From f0ff7752549abc3286b4f1059056770b93b4f184 Mon Sep 17 00:00:00 2001 From: Tom Halpin Date: Thu, 5 Sep 2024 12:35:01 +0100 Subject: [PATCH 1/3] Added additional security checks via GitHub Actions --- .github/config/.safety-policy.yml | 5 ++++ .github/workflows/docker-build-push.yml | 10 +++++++ .github/workflows/safety.yml | 38 +++++++++++++++++++++++++ CHANGELOG.md | 7 +++++ README.md | 3 ++ 5 files changed, 63 insertions(+) create mode 100644 .github/config/.safety-policy.yml create mode 100644 .github/workflows/safety.yml diff --git a/.github/config/.safety-policy.yml b/.github/config/.safety-policy.yml new file mode 100644 index 0000000..58c5e64 --- /dev/null +++ b/.github/config/.safety-policy.yml @@ -0,0 +1,5 @@ +--- +security: + ignore-vulnerabilities: + 70612: + reason: ignoring as per CVE-2019-8341 maintainer doesn't believe it is a valid vulnerability \ No newline at end of file diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index f4021fc..1836573 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -19,6 +19,16 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} + - name: Scan Docker image for vulnerabilities with Trivy + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/template-repo-template:${{ env.IMAGE_TAG }} + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'HIGH,CRITICAL' + - name: Build and Push Docker image run: | IMAGE_TAG="$(grep -oP '^## \[\K([\d.]+)' CHANGELOG.md | head -n 1)" diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml new file mode 100644 index 0000000..ac096b1 --- /dev/null +++ b/.github/workflows/safety.yml 
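Review bot: The ignore entry for 70612 has no `expires` date, so the suppression is permanent and will silently outlive the dependency upgrade that eventually makes it moot; Safety's policy-file format accepts `expires: 'YYYY-MM-DD'` alongside `reason`, which forces a periodic re-review. The reason text is also hard to act on later because it names only the CVE, not the package, the affected version range, or where the maintainer's position was stated; I would rewrite it along the lines of `reason: CVE-2019-8341 in <PACKAGE — TODO name it>: upstream maintainer disputes the finding, see <LINK — TODO>` and add `expires: '<REVIEW-DATE>'` under the same id. The file is also written without a trailing newline (`\ No newline at end of file`), which linters such as yamllint flag.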
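Review bot: The Trivy step runs before the "Build and Push Docker image" step, and the only visible assignment of IMAGE_TAG is the shell variable inside that later step, so `${{ env.IMAGE_TAG }}` in `image-ref` is empty at scan time unless a step outside the hunk exports it to `$GITHUB_ENV`; the scan then targets the bare `template-repo-template:` reference on Docker Hub, and even with the right tag it would scan the previously published image, not the one this run builds, so a vulnerable new build is still pushed. The second point is `uses: aquasecurity/trivy-action@master`: a floating branch means whatever lands on that branch runs inside a job that already holds the Docker Hub login from the step above, so it should reference a release tag or, better, a full commit SHA. Splitting the build from the push, exporting the tag via `$GITHUB_ENV`, and scanning the locally built image before it is pushed gives the gate the changelog entry describes; the push step's body continues outside the hunk, so the sketch below only fixes the ordering. `ignore-unfixed: true` additionally hides HIGH/CRITICAL findings that have no fix yet, which is a deliberate noise trade-off but deserves a one-line comment so it is not mistaken for a clean result.
```yaml
      - name: Build Docker image
        run: |
          IMAGE_TAG="$(grep -oP '^## \[\K([\d.]+)' CHANGELOG.md | head -n 1)"
          echo "IMAGE_TAG=${IMAGE_TAG}" >> "$GITHUB_ENV"
          # build context / Dockerfile path as in the existing step
          docker build -t "${{ secrets.DOCKERHUB_USERNAME }}/template-repo-template:${IMAGE_TAG}" .

      - name: Scan Docker image for vulnerabilities with Trivy
        uses: aquasecurity/trivy-action@<RELEASE_TAG_OR_COMMIT_SHA>  # placeholder: pin, do not track @master
        with:
          image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/template-repo-template:${{ env.IMAGE_TAG }}
          # … unchanged: format, exit-code, ignore-unfixed, vuln-type, severity …

      - name: Push Docker image
        run: |
          # … unchanged: push of the already-built, scanned tag …
```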
@@ -0,0 +1,38 @@ +name: Safety Check + +# Description: This GitHub Action workflow checks the Python dependencies for known security vulnerabilities +# using the 'safety' tool. It runs on every push to the main branch and on pull requests targeting the main branch. + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + safety: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.x' + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + + - name: Install safety + run: | + pip install safety + + - name: Run safety check + run: | + safety check --full-report --policy-file .github/config/.safety-policy.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 9d15aab..95089cf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.7.0] - 2024-09-05 + +- [ADDED] Safety GitHub Action workflow to check Python dependencies for known security vulnerabilities. +- [ADDED] Trivy scan of the Docker image for vulnerabilities +- [FIXED] Vulnerability in docker imaged reported by Trivy +- [CHANGED] Updates to README.md + ## [1.6.1] - 2023-10-15 - [ADDED] Ensured docker image pushed to Docker Hub before README.md diff --git a/README.md b/README.md index 5d01395..695655e 100644 --- a/README.md +++ b/README.md 
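Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN carries the repository's default scope although it only needs to read the checkout; add `permissions:` / `  contents: read` at the top level (or under `jobs.safety`) to keep it least-privilege. `pip install safety` is unpinned, so every run resolves the latest release; `safety check` is the legacy command in the current 3.x line (superseded by `safety scan`, which uses a different policy-file schema), so the job's behaviour, and whether `.github/config/.safety-policy.yml` is still honoured, can change without any commit to this repository — pin it with `pip install 'safety==<PINNED_VERSION>'` and bump it deliberately. `actions/checkout@v3` and `actions/setup-python@v4` are mutable major tags; for a workflow whose purpose is a security gate, pinning to a full commit SHA with the tag noted in a trailing comment is the usual hardening. Finally, `pip install -r requirements.txt` executes any build hooks of those packages on the runner before Safety has looked at them; `safety check -r requirements.txt --full-report --policy-file .github/config/.safety-policy.yml` scans the manifest without installing it and drops the install step entirely.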
@@ -4,6 +4,7 @@ This is a template repository for creating new repositories with pre-configured [![License: MPL 2.0](https://img.shields.io/badge/License-MPL%202.0-brightgreen.svg)](https://opensource.org/licenses/MPL-2.0) +[![Safety Check](https://github.com/genai-musings/template-repo-template/actions/workflows/safety.yml/badge.svg)](https://github.com/genai-musings/template-repo-template/actions/workflows/safety.yml) [![Super-Linter](https://github.com/genai-musings/template-repo-template/actions/workflows/linter.yml/badge.svg)](https://github.com/marketplace/actions/super-linter) [![CodeQL](https://github.com/genai-musings/template-repo-template/workflows/CodeQL/badge.svg?branch=main) [![Markdown Links Check](https://github.com/genai-musings/template-repo-template/actions/workflows/md-links.yml/badge.svg)](https://github.com/gaurav-nelson/github-action-markdown-link-check) @@ -39,6 +40,8 @@ It includes bug and feature issue templates, a pull request (PR) template, CodeQ - ```.github/workflows/md-links.yml```: GitHub Actions workflow for Markdown link validation. +- ```.github/workflows/safety.yml```: GitHub Actions workflow for checking Python dependencies for known security vulnerabilities using the Saftey tool. + - ```.github/workflows/spellcheck.yml```: GitHub Actions workflow for spell checking Markdown. - ```.github/workflows/stale.yml```: GitHub Actions workflow for managing stale issues and pull requests. From 9c13c088251931aa5df88c0dd0665d478f90cebe Mon Sep 17 00:00:00 2001 From: Tom Halpin Date: Thu, 5 Sep 2024 12:41:09 +0100 Subject: [PATCH 2/3] Added additional security checks via GitHub Actions --- .github/config/.wordlist.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/config/.wordlist.txt b/.github/config/.wordlist.txt index 4cad337..b2ea2a8 100644 --- a/.github/config/.wordlist.txt +++ b/.github/config/.wordlist.txt 
@@ -29,9 +29,11 @@ Python reponame Readme README +Safety spellingcheck superlinter TODO +Trivy URLs username yamllint From 3be4b8ec315c125298338fa4d056239dc6c6a0e2 Mon Sep 17 00:00:00 2001 From: Tom Halpin Date: Thu, 5 Sep 2024 12:45:34 +0100 Subject: [PATCH 3/3] Added additional security checks via GitHub Actions --- .github/config/.wordlist.txt | 1 - README.md | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/config/.wordlist.txt b/.github/config/.wordlist.txt index b2ea2a8..fd1fd10 100644 --- a/.github/config/.wordlist.txt +++ b/.github/config/.wordlist.txt @@ -29,7 +29,6 @@ Python reponame Readme README -Safety spellingcheck superlinter TODO diff --git a/README.md b/README.md index 695655e..129bb12 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ It includes bug and feature issue templates, a pull request (PR) template, CodeQ - ```.github/workflows/md-links.yml```: GitHub Actions workflow for Markdown link validation. -- ```.github/workflows/safety.yml```: GitHub Actions workflow for checking Python dependencies for known security vulnerabilities using the Saftey tool. +- ```.github/workflows/safety.yml```: GitHub Actions workflow for checking Python dependencies for known security vulnerabilities using the Safety tool. - ```.github/workflows/spellcheck.yml```: GitHub Actions workflow for spell checking Markdown.