carbon accounting trivy scan

aldousalvarez · Nov 21, 2023 · 3ac1ed8 · 3ac1ed8
1 parent 0af2eb1
commit 3ac1ed8
Show file tree

Hide file tree

Showing 6 changed files with 128 additions and 8 deletions.
diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml
@@ -0,0 +1,38 @@
+name: azure-container-image-scan
+
+on:
+  push:
+  pull_request:
+    # Publish `main` as Docker `latest` image.
+    branches:
+      - main
+
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+
+
+jobs:
+ build-secure-and-push:
+    name: Scan cactus-example-carbon-accounting image
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/[email protected]
+      env:
+          # (Required) The token to use to make API calls to GitHub.
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+    - uses: actions/checkout@v1
+    - name: Login to DockerHub Registry
+      run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+
+    - name: Build Images from Dockerfile
+      run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting
+
+    - uses: Azure/[email protected]
+      name: Scan image for vulnerabilities
+      id: container-scan
+      continue-on-error: true
+      with:
+       image-name: cactus-example-carbon-accounting
diff --git a/.github/workflows/trivy-container-scan.yaml b/.github/workflows/trivy-container-scan.yaml
@@ -0,0 +1,52 @@
+name: trivy-container-image-scan
+
+on:
+  push:
+  pull_request:
+    # Publish `main` as Docker `latest` image.
+    branches:
+      - main
+
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+
+
+jobs:
+
+  build:
+    name: Scan cactus-example-carbon-accounting table image
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build an image from Dockerfile
+        run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+      - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'cactus-example-carbon-accounting'
+          format: 'table'
+          exit-code: '0'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+  build2:
+    name: Scan cactus-example-carbon-accounting json image
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build an image from Dockerfile
+        run: |
+          DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'cactus-example-carbon-accounting'
+          format: 'json'
+          exit-code: '0'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
diff --git a/examples/cactus-example-carbon-accounting-backend/package.json b/examples/cactus-example-carbon-accounting-backend/package.json
@@ -76,13 +76,17 @@
   "devDependencies": {
     "@types/express": "4.17.19",
     "@types/fs-extra": "9.0.13",
+    "@types/http-cache-semantics": "^4",
     "@types/json-stable-stringify": "1.0.34",
+    "@types/qs": "^6",
     "@types/uuid": "8.3.4",
     "express-jwt": "8.4.1",
     "hardhat": "2.17.2",
+    "http-cache-semantics": "4.1.1",
     "http-status-codes": "2.1.4",
     "jose": "4.9.2",
-    "json-stable-stringify": "1.0.2"
+    "json-stable-stringify": "1.0.2",
+    "qs": "6.7.3"
   },
   "engines": {
     "node": ">=10",

diff --git a/examples/carbon-accounting/Dockerfile b/examples/carbon-accounting/Dockerfile
@@ -33,12 +33,13 @@ WORKDIR ${APP}
 
 SHELL ["/bin/bash", "--login", "-i", "-c"]
 # Installing Node Version Manager (nvm)
-RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash
 RUN source ~/.bashrc && \
-    nvm install 16.15.1 && \
-    npm install -g yarn && \
-    yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production
-
+    nvm install 20.9.0 && \
+    npm install --location=global yarn && \
+    yarn set version 3.6.0 && \
+    yarn add @hyperledger/[email protected]
+
 SHELL ["/bin/bash", "--login", "-c"]
 
 

diff --git a/examples/carbon-accounting/supervisord.conf b/examples/carbon-accounting/supervisord.conf
@@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log
 stdout_logfile=/usr/src/app/log/dockerd.out.log
 
 [program:carbon-accounting-app]
-command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
+command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
 autostart=true
 autorestart=unexpected
 exitcodes=0

diff --git a/yarn.lock b/yarn.lock
@@ -6847,17 +6847,21 @@ __metadata:
     "@openzeppelin/contracts-upgradeable": 4.9.3
     "@types/express": 4.17.19
     "@types/fs-extra": 9.0.13
+    "@types/http-cache-semantics": ^4
     "@types/json-stable-stringify": 1.0.34
+    "@types/qs": ^6
     "@types/uuid": 8.3.4
     async-exit-hook: 2.0.1
     express-jwt: 8.4.1
     fabric-network: 2.2.19
     fs-extra: 10.1.0
     hardhat: 2.17.2
+    http-cache-semantics: 4.1.1
     http-status-codes: 2.1.4
     jose: 4.9.2
     json-stable-stringify: 1.0.2
     openapi-types: 9.1.0
+    qs: 6.7.3
     typescript-optional: 2.0.1
     uuid: 8.3.2
     web3-core: 1.6.1
@@ -7812,7 +7816,7 @@ __metadata:
     "@hyperledger/cactus-test-tooling": 2.0.0-alpha.2
     "@types/express": 4.17.20
     "@types/uuid": 9.0.6
-    axios: 1.5.1
+    axios: 1.6.0
     body-parser: 1.20.2
     cbor: 9.0.1
     express: 4.18.2
@@ -12905,6 +12909,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/http-cache-semantics@npm:^4":
+  version: 4.0.4
+  resolution: "@types/http-cache-semantics@npm:4.0.4"
+  checksum: 7f4dd832e618bc1e271be49717d7b4066d77c2d4eed5b81198eb987e532bb3e1c7e02f45d77918185bad936f884b700c10cebe06305f50400f382ab75055f9e8
+  languageName: node
+  linkType: hard
+
 "@types/http-cache-semantics@npm:^4.0.1":
   version: 4.0.1
   resolution: "@types/http-cache-semantics@npm:4.0.1"
@@ -13490,6 +13501,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/qs@npm:^6":
+  version: 6.9.10
+  resolution: "@types/qs@npm:6.9.10"
+  checksum: 3e479ee056bd2b60894baa119d12ecd33f20a25231b836af04654e784c886f28a356477630430152a86fba253da65d7ecd18acffbc2a8877a336e75aa0272c67
+  languageName: node
+  linkType: hard
+
 "@types/range-parser@npm:*":
   version: 1.2.4
   resolution: "@types/range-parser@npm:1.2.4"
@@ -40110,6 +40128,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"qs@npm:6.7.3":
+  version: 6.7.3
+  resolution: "qs@npm:6.7.3"
+  checksum: c91046d3a648374d4cb98a872b69753a039a5d57f879bd56174b57d80014ab2bea4f7bcaa5db5e6c1ca7d2e29119b4f844125a082a0facf30adeb90e8e686078
+  languageName: node
+  linkType: hard
+
 "qs@npm:^6.11.0":
   version: 6.11.2
   resolution: "qs@npm:6.11.2"