latest -> master

.github/dependabot.yml

@@ -0,0 +1,26 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  # Enable Dependabot alerts for `Docker` 
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  # Enable Dependabot alerts for `npm`
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  # Enable Dependabot alerts for `GitHub Actions`
+  - package-ecosystem: "github-actions"
+    directory: ".github/workflows"
+    schedule:
+      interval: "weekly"
+
+

.github/workflows/deploy.yml

@@ -7,7 +7,7 @@
 # To get a newer version, you will need to update the SHA.
 # You can also reference a tag or branch, but the action may change without warning.
 
-name: Build and Deploy to GKE
+name: Build, Release and Deploy to GKE
 
 on:
   push:
@@ -25,6 +25,7 @@ env:
   SLACK_NOTIFICACTION_CHANNEL: ${{ secrets.SLACK_NOTIFICACTION_CHANNEL }}
   AR_LOCATION: ${{ vars.AR_LOCATION }}
   AR_REPOSITORY: ${{ vars.AR_REPOSITORY }}
+  IMAGE_NAME: ${{vars.AR_LOCATION}}-docker.pkg.dev/${{secrets.GKE_PROJECT}}/${{vars.AR_REPOSITORY}}/${{github.ref_name}}
 
 jobs:
   setup-build-publish-deploy:
@@ -37,12 +38,55 @@ jobs:
     steps:
     - uses: actions/checkout@v4
 
+    # fetch Tag from package.json version
+    - name: Get Tag from package.json
+      id: version
+      run: echo "TAG=$(node -p "require('./package.json').version")" >> $GITHUB_OUTPUT
+
+    # echo Tag
+    - name: Echo Tag
+      run: echo ${{ steps.version.outputs.TAG }}
+
+    # parse the changelog to get the release description
+    - name: Parse Changelog Entries
+      uses: actions/github-script@v7
+      id: changelog
+      with:
+        script: |
+          const { open } = require('fs/promises');
+
+          const version ='${{ steps.version.outputs.TAG }}';
+          const delimiter = '### ';
+          const file = await open('./changes.md');
+
+          let description = [];
+          let found = false;
+
+          for await (let line of file.readLines()) {
+            line = line.trim();
+
+            if ( line.startsWith(`${delimiter}${version}`) ) {
+              found = true;
+              continue;
+            }
+
+            if (!found) continue;
+            if ( line.startsWith(delimiter) )  break;
+
+            description.push(line);
+          }
+
+          if ( !description.length ) core.setFailed(`Release ${version} not found in the changelog!`);
+
+          core.setOutput('description', description.join('\n') );
+
     # Setup gcloud CLI
     - id: 'auth'
       uses: 'google-github-actions/auth@v2'
       with:
         credentials_json: '${{ secrets.GKE_SA_KEY }}'
 
+    # Set up Cloud SDK
     - name: 'Set up Cloud SDK'
       uses: 'google-github-actions/setup-gcloud@v2'
       with:
@@ -63,14 +107,57 @@ jobs:
     - name: Build
       run: |-
         docker build \
-          --tag "$AR_LOCATION-docker.pkg.dev/$PROJECT_ID/$AR_REPOSITORY/$GITHUB_REF_NAME:$GITHUB_SHA" \
+          --tag "${{env.IMAGE_NAME}}:${{ steps.version.outputs.TAG }}" \
           --build-arg GITHUB_SHA="$GITHUB_SHA" \
           --build-arg GITHUB_REF="$GITHUB_REF" \
           .
+
     # Push the Docker image to Google Container Registry
     - name: Publish
       run: |-
-        docker push "$AR_LOCATION-docker.pkg.dev/$PROJECT_ID/$AR_REPOSITORY/$GITHUB_REF_NAME:$GITHUB_SHA"
+        docker push "${{env.IMAGE_NAME}}:${{ steps.version.outputs.TAG }}"
+
+    # Scan Docker image for vulnerabilities
+    - name: Scan Docker Image using Trivy
+      if: github.ref_name == 'master'
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: "${{env.IMAGE_NAME}}:${{ steps.version.outputs.TAG }}"
+        exit-code: '0'
+        timeout: '60m0s'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+
+    # Upload Trivy scan results to GitHub Security tab
+    - name: Upload Trivy scan results to GitHub Security tab
+      if: github.ref_name == 'master'
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: 'trivy-results.sarif'
+
+    # Generate SPDX SBOM
+    - name: Generate SBOM with Anchore Action
+      if: github.ref_name == 'master'
+      id: sbom
+      uses: anchore/sbom-action@v0
+      with:
+        image: "${{env.IMAGE_NAME}}:${{ steps.version.outputs.TAG }}"
+        output-file: sbom.spdx.json
+        format: spdx-json
+
+    # Create a release with the version changelog as a description and attach the sbom
+    - name: Create GitHub Release
+      if: github.ref_name == 'master'
+      id: create_github_release
+      uses: softprops/action-gh-release@v1
+      with:
+        name: "Release ${{ steps.version.outputs.TAG }}"
+        body: "${{ steps.changelog.outputs.description }}"
+        tag_name: ${{ steps.version.outputs.TAG }}
+        prerelease: false
+        files: |
+          ./sbom.spdx.json
+
     # Set up kustomize
     - name: Set up Kustomize
       run: |-
@@ -89,7 +176,7 @@ jobs:
         sed -i.bak "s|ACCESS_TOKEN_VALUE|${{ secrets.ACCESS_TOKEN }}|g" ci/deployment-v2.yml
         sed -i.bak "s|SLACK_NOTIFICACTION_URL_VALUE|${{ secrets.SLACK_NOTIFICACTION_URL }}|g" ci/deployment-v2.yml
         sed -i.bak "s|SLACK_NOTIFICACTION_CHANNEL_VALUE|${{ secrets.SLACK_NOTIFICACTION_CHANNEL }}|g" ci/deployment-v2.yml
-        sed -i.bak "s|IMAGE_VERSION|$GITHUB_SHA|g" ci/deployment-v2.yml
+        sed -i.bak "s|IMAGE_VERSION|${{ steps.version.outputs.TAG }}|g" ci/deployment-v2.yml
         sed -i.bak "s|GITHUB_ORG|$GITHUB_REPOSITORY_OWNER|g" ci/service.yml
         sed -i.bak "s|GITHUB_ORG|$GITHUB_REPOSITORY_OWNER|g" ci/deployment-v2.yml
         sed -i.bak "s|GITHUB_BRANCH|$GITHUB_REF_NAME|g" ci/service.yml

