Update docker-compose.yml

.github/workflows/docker-scan.yml

@@ -0,0 +1,82 @@
+name: Docker Scout Scan
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  find-images:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Install jq and yq
+        run: |
+          sudo apt-get update && sudo apt-get install -y jq
+          # Install yq (v4) if not already installed
+          if ! command -v yq &>/dev/null; then
+            wget https://github.com/mikefarah/yq/releases/download/v4.25.1/yq_linux_amd64 -O /usr/local/bin/yq
+            chmod +x /usr/local/bin/yq
+          fi
+
+      - name: Find images in Docker Compose files and set matrix
+        id: set-matrix
+        run: |
+          echo "Searching for docker-compose files..."
+          # Find docker-compose.yml and docker-compose-*.yml files in all subdirectories.
+          files=$(find . -type f \( -iname "docker-compose.yml" -o -iname "docker-compose-*.yml" \))
+          echo "Found files:"
+          echo "$files"
+          images=()
+          for file in $files; do
+            echo "Processing $file"
+            # Use yq with the optional operator to extract the image field
+            while IFS= read -r image; do
+              if [[ -n "$image" ]]; then
+                images+=("$image")
+              fi
+            done < <(yq e '.services[].image?' "$file")
+          done
+          # If no images found, set matrix to an empty JSON array.
+          if [ ${#images[@]} -eq 0 ]; then
+            echo "No images found, setting matrix to []"
+            matrix="[]"
+          else
+            # Remove duplicates and convert to a JSON array.
+            unique_images=($(printf "%s\n" "${images[@]}" | sort -u))
+            matrix=$(printf '%s\n' "${unique_images[@]}" | jq -R . | jq -s .)
+          fi
+          echo "Matrix JSON: $matrix"
+          # Set the output using multiline syntax.
+          echo "matrix<<EOF" >> $GITHUB_OUTPUT
+          echo "$matrix" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+  scan-images:
+    needs: find-images
+    runs-on: ubuntu-latest
+    environment: PR
+    strategy:
+      matrix:
+        image: ${{ fromJson(needs.find-images.outputs.matrix) }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Scan image with Docker Scout
+        id: scout
+        uses: docker/scout-action@v1
+        with:
+          command: recommendations
+          image: ${{ matrix.image }}

src/Pi4/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   traefik:
-    image: traefik:latest
+    image: traefik:v2.5.0  # Known CVEs: CVE-2021-32786, CVE-2021-32787
     container_name: traefik
     restart: always
     ports:
@@ -18,7 +18,7 @@ services:
       - traefik_certs:/certs
 
   portainer:
-    image: portainer/portainer-ce:latest
+    image: portainer/portainer-ce:2.0.0  # Known CVEs: CVE-2021-21334
     container_name: portainer
     restart: always
     command: --admin-password ${PORTAINER_PASSWORD}
@@ -33,7 +33,7 @@ services:
       - "traefik.http.services.portainer.loadbalancer.server.port=9000"
 
   gatus:
-    image: twinproduction/gatus:latest
+    image: twinproduction/gatus:v2.1.0  # No known CVEs for this specific version
     container_name: gatus
     restart: always
     environment:
@@ -50,7 +50,7 @@ services:
       - "traefik.http.services.gatus.loadbalancer.server.port=8080"
 
   homepage:
-    image: ghcr.io/gethomepage/homepage:latest
+    image: gethomepage/homepage:v0.9.0  # No known CVEs for this specific version
     container_name: homepage
     restart: always
     environment:
@@ -75,4 +75,4 @@ services:
 volumes:
   traefik_certs:
   portainer_data:
-  gatus_data:
+  gatus_data: