usabilla · WyriHaximus · Sep 25, 2025 · Sep 3, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
diff --git a/Dockerfile-cli b/Dockerfile-cli
@@ -1,5 +1,7 @@
 # syntax=docker/dockerfile:experimental
 FROM php:7.2-cli-alpine3.7 as cli
+ARG TARGETOS
+ARG TARGETARCH
 
 # Add usabilla user and group
 RUN set -x \
@@ -15,6 +17,7 @@ COPY src/php/utils/docker/ /usr/local/bin/
 # Install PHP extensions
 # hadolint ignore=DL4006
 RUN set -x \
+    && apk upgrade --no-cache \
     # Install curl-dev in order to address the curl binary issue in some Alpine versions
     && apk add --no-cache curl-dev \
     # Adding sodium purely for the 7.1 image, it's already in 7.2 and up: https://www.php.net/manual/en/sodium.installation.php \
@@ -31,9 +34,6 @@ RUN set -x \
     && docker-php-source-tarball clean && rm /usr/local/bin/php-cgi && rm /usr/local/bin/phpdbg && rm -rf /tmp/pear ~/.pearrc \
     && apk del .phpize-deps \
 
-    # Patch CVE-2018-14618 (curl), CVE-2018-16842 (libxml2), CVE-2019-11068 (libxslt)
-    && apk upgrade --no-cache curl libxml2 libxslt \
-
     # Create a symlink to the recommended production configuration
     # ref: https://github.com/docker-library/docs/tree/master/php#configuration
     && ln -s $PHP_INI_DIR/php.ini-production $PHP_INI_DIR/php.ini

diff --git a/Dockerfile-fpm b/Dockerfile-fpm
@@ -1,5 +1,7 @@
 # syntax=docker/dockerfile:experimental
 FROM php:7.2-fpm-alpine3.7 as fpm
+ARG TARGETOS
+ARG TARGETARCH
 
 ENV FCGI_CONNECT=/var/run/php-fpm.sock
 ENV PHP_FPM_PM=dynamic
@@ -26,6 +28,7 @@ COPY src/php/utils/install-* /usr/local/bin/
 # Install PHP extensions
 # hadolint ignore=DL4006
 RUN set -x \
+    && apk upgrade --no-cache \
     # Install curl-dev in order to address the curl binary issue in some Alpine versions
     && apk add --no-cache curl-dev \
     # Adding sodium purely for the 7.1 image, it's already in 7.2 and up: https://www.php.net/manual/en/sodium.installation.php \
@@ -43,9 +46,6 @@ RUN set -x \
     && apk del .phpize-deps \
     && apk add --no-cache fcgi \
 
-    # Patch CVE-2018-14618 (curl), CVE-2018-16842 (libxml2), CVE-2019-11068 (libxslt)
-    && apk upgrade --no-cache curl libxml2 libxslt \
-
     # Create a symlink to the recommended production configuration
     # ref: https://github.com/docker-library/docs/tree/master/php#configuration
     && ln -s $PHP_INI_DIR/php.ini-production $PHP_INI_DIR/php.ini

diff --git a/Dockerfile-http b/Dockerfile-http
@@ -1,4 +1,4 @@
-FROM nginx:1.15-alpine as http
+FROM nginx:1.15-alpine AS http
 
 # Add usabilla user and group
 RUN set -x \
@@ -21,8 +21,8 @@ ENV NGINX_LARGE_CLIENT_HEADER_BUFFERS="4 8k"
 ENV NGINX_CORS_ENABLE=false
 ENV NGINX_CORS_ALLOW_ORIGIN="*"
 
-# Patch gCVE-2019-11068 (libxslt)
-RUN apk upgrade --no-cache libxslt
+RUN set -x \
+    && apk upgrade --no-cache
 
 # Nginx helper scripts
 COPY src/http/nginx/docker-nginx-* /usr/local/bin/
@@ -37,6 +37,6 @@ CMD ["docker-nginx-entrypoint"]
 # this can be overriden in the child images
 HEALTHCHECK NONE
 
-FROM http as http-dev
+FROM http AS http-dev
 
 ENV NGINX_EXPOSE_VERSION=on
diff --git a/Makefile b/Makefile
@@ -52,7 +52,7 @@ build-http: clean-tags
 # Adding arbitrary version 1.0 in order to make sure if we break compatibility we have to up it
 build-prometheus-exporter-file: BUILDINGIMAGE=prometheus-exporter-file
 build-prometheus-exporter-file: clean-tags
-	./build-prometheus-exporter-file.sh 1.18 prometheus-exporter-file1.0 prometheus-exporter-file1
+	./build-prometheus-exporter-file.sh 1.29 prometheus-exporter-file1.0 prometheus-exporter-file1
 
