variables
- Updated docker-compose.yml to source ports and credentials from environment file
- Enhanced check_services.sh to read from .env instead of using hardcoded values
- Improved README.md with instructions for environment file setup
- Fixed container health checks to use the correct service addresses

- Add step to copy .env.example to .env in code-quality workflow
- Ensure environment configuration is available for Docker build process

- Add ARG N8N_PORT=5678 to properly define the port used in healthcheck and EXPOSE

- Simplify Docker rebuild instructions for better readability
- Fix code block formatting by specifying text language
- Format service URLs as proper markdown links with angle brackets
Actionable comments posted: 2
🧹 Nitpick comments (2)
.github/workflows/code-quality.yml (2)
69-82: Pin Docker Scout action and consolidate scan steps
The `Scan n8n image` and `Scan temporal image` blocks duplicate logic. You can merge these into the same matrix used for builds. Also, instead of the floating `@v1` tag, pin to a specific release (e.g., `docker/[email protected]`) to prevent unexpected breaking changes.
83-92: Ensure SARIF uploads on failure and reduce duplication
The SARIF upload steps mirror each other for `n8n` and `temporal`. They can also be driven by a matrix. Additionally, add `if: ${{ always() }}` to these steps so reports are uploaded even if the scan step fails.
🔇 Additional comments (1)
.github/workflows/code-quality.yml (1)
44-48: Job placement and dependency look correct
The new `docker-scout` job is correctly inserted under `jobs` and depends on `hadolint`, ensuring Dockerfiles pass linting before being scanned. Naming and indentation align with existing jobs.
Why do we manually specify the exact version instead of using latest?
Approved
@DenisChistyakov because of security.

- Refactor Docker security scanning workflow to use matrix strategy for multiple images
- Remove duplicate build and scan steps for different Docker images
- Use dynamic service names and paths in workflow steps
- Remove ENV file containing SSH key
ba63d0a
Actionable comments posted: 0
🔭 Outside diff range comments (1)
.github/workflows/code-quality.yml (1)
1-2: 🛠️ Refactor suggestion
Grant permissions for SARIF upload
Workflows that upload SARIF need write access to security events. Please add a top-level `permissions` block:
```diff
 name: Code Quality
+permissions:
+  security-events: write
 on:
   pull_request:
```
🧹 Nitpick comments (1)
.github/workflows/code-quality.yml (1)
43-43: Remove trailing whitespace
Static analysis flagged trailing spaces on this empty line. Please remove them to satisfy YAML linting.
🧰 Tools
🪛 YAMLlint (1.35.1)
[error] 43-43: trailing spaces
(trailing-spaces)
🔇 Additional comments (4)
.github/workflows/code-quality.yml (4)
45-57: Approve the matrix-based Docker Scout job
The new `docker-scout` job leverages a matrix to iterate over services (`n8n` and `temporal`), eliminating duplication and making it easy to extend to additional images in the future.
58-69: Approve the Docker image build setup
Steps for setting up Buildx and building the image locally (`push: false`, `load: true`) are correct and align with best practices for scanning without pushing to a registry.
70-76: Approve the Docker Scout scan step
Using `docker/scout-action@v1` with the `cves` command and capturing a per-service SARIF file is well-structured.
77-81: Approve the SARIF upload step
Uploading each service's SARIF report via `github/codeql-action/upload-sarif@v2` with a dedicated `category` is correct for integrating these findings into GitHub's security tab.
- Add Docker Hub login action with credentials
- Add summary output to security scan
- Set JSON output format for security scan
- Enable GitHub comment generation for scan results
🔍 Vulnerabilities of

| Field | Value |
|---|---|
| digest | sha256:2bd32c752ff2e6cb44b6e083b1de6fa60185f876baebcdcaaaa9b48892fe8b01 |
| vulnerabilities | |
| platform | linux/amd64 |
| size | 243 MB |
| packages | 1628 |

📦 Base Image node:20-alpine
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
- Removed trailing whitespace after Dockerfile.temporal linting step in code-quality.yml
Actionable comments posted: 0
🧹 Nitpick comments (2)
.github/workflows/code-quality.yml (2)
43-43: Remove trailing whitespace
Static analysis flagged trailing spaces on this empty line which can break YAML parsing. Please remove the trailing spaces.
🧰 Tools
🪛 YAMLlint (1.35.1)
[error] 43-43: trailing spaces
(trailing-spaces)
75-84: Scanning step configuration looks good
Leveraging the `docker/scout-action@v1` to generate SARIF reports for CVEs integrates seamlessly with the CodeQL upload. If you require stricter enforcement, consider pinning to a specific minor version (e.g., `@v1.2.0`) to avoid unexpected changes in the action behavior.
🔇 Additional comments (4)
.github/workflows/code-quality.yml (4)
44-53: Great use of a matrix to DRY up the `docker-scout` job
Implementing the matrix strategy for `n8n` and `temporal` avoids duplication and aligns with best practices.
58-66: Verify Docker Hub credentials and their necessity
You're logging into Docker Hub before building the images. If your base images are public, you can remove this step; otherwise ensure that `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN` are correctly set in the repository secrets with least-privilege access.
67-74: Build step is solid
Using `docker/build-push-action@v5` with `push: false` and `load: true` correctly builds and loads the images locally for scanning.
85-89: SARIF upload step validated
The `github/codeql-action/upload-sarif@v2` step correctly uploads the generated SARIF file with a distinct category per service.