Trivy compliant

.github/workflows/trivy-scan.yml

@@ -0,0 +1,32 @@
+name: Trivy-scanning
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+      - dev
+
+jobs:
+  Trivy-Scan:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+      -
+        name: Run Trivy fs vulnerability scanner in fs mode
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          #severity: 'CRITICAL'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'

Dockerfile

@@ -10,39 +10,40 @@ RUN git clone https://github.com/XTLS/Xray-core.git . && \
     git checkout ${XRAY_VER} && \
     go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main
 
-RUN cd /tmp; \
+RUN curl -sSLO  https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
-    curl -sSLO https://fukuchi.org/works/qrencode/qrencode-${QREC_VER}.tar.gz && \
+RUN curl -sSLO  https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat
-    tar xvf qrencode-${QREC_VER}.tar.gz && \
-    cd qrencode-${QREC_VER} && \
-    ./configure --without-png && \
-    make install
 
-RUN cd /usr/local; tar zcvf /tmp/qrencode.tar.gz bin lib share
+RUN curl -sSLO  https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/apple.china.conf
+RUN curl -sSLO https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/google.china.conf
+RUN curl -sSLO https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/bogus-nxdomain.china.conf
+RUN curl -sSLO https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/accelerated-domains.china.conf
 
-RUN cd /tmp; curl -sSLO  https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
+WORKDIR /tmp
-RUN cd /tmp; curl -sSLO  https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat
+RUN curl -sSLO https://fukuchi.org/works/qrencode/qrencode-${QREC_VER}.tar.gz && \
+    tar xvf qrencode-${QREC_VER}.tar.gz
+WORKDIR /tmp/qrencode-${QREC_VER}
+RUN ./configure --without-png && make install
 
-RUN cd /tmp; curl -sSLO  https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/apple.china.conf
+WORKDIR /usr/local
-RUN cd /tmp; curl -sSLO https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/google.china.conf
+RUN tar zcvf /tmp/qrencode.tar.gz bin lib share
-RUN cd /tmp; curl -sSLO https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/bogus-nxdomain.china.conf
-RUN cd /tmp; curl -sSLO https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/accelerated-domains.china.conf
 
 
 FROM alpine:3.20
 
-COPY --from=builder /go/src/XTLS/Xray-core/xray /usr/local/bin/
+COPY --from=builder /go/src/XTLS/Xray-core/xray         /usr/local/bin/
-COPY --from=builder /tmp/geosite.dat /usr/local/bin/
+COPY --from=builder /go/src/XTLS/Xray-core/geosite.dat  /usr/local/bin/
-COPY --from=builder /tmp/geoip.dat /usr/local/bin/
+COPY --from=builder /go/src/XTLS/Xray-core/geoip.dat    /usr/local/bin/
 
 RUN mkdir -p /etc/dnsmasq.disable
 
-COPY --from=builder /tmp/apple.china.conf /etc/dnsmasq.disable/
+COPY --from=builder /go/src/XTLS/Xray-core/apple.china.conf                 /etc/dnsmasq.disable/
-COPY --from=builder /tmp/google.china.conf /etc/dnsmasq.disable/
+COPY --from=builder /go/src/XTLS/Xray-core/google.china.conf                /etc/dnsmasq.disable/
-COPY --from=builder /tmp/bogus-nxdomain.china.conf /etc/dnsmasq.disable/
+COPY --from=builder /go/src/XTLS/Xray-core/bogus-nxdomain.china.conf        /etc/dnsmasq.disable/
-COPY --from=builder /tmp/accelerated-domains.china.conf /etc/dnsmasq.disable/
+COPY --from=builder /go/src/XTLS/Xray-core/accelerated-domains.china.conf   /etc/dnsmasq.disable/
 
 COPY --from=builder /tmp/qrencode.tar.gz /tmp/
-RUN cd /usr/local && tar xvf /tmp/qrencode.tar.gz
+WORKDIR /usr/local
+RUN tar xvf /tmp/qrencode.tar.gz
 RUN rm /tmp/qrencode.tar.gz
 
 RUN apk --no-cache add bash openssl curl jq moreutils \
@@ -50,29 +51,29 @@ RUN apk --no-cache add bash openssl curl jq moreutils \
 
 RUN sed -i "s/^socks4.*/socks5\t127.0.0.1 1080/g" /etc/proxychains/proxychains.conf
 
-ADD proxy-lgp.sh    /proxy-lgp.sh
+COPY proxy-lgp.sh   /proxy-lgp.sh
-ADD proxy-lgr.sh    /proxy-lgr.sh
+COPY proxy-lgr.sh   /proxy-lgr.sh
-ADD proxy-lgt.sh    /proxy-lgt.sh
+COPY proxy-lgt.sh   /proxy-lgt.sh
 
-ADD proxy-lsp.sh    /proxy-lsp.sh
+COPY proxy-lsp.sh   /proxy-lsp.sh
-ADD proxy-lst.sh    /proxy-lst.sh
+COPY proxy-lst.sh   /proxy-lst.sh
 
-ADD proxy-ltr.sh    /proxy-ltr.sh
+COPY proxy-ltr.sh   /proxy-ltr.sh
-ADD proxy-ltt.sh    /proxy-ltt.sh
+COPY proxy-ltt.sh   /proxy-ltt.sh
 
-ADD proxy-lwp.sh    /proxy-lwp.sh
+COPY proxy-lwp.sh   /proxy-lwp.sh
-ADD proxy-lwt.sh    /proxy-lwt.sh
+COPY proxy-lwt.sh   /proxy-lwt.sh
 
-ADD proxy-mtt.sh    /proxy-mtt.sh
+COPY proxy-mtt.sh   /proxy-mtt.sh
-ADD proxy-mwp.sh    /proxy-mwp.sh
+COPY proxy-mwp.sh   /proxy-mwp.sh
-ADD proxy-mwt.sh    /proxy-mwt.sh
+COPY proxy-mwt.sh   /proxy-mwt.sh
 
-ADD proxy-ttt.sh    /proxy-ttt.sh
+COPY proxy-ttt.sh   /proxy-ttt.sh
-ADD proxy-twp.sh    /proxy-twp.sh
+COPY proxy-twp.sh   /proxy-twp.sh
-ADD proxy-twt.sh    /proxy-twt.sh
+COPY proxy-twt.sh   /proxy-twt.sh
 
-ADD qrcode.sh       /qrcode
+COPY qrcode.sh      /qrcode
-ADD run.sh          /run.sh
+COPY run.sh         /run.sh
 
 RUN chmod 755 /*.sh
 RUN chmod 755 /qrcode