 .NOTPARALLEL: clean-tags
 clean-tags:
@@ -103,8 +103,4 @@ test-prometheus-exporter-file-e2e: ./tmp/build-prometheus-exporter-file.tags
 	xargs -I % ./test-prometheus-exporter-file-e2e.sh % < ./tmp/build-prometheus-exporter-file.tags
 
 scan-vulnerability:
-	docker compose -f test/security/docker-compose.yml -p clair-ci up -d
-	RETRIES=0 && while ! wget -T 10 -q -O /dev/null http://localhost:6060/v1/namespaces ; do sleep 1 ; echo -n "." ; if [ $${RETRIES} -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; RETRIES=$$(($${RETRIES}+1)) ; done
-	mkdir -p ./tmp/clair/usabillabv
-	cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log % || echo "% is vulnerable"'
-	docker compose -f test/security/docker-compose.yml -p clair-ci down
+	cat ./tmp/build-*.tags | xargs -I % sh -c 'docker run -v /tmp/trivy:/var/lib/trivy -v /var/run/docker.sock:/var/run/docker.sock -t aquasec/trivy:latest --cache-dir /var/lib/trivy image --skip-files "/usr/local/bin/shush" --exit-code 1 --no-progress % || (echo "% is vulnerable" && exit 1)'
diff --git a/build-http.sh b/build-http.sh
@@ -15,22 +15,32 @@ declare -r IMAGE_ORIGINAL_TAG="nginx:1.[0-9][0-9]?-alpine"
 
 declare -r IMAGE_TAG="nginx:${VERSION_NGINX}-alpine"
 declare -r USABILLA_TAG_PREFIX="usabillabv/php"
-declare -r USABILLA_TAG="${USABILLA_TAG_PREFIX}:nginx${VERSION_NGINX}"
-declare -r USABILLA_TAG_DEV="${USABILLA_TAG}-dev"
-
-TAG_FILE="./tmp/build-${IMAGE}.tags"
-
+if [[ ! -v DOCKER_BUILD_PLATFORM ]]; then
+   declare -r DOCKER_BUILD_FLAGS=""
+   declare -r USABILLA_TAG_SUFFIX=""
+else
+   declare -r DOCKER_BUILD_FLAGS="--platform=${DOCKER_BUILD_PLATFORM}"
+   # shellcheck disable=SC2155
+   declare -r USABILLA_TAG_SUFFIX="-${DOCKER_BUILD_PLATFORM//\//-}"
+fi
+declare -r USABILLA_TAG="${USABILLA_TAG_PREFIX}:nginx${VERSION_NGINX}${USABILLA_TAG_SUFFIX}"
+declare -r USABILLA_TAG_DEV="${USABILLA_TAG_PREFIX}:nginx${VERSION_NGINX}-dev${USABILLA_TAG_SUFFIX}"
+
+declare -r TAG_FILE="./tmp/build-${IMAGE}${USABILLA_TAG_SUFFIX}.tags"
+
+# shellcheck disable=SC2086
 sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${IMAGE}" | docker build --pull -t "${USABILLA_TAG}" \
-    --build-arg=NGINX_VHOST_TEMPLATE=php-fpm --target="${IMAGE}" -f - . \
+    --build-arg=NGINX_VHOST_TEMPLATE=php-fpm --target="${IMAGE}" ${DOCKER_BUILD_FLAGS} -f - . \
     && echo "${USABILLA_TAG}" >> "${TAG_FILE}"
 
+# shellcheck disable=SC2086
 sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${IMAGE}" | docker build --pull -t "${USABILLA_TAG_DEV}" \
-    --build-arg=NGINX_VHOST_TEMPLATE=php-fpm --target="${IMAGE}-dev" -f - . \
+    --build-arg=NGINX_VHOST_TEMPLATE=php-fpm --target="${IMAGE}-dev" ${DOCKER_BUILD_FLAGS} -f - . \
     && echo "$USABILLA_TAG_DEV" >> "${TAG_FILE}"
 