Dockerfile

@@ -1,18 +1,40 @@
-FROM node:20.12.0-alpine
-ENV VERSION=v1.29.0
+FROM node:22.6.0-alpine
+ENV VERSION=v1.31.0
 ENV NODE_ENV=production
 ENV SERVICE_ENABLE_SSHD=true
 ENV SERVICE_ENABLE_API=true
 ENV SERVICE_ENABLE_FIREBASE=false
 
-RUN apk update --no-cache && apk upgrade --no-cache && apk add bash
-
-RUN apk add --no-cache git openssh nfs-utils rpcbind curl ca-certificates nano tzdata ncurses make tcpdump \
+RUN apk update --no-cache && apk upgrade --no-cache && apk add bash tar
+
+# Install build dependencies
+RUN apk add --no-cache \
+    build-base \
+    linux-headers \
+    openssl-dev \
+    zlib-dev \
+    file \
+    wget
+
+# Download the latest OpenSSH (9.8p1) source
+RUN wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz \
+    && tar -xzf openssh-9.8p1.tar.gz \
+    && cd openssh-9.8p1 \
+    # Configure and compile the source
+    && ./configure \
+    && make \
+    && make install
+
+# Cleanup build dependencies and unnecessary files
+RUN apk del build-base linux-headers openssl-dev zlib-dev file wget \
+    && rm -rf /openssh-9.8p1.tar.gz /openssh-9.8p1
+
+RUN apk add --no-cache nfs-utils rpcbind curl ca-certificates nano tzdata ncurses make tcpdump \
   && curl -L https://storage.googleapis.com/kubernetes-release/release/$VERSION/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl \
   && chmod +x /usr/local/bin/kubectl \
   && kubectl version --client \
   && rm -rf /etc/ssh/* \
-  && mkdir /etc/ssh/authorized_keys.d \
+  && mkdir -p /etc/ssh/authorized_keys.d \
   && cp /usr/share/zoneinfo/America/New_York /etc/localtime \
   && echo "America/New_York" >  /etc/timezone \
   && apk del tzdata

changes.md

@@ -1,3 +1,9 @@
+### 0.4.0
+* Upgraded parent Docker image to `node:22`
+* Upgraded `kubectl` to `1.31.0`
+* Upgaded `OpenSSH` to `9.8`
+* Solved vulnerabilities in `npm` packages and OS
+
 ### 0.3.0
 * Fixed `JavaScript` errors 
 

package.json

@@ -1,6 +1,6 @@
 {
     "name": "docker-sftp",
-    "version": "0.3.0",
+    "version": "0.4.0",
     "description": "SSH tunnels to Kubernetes containers",
     "main": "bin/server.js",
     "scripts": {

static/ecosystem.config.js

@@ -3,7 +3,7 @@ module.exports.apps = []
 if( process.env.SERVICE_ENABLE_SSHD === 'true' ) {
 
   module.exports.apps.push({
-    "script": "/usr/sbin/sshd",
+    "script": "/usr/local/sbin/sshd",
     "args": "-D -f /etc/ssh/sshd_config -e",
     "name": "sshd",
     "merge_logs": true,