From 5e694f2aa121c1e492233c344e57163d9a02b53b Mon Sep 17 00:00:00 2001 From: aldousalvarez Date: Tue, 21 Nov 2023 11:44:49 +0800 Subject: [PATCH] carbon accounting trivy scan --- .github/workflows/azure-container-scan.yaml | 38 ++++++++++++++ .github/workflows/trivy-container-scan.yaml | 52 +++++++++++++++++++ .../package.json | 6 ++- examples/carbon-accounting/Dockerfile | 9 ++-- examples/carbon-accounting/supervisord.conf | 2 +- yarn.lock | 27 +++++++++- 6 files changed, 127 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/azure-container-scan.yaml create mode 100644 .github/workflows/trivy-container-scan.yaml diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml new file mode 100644 index 00000000000..1ad619520ae --- /dev/null +++ b/.github/workflows/azure-container-scan.yaml @@ -0,0 +1,38 @@ +name: azure-container-image-scan + +on: + push: + pull_request: + # Publish `main` as Docker `latest` image. + branches: + - main + + # Publish `v1.2.3` tags as releases. + tags: + - v* + + +jobs: + build-secure-and-push: + name: Scan cactus-example-carbon-accounting image + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2.4.0 + env: + # (Required) The token to use to make API calls to GitHub. + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + + - uses: actions/checkout@v1 + - name: Login to DockerHub Registry + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + + + - name: Build Images from Dockerfile + run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting + + - uses: Azure/container-scan@v0.1 + name: Scan image for vulnerabilities + id: container-scan + continue-on-error: true + with: + image-name: cactus-example-carbon-accounting \ No newline at end of file diff --git a/.github/workflows/trivy-container-scan.yaml b/.github/workflows/trivy-container-scan.yaml new file mode 100644 index 00000000000..ced5b34198a --- /dev/null +++ b/.github/workflows/trivy-container-scan.yaml @@ -0,0 +1,52 @@ +name: trivy-container-image-scan + +on: + push: + pull_request: + # Publish `main` as Docker `latest` image. + branches: + - main + + # Publish `v1.2.3` tags as releases. + tags: + - v* + + +jobs: + + build: + name: Scan cactus-example-carbon-accounting table image + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: Build an image from Dockerfile + run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting + - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting + uses: aquasecurity/trivy-action@0.11.2 + with: + image-ref: 'cactus-example-carbon-accounting' + format: 'table' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + + build2: + name: Scan cactus-example-carbon-accounting json image + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: Build an image from Dockerfile + run: | + DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.11.2 + with: + image-ref: 'cactus-example-carbon-accounting' + format: 'json' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' \ No newline at end of file diff --git a/examples/cactus-example-carbon-accounting-backend/package.json b/examples/cactus-example-carbon-accounting-backend/package.json index 8a4056de1e5..adfe4272565 100644 --- a/examples/cactus-example-carbon-accounting-backend/package.json +++ b/examples/cactus-example-carbon-accounting-backend/package.json @@ -76,13 +76,17 @@ "devDependencies": { "@types/express": "4.17.19", "@types/fs-extra": "9.0.13", + "@types/http-cache-semantics": "^4", "@types/json-stable-stringify": "1.0.34", + "@types/qs": "^6", "@types/uuid": "8.3.4", "express-jwt": "8.4.1", "hardhat": "2.17.2", + "http-cache-semantics": "4.1.1", "http-status-codes": "2.1.4", "jose": "4.9.2", - "json-stable-stringify": "1.0.2" + "json-stable-stringify": "1.0.2", + "qs": "6.7.3" }, "engines": { "node": ">=10", diff --git a/examples/carbon-accounting/Dockerfile b/examples/carbon-accounting/Dockerfile index 89c203dbe59..a041f61eadf 100644 --- a/examples/carbon-accounting/Dockerfile +++ b/examples/carbon-accounting/Dockerfile @@ -33,11 +33,12 @@ WORKDIR ${APP} SHELL ["/bin/bash", "--login", "-i", "-c"] # Installing Node Version Manager (nvm) -RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash +RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash RUN source ~/.bashrc && \ - nvm install 16.15.1 && \ - npm install -g yarn && \ - yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production + nvm install 20.9.0 && \ + npm install --location=global yarn && \ + npm install -g npm@10.2.4 && \ + yarn add @hyperledger/cactus-example-carbon-accounting-backend@2.0.0-alpha.2 SHELL ["/bin/bash", "--login", "-c"] diff --git a/examples/carbon-accounting/supervisord.conf b/examples/carbon-accounting/supervisord.conf index f4349a038c4..e21c123a9ca 100644 --- a/examples/carbon-accounting/supervisord.conf +++ b/examples/carbon-accounting/supervisord.conf @@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log stdout_logfile=/usr/src/app/log/dockerd.out.log [program:carbon-accounting-app] -command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js +command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js autostart=true autorestart=unexpected exitcodes=0 diff --git a/yarn.lock b/yarn.lock index 3e81a4e1d8c..fc096a6adb4 100644 --- a/yarn.lock +++ b/yarn.lock @@ -6847,17 +6847,21 @@ __metadata: "@openzeppelin/contracts-upgradeable": 4.9.3 "@types/express": 4.17.19 "@types/fs-extra": 9.0.13 + "@types/http-cache-semantics": ^4 "@types/json-stable-stringify": 1.0.34 + "@types/qs": ^6 "@types/uuid": 8.3.4 async-exit-hook: 2.0.1 express-jwt: 8.4.1 fabric-network: 2.2.19 fs-extra: 10.1.0 hardhat: 2.17.2 + http-cache-semantics: 4.1.1 http-status-codes: 2.1.4 jose: 4.9.2 json-stable-stringify: 1.0.2 openapi-types: 9.1.0 + qs: 6.7.3 typescript-optional: 2.0.1 uuid: 8.3.2 web3-core: 1.6.1 @@ -7812,7 +7816,7 @@ __metadata: "@hyperledger/cactus-test-tooling": 2.0.0-alpha.2 "@types/express": 4.17.20 "@types/uuid": 9.0.6 - axios: 1.5.1 + axios: 1.6.0 body-parser: 1.20.2 cbor: 9.0.1 express: 4.18.2 @@ -12905,6 +12909,13 @@ __metadata: languageName: node linkType: hard +"@types/http-cache-semantics@npm:^4": + version: 4.0.4 + resolution: "@types/http-cache-semantics@npm:4.0.4" + checksum: 7f4dd832e618bc1e271be49717d7b4066d77c2d4eed5b81198eb987e532bb3e1c7e02f45d77918185bad936f884b700c10cebe06305f50400f382ab75055f9e8 + languageName: node + linkType: hard + "@types/http-cache-semantics@npm:^4.0.1": version: 4.0.1 resolution: "@types/http-cache-semantics@npm:4.0.1" @@ -13490,6 +13501,13 @@ __metadata: languageName: node linkType: hard +"@types/qs@npm:^6": + version: 6.9.10 + resolution: "@types/qs@npm:6.9.10" + checksum: 3e479ee056bd2b60894baa119d12ecd33f20a25231b836af04654e784c886f28a356477630430152a86fba253da65d7ecd18acffbc2a8877a336e75aa0272c67 + languageName: node + linkType: hard + "@types/range-parser@npm:*": version: 1.2.4 resolution: "@types/range-parser@npm:1.2.4" @@ -40110,6 +40128,13 @@ __metadata: languageName: node linkType: hard +"qs@npm:6.7.3": + version: 6.7.3 + resolution: "qs@npm:6.7.3" + checksum: c91046d3a648374d4cb98a872b69753a039a5d57f879bd56174b57d80014ab2bea4f7bcaa5db5e6c1ca7d2e29119b4f844125a082a0facf30adeb90e8e686078 + languageName: node + linkType: hard + "qs@npm:^6.11.0": version: 6.11.2 resolution: "qs@npm:6.11.2"