 for IMAGE_EXTRA_TAG in "${@:2}"
 do
     declare NEW_TAG="${USABILLA_TAG_PREFIX}:${IMAGE_EXTRA_TAG}"
-    docker tag "${USABILLA_TAG}" "${NEW_TAG}" && echo "${NEW_TAG}" >> "${TAG_FILE}"
-    docker tag "${USABILLA_TAG_DEV}" "${NEW_TAG}-dev" && echo "${NEW_TAG}-dev" >> "${TAG_FILE}"
+    docker tag "${USABILLA_TAG}" "${NEW_TAG}${USABILLA_TAG_SUFFIX}" && echo "${NEW_TAG}${USABILLA_TAG_SUFFIX}" >> "${TAG_FILE}"
+    docker tag "${USABILLA_TAG_DEV}" "${NEW_TAG}-dev${USABILLA_TAG_SUFFIX}" && echo "${NEW_TAG}-dev${USABILLA_TAG_SUFFIX}" >> "${TAG_FILE}"
 done
diff --git a/build-php.sh b/build-php.sh
@@ -16,13 +16,24 @@ declare -r VERSION_ALPINE=$3
 declare -r IMAGE_ORIGINAL_TAG="7.[0-9]-${IMAGE}-alpine3.[0-9]"
 
 declare -r IMAGE_TAG="${VERSION_PHP}-${IMAGE}-alpine${VERSION_ALPINE}"
-declare -r USABILLA_TAG="usabillabv/php:${VERSION_PHP}-${IMAGE}-alpine${VERSION_ALPINE}"
-declare -r USABILLA_TAG_DEV="${USABILLA_TAG}-dev"
-
-declare -r TAG_FILE="./tmp/build-${IMAGE}.tags"
-
-sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${IMAGE}" | docker build --pull -t "${USABILLA_TAG}" --target="${IMAGE}" -f - . \
+if [[ ! -v DOCKER_BUILD_PLATFORM ]]; then
+   declare -r DOCKER_BUILD_FLAGS=""
+   declare -r USABILLA_TAG_SUFFIX=""
+else
+   declare -r DOCKER_BUILD_FLAGS="--platform=${DOCKER_BUILD_PLATFORM}"
+   # shellcheck disable=SC2155
+   declare -r USABILLA_TAG_SUFFIX="-${DOCKER_BUILD_PLATFORM//\//-}"
+fi
+declare -r USABILLA_TAG_PREFIX="usabillabv/php:${VERSION_PHP}-${IMAGE}-alpine${VERSION_ALPINE}"
+declare -r USABILLA_TAG="${USABILLA_TAG_PREFIX}${USABILLA_TAG_SUFFIX}"
+declare -r USABILLA_TAG_DEV="${USABILLA_TAG_PREFIX}-dev${USABILLA_TAG_SUFFIX}"
+
+declare -r TAG_FILE="./tmp/build-${IMAGE}${USABILLA_TAG_SUFFIX}.tags"
+
+# shellcheck disable=SC2086
+sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${IMAGE}" | docker build --pull -t "${USABILLA_TAG}" --target="${IMAGE}" ${DOCKER_BUILD_FLAGS} -f - . \
     && echo "$USABILLA_TAG" >> "$TAG_FILE"
 
-sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${IMAGE}" | docker build --pull -t "${USABILLA_TAG_DEV}" --target="${IMAGE}-dev" -f - . \
+# shellcheck disable=SC2086
+sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${IMAGE}" | docker build --pull -t "${USABILLA_TAG_DEV}" --target="${IMAGE}-dev" ${DOCKER_BUILD_FLAGS} -f - . \
     && echo "$USABILLA_TAG_DEV" >> "$TAG_FILE"
diff --git a/build-prometheus-exporter-file.sh b/build-prometheus-exporter-file.sh
@@ -17,16 +17,25 @@ declare -r IMAGE_ORIGINAL_TAG="nginx:1.[0-9][0-9]?-alpine"
 
 declare -r IMAGE_TAG="nginx:${VERSION_NGINX}-alpine"
 declare -r USABILLA_TAG_PREFIX="usabillabv/php"
-declare -r USABILLA_TAG="${USABILLA_TAG_PREFIX}:${IMAGE}"
-
-TAG_FILE="./tmp/build-${IMAGE}.tags"
-
+if [[ ! -v DOCKER_BUILD_PLATFORM ]]; then
+   declare -r DOCKER_BUILD_FLAGS=""
+   declare -r USABILLA_TAG_SUFFIX=""
+else
+   declare -r DOCKER_BUILD_FLAGS="--platform=${DOCKER_BUILD_PLATFORM}"
+   # shellcheck disable=SC2155
+   declare -r USABILLA_TAG_SUFFIX="-${DOCKER_BUILD_PLATFORM//\//-}"
+fi
+declare -r USABILLA_TAG="${USABILLA_TAG_PREFIX}:${IMAGE}${USABILLA_TAG_SUFFIX}"
+
+declare -r TAG_FILE="./tmp/build-${IMAGE}${USABILLA_TAG_SUFFIX}.tags"
+
+# shellcheck disable=SC2086
 sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${DOCKER_FILE}" | docker build --pull -t "${USABILLA_TAG}" \
-    --build-arg=NGINX_VHOST_TEMPLATE=prometheus-exporter-file --target="http" -f - . \
+    --build-arg=NGINX_VHOST_TEMPLATE=prometheus-exporter-file --target="http" ${DOCKER_BUILD_FLAGS} -f - . \
     && echo "${USABILLA_TAG}" >> "${TAG_FILE}"
 
