diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml new file mode 100644 index 00000000000..1ad619520ae --- /dev/null +++ b/.github/workflows/azure-container-scan.yaml @@ -0,0 +1,38 @@ +name: azure-container-image-scan + +on: + push: + pull_request: + # Publish `main` as Docker `latest` image. + branches: + - main + + # Publish `v1.2.3` tags as releases. + tags: + - v* + + +jobs: + build-secure-and-push: + name: Scan cactus-example-carbon-accounting image + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2.4.0 + env: + # (Required) The token to use to make API calls to GitHub. + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + + - uses: actions/checkout@v1 + - name: Login to DockerHub Registry + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + + + - name: Build Images from Dockerfile + run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting + + - uses: Azure/container-scan@v0.1 + name: Scan image for vulnerabilities + id: container-scan + continue-on-error: true + with: + image-name: cactus-example-carbon-accounting \ No newline at end of file diff --git a/.github/workflows/trivy-container-scan.yaml b/.github/workflows/trivy-container-scan.yaml new file mode 100644 index 00000000000..ced5b34198a --- /dev/null +++ b/.github/workflows/trivy-container-scan.yaml @@ -0,0 +1,52 @@ +name: trivy-container-image-scan + +on: + push: + pull_request: + # Publish `main` as Docker `latest` image. + branches: + - main + + # Publish `v1.2.3` tags as releases. + tags: + - v* + + +jobs: + + build: + name: Scan cactus-example-carbon-accounting table image + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: Build an image from Dockerfile + run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting + - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting + uses: aquasecurity/trivy-action@0.11.2 + with: + image-ref: 'cactus-example-carbon-accounting' + format: 'table' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + + build2: + name: Scan cactus-example-carbon-accounting json image + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: Build an image from Dockerfile + run: | + DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.11.2 + with: + image-ref: 'cactus-example-carbon-accounting' + format: 'json' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' \ No newline at end of file diff --git a/examples/cactus-example-carbon-accounting-backend/package.json b/examples/cactus-example-carbon-accounting-backend/package.json index 8a4056de1e5..51b1225d1c6 100644 --- a/examples/cactus-example-carbon-accounting-backend/package.json +++ b/examples/cactus-example-carbon-accounting-backend/package.json @@ -76,10 +76,12 @@ "devDependencies": { "@types/express": "4.17.19", "@types/fs-extra": "9.0.13", + "@types/http-cache-semantics": "^4", "@types/json-stable-stringify": "1.0.34", "@types/uuid": "8.3.4", "express-jwt": "8.4.1", "hardhat": "2.17.2", + "http-cache-semantics": "4.1.1", "http-status-codes": "2.1.4", "jose": "4.9.2", "json-stable-stringify": "1.0.2" diff --git a/examples/carbon-accounting/Dockerfile b/examples/carbon-accounting/Dockerfile index 89c203dbe59..e97bd01f447 100644 --- a/examples/carbon-accounting/Dockerfile +++ b/examples/carbon-accounting/Dockerfile @@ -36,9 +36,9 @@ SHELL ["/bin/bash", "--login", "-i", "-c"] RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash RUN source ~/.bashrc && \ nvm install 16.15.1 && \ - npm install -g yarn && \ - yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production - + npm install --location=global yarn && \ + yarn set version 3.6.0 && \ + yarn add @hyperledger/cactus-example-carbon-accounting-backend@2.0.0-alpha.2 SHELL ["/bin/bash", "--login", "-c"] diff --git a/examples/carbon-accounting/supervisord.conf b/examples/carbon-accounting/supervisord.conf index f4349a038c4..e21c123a9ca 100644 --- a/examples/carbon-accounting/supervisord.conf +++ b/examples/carbon-accounting/supervisord.conf @@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log stdout_logfile=/usr/src/app/log/dockerd.out.log [program:carbon-accounting-app] -command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js +command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js autostart=true autorestart=unexpected exitcodes=0 diff --git a/package.json b/package.json index c8fb103e196..a6f01deefe0 100644 --- a/package.json +++ b/package.json @@ -112,6 +112,7 @@ "@openapitools/openapi-generator-cli": "2.7.0", "@types/adm-zip": "0.5.0", "@types/fs-extra": "9.0.13", + "@types/http-cache-semantics": "^4", "@types/jest": "29.5.3", "@types/node": "16.18.41", "@types/node-fetch": "2.6.4", @@ -145,6 +146,7 @@ "google-protobuf": "3.21.2", "grpc-tools": "1.12.4", "grpc_tools_node_protoc_ts": "5.3.3", + "http-cache-semantics": "4.1.1", "husky": "7.0.4", "inquirer": "8.2.6", "jest": "29.6.2", diff --git a/yarn.lock b/yarn.lock index 3e81a4e1d8c..cd9395b5b6e 100644 --- a/yarn.lock +++ b/yarn.lock @@ -6847,6 +6847,7 @@ __metadata: "@openzeppelin/contracts-upgradeable": 4.9.3 "@types/express": 4.17.19 "@types/fs-extra": 9.0.13 + "@types/http-cache-semantics": ^4 "@types/json-stable-stringify": 1.0.34 "@types/uuid": 8.3.4 async-exit-hook: 2.0.1 @@ -6854,6 +6855,7 @@ __metadata: fabric-network: 2.2.19 fs-extra: 10.1.0 hardhat: 2.17.2 + http-cache-semantics: 4.1.1 http-status-codes: 2.1.4 jose: 4.9.2 json-stable-stringify: 1.0.2 @@ -7812,7 +7814,7 @@ __metadata: "@hyperledger/cactus-test-tooling": 2.0.0-alpha.2 "@types/express": 4.17.20 "@types/uuid": 9.0.6 - axios: 1.5.1 + axios: 1.6.0 body-parser: 1.20.2 cbor: 9.0.1 express: 4.18.2 @@ -8322,6 +8324,7 @@ __metadata: "@openapitools/openapi-generator-cli": 2.7.0 "@types/adm-zip": 0.5.0 "@types/fs-extra": 9.0.13 + "@types/http-cache-semantics": ^4 "@types/jest": 29.5.3 "@types/node": 16.18.41 "@types/node-fetch": 2.6.4 @@ -8355,6 +8358,7 @@ __metadata: google-protobuf: 3.21.2 grpc-tools: 1.12.4 grpc_tools_node_protoc_ts: 5.3.3 + http-cache-semantics: 4.1.1 husky: 7.0.4 inquirer: 8.2.6 jest: 29.6.2 @@ -12905,6 +12909,13 @@ __metadata: languageName: node linkType: hard +"@types/http-cache-semantics@npm:^4": + version: 4.0.4 + resolution: "@types/http-cache-semantics@npm:4.0.4" + checksum: 7f4dd832e618bc1e271be49717d7b4066d77c2d4eed5b81198eb987e532bb3e1c7e02f45d77918185bad936f884b700c10cebe06305f50400f382ab75055f9e8 + languageName: node + linkType: hard + "@types/http-cache-semantics@npm:^4.0.1": version: 4.0.1 resolution: "@types/http-cache-semantics@npm:4.0.1"