 for USABILLA_TAG_EXTRA in "${@:2}"
 do
-    docker tag "${USABILLA_TAG}" "${USABILLA_TAG_PREFIX}:${USABILLA_TAG_EXTRA}" \
-    && echo "${USABILLA_TAG_PREFIX}:${USABILLA_TAG_EXTRA}" >> "${TAG_FILE}"
+    docker tag "${USABILLA_TAG}" "${USABILLA_TAG_PREFIX}:${USABILLA_TAG_EXTRA}${USABILLA_TAG_SUFFIX}" \
+    && echo "${USABILLA_TAG_PREFIX}:${USABILLA_TAG_EXTRA}${USABILLA_TAG_SUFFIX}" >> "${TAG_FILE}"
 done
diff --git a/src/php/utils/install-dumb-init b/src/php/utils/install-dumb-init
@@ -4,7 +4,7 @@ set -xeu
 
 VERSION="1.2.2"
 
-curl -sL -o /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v"$VERSION"/dumb-init_"$VERSION"_amd64
+curl -sL -o /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v"$VERSION"/dumb-init_"$VERSION"_"${TARGETARCH}"
 
 chmod +x /usr/local/bin/dumb-init
 

diff --git a/src/php/utils/install-shush b/src/php/utils/install-shush
@@ -2,9 +2,9 @@
 
 set -xe
 
-curl -sL -o /usr/local/bin/shush https://github.com/realestate-com-au/shush/releases/download/v1.5.0/shush_linux_amd64
+curl -sL -o /usr/local/bin/shush "https://github.com/realestate-com-au/shush/releases/download/v1.5.5/shush_linux_${TARGETARCH}"
 
-echo "cdec941dc5f45dda2d981169aa1845540d2c5bf98bfd1d8a85deaa6a6a43a4d1  /usr/local/bin/shush" | sha256sum -c
+(echo "d0e091405a18b6d11a65ea1d7449802c0cbac51971031897089d038e6f7cc750  /usr/local/bin/shush" | sha256sum -c) || (echo "138af0f1eec3af50176d542fead8824c3ca0f6ba27a4a50e1db8af5959a13116  /usr/local/bin/shush" | sha256sum -c)
 
 chmod +x /usr/local/bin/shush
 

diff --git a/test-cli.sh b/test-cli.sh
@@ -13,7 +13,7 @@ declare -r DOCKER_TAG="$1"
 
 declare TEST_SUITE
 
-if [[ $DOCKER_TAG == *"-dev" ]]; then
+if [[ $DOCKER_TAG == *"-dev"* ]]; then
     TEST_SUITE="php or php_cli or php_dev"
 else
     TEST_SUITE="php or php_cli or php_no_dev and not php_dev"
@@ -36,6 +36,6 @@ docker run --rm -t \
     -v "$(pwd)/test:/tests" \
     -v "$(pwd)/tmp/test-results:/results" \
     -v /var/run/docker.sock:/var/run/docker.sock:ro \
-    renatomefi/docker-testinfra:5 \
+    ghcr.io/wyrihaximusnet/testinfra:2025.03.31 \
     -m "$TEST_SUITE" --junitxml="/results/php-cli-$DOCKER_TAG.xml" \
     --verbose --hosts="docker://$DOCKER_CONTAINER"
diff --git a/test-fpm.sh b/test-fpm.sh
@@ -13,7 +13,7 @@ declare -r DOCKER_TAG="$1"
 
 declare TEST_SUITE
 
-if [[ $DOCKER_TAG == *"-dev" ]]; then
+if [[ $DOCKER_TAG == *"-dev"* ]]; then
     TEST_SUITE="php or php_fpm or php_dev"
 else
     VERSION_SUITE=$(echo "${DOCKER_TAG}" | grep -P ':\d.\d-' -o | sed 's/[^0-9]*//g')
@@ -37,6 +37,6 @@ docker run --rm -t \
     -v "$(pwd)/test:/tests" \
     -v "$(pwd)/tmp/test-results:/results" \
     -v /var/run/docker.sock:/var/run/docker.sock:ro \
-    renatomefi/docker-testinfra:5 \
+    ghcr.io/wyrihaximusnet/testinfra:2025.03.31 \
     -m "$TEST_SUITE" --junitxml="/results/php-fpm-$DOCKER_TAG.xml" \
     --verbose --hosts="docker://$DOCKER_CONTAINER"
diff --git a/test-http-e2e.sh b/test-http-e2e.sh
@@ -18,6 +18,6 @@ docker run --net="host" --rm -t \
     -v "$(pwd)/test/e2e:/tests" \
     -v "$(pwd)/tmp/test-results:/results" \
     -v /var/run/docker.sock:/var/run/docker.sock:ro \
-    renatomefi/docker-testinfra:5 \
+    ghcr.io/wyrihaximusnet/testinfra:2025.03.31 \
     -m "$TEST_SUITE" --junitxml="/results/http-e2e-$DOCKER_NGINX_TAG.xml" \
     --verbose --tag="$1"
diff --git a/test-http.sh b/test-http.sh
@@ -36,6 +36,6 @@ docker run --rm -t \
     -v "$(pwd)/test:/tests" \
     -v "$(pwd)/tmp/test-results:/results" \
     -v /var/run/docker.sock:/var/run/docker.sock:ro \
-    renatomefi/docker-testinfra:5 \
+    ghcr.io/wyrihaximusnet/testinfra:2025.03.31 \
     -m "$TEST_SUITE" --junitxml="/results/http-$DOCKER_NGINX_TAG.xml" \
     --verbose --hosts="docker://$DOCKER_NGINX_CONTAINER"
diff --git a/test-prometheus-exporter-file-e2e.sh b/test-prometheus-exporter-file-e2e.sh
@@ -18,6 +18,6 @@ docker run --net="host" --rm -t \
     -v "$(pwd)/test/e2e:/tests" \
     -v "$(pwd)/tmp/test-results:/results" \
     -v /var/run/docker.sock:/var/run/docker.sock:ro \
-    renatomefi/docker-testinfra:5 \
+    ghcr.io/wyrihaximusnet/testinfra:2025.03.31 \
     -m "$TEST_SUITE" --junitxml="/results/http-e2e-$DOCKER_TAG.xml" \
     --verbose --tag="$1"
diff --git a/test/e2e/test_nginx_entrypoint.py b/test/e2e/test_nginx_entrypoint.py
@@ -1,4 +1,5 @@
 import pytest
+import time
 
 
 @pytest.mark.nginx_e2e
@@ -22,6 +23,10 @@ def test_nginx_sigterm_handling(host, container):
 @pytest.mark.nginx_e2e
 @pytest.mark.parametrize('container', [{'env': {'NGINX_PORT': '5556'}, 'port': '5556'}], indirect=True)
 def test_nginx_can_host_different_ports(host, container):
+    start = time.time()
+    while host.run('docker exec -t {} sh -c "wget http://127.0.0.1:5556/"'.format(container)).rc is not 1 and time.time() - start < 13:
+        time.sleep(1)
+
     wget_custom_port = host.run('docker exec -t {} sh -c "wget http://127.0.0.1:5556/"'.format(container))
     assert wget_custom_port.rc is 1
     assert u'502 Bad Gateway' in wget_custom_port.stdout
diff --git a/test/e2e/test_nginx_logs.py b/test/e2e/test_nginx_logs.py
@@ -1,10 +1,17 @@
 import pytest
+import time
 
 
 @pytest.mark.nginx_e2e
 def test_nginx_logs_to_stdout_and_stderr(host, container):
     nginx_port = host.check_output("docker inspect " + container + " --format '{{ (index (index .NetworkSettings.Ports \"80/tcp\") 0).HostPort }}'")
 
+    host.run('wget -O /dev/null -S 127.0.0.1:{}/not-valid'.format(nginx_port))
+    start = time.time()
+    while 'GET /not-valid' not in host.run('docker logs {}'.format(container)).stdout and time.time() - start < 13:
+        time.sleep(1)
+        host.run('wget -O /dev/null -S 127.0.0.1:{}/not-valid'.format(nginx_port))
+
     wget = host.run('wget -O /dev/null -S 127.0.0.1:{}/invalid'.format(nginx_port))
     assert wget.rc is not 0
 

diff --git a/test/security/docker-compose.yml b/test/security/docker-compose.yml