From eb064c5626ab38f655c494cb1471069bb6799672 Mon Sep 17 00:00:00 2001 From: aldousalvarez Date: Tue, 21 Nov 2023 11:44:49 +0800 Subject: [PATCH] carbon accounting trivy scan --- .github/workflows/azure-container-scan.yaml | 38 ++++++++++++++ .github/workflows/trivy-container-scan.yaml | 52 +++++++++++++++++++ .../package.json | 2 + examples/carbon-accounting/Dockerfile | 7 +-- examples/carbon-accounting/supervisord.conf | 2 +- yarn.lock | 11 +++- 6 files changed, 107 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/azure-container-scan.yaml create mode 100644 .github/workflows/trivy-container-scan.yaml diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml new file mode 100644 index 00000000000..1ad619520ae --- /dev/null +++ b/.github/workflows/azure-container-scan.yaml @@ -0,0 +1,38 @@ +name: azure-container-image-scan + +on: + push: + pull_request: + # Publish `main` as Docker `latest` image. + branches: + - main + + # Publish `v1.2.3` tags as releases. + tags: + - v* + + +jobs: + build-secure-and-push: + name: Scan cactus-example-carbon-accounting image + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2.4.0 + env: + # (Required) The token to use to make API calls to GitHub. + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + + - uses: actions/checkout@v1 + - name: Login to DockerHub Registry + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + + + - name: Build Images from Dockerfile + run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting + + - uses: Azure/container-scan@v0.1 + name: Scan image for vulnerabilities + id: container-scan + continue-on-error: true + with: + image-name: cactus-example-carbon-accounting \ No newline at end of file diff --git a/.github/workflows/trivy-container-scan.yaml b/.github/workflows/trivy-container-scan.yaml new file mode 100644 index 00000000000..ced5b34198a --- /dev/null +++ b/.github/workflows/trivy-container-scan.yaml @@ -0,0 +1,52 @@ +name: trivy-container-image-scan + +on: + push: + pull_request: + # Publish `main` as Docker `latest` image. + branches: + - main + + # Publish `v1.2.3` tags as releases. + tags: + - v* + + +jobs: + + build: + name: Scan cactus-example-carbon-accounting table image + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: Build an image from Dockerfile + run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting + - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting + uses: aquasecurity/trivy-action@0.11.2 + with: + image-ref: 'cactus-example-carbon-accounting' + format: 'table' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + + build2: + name: Scan cactus-example-carbon-accounting json image + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: Build an image from Dockerfile + run: | + DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.11.2 + with: + image-ref: 'cactus-example-carbon-accounting' + format: 'json' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' \ No newline at end of file diff --git a/examples/cactus-example-carbon-accounting-backend/package.json b/examples/cactus-example-carbon-accounting-backend/package.json index 8a4056de1e5..51b1225d1c6 100644 --- a/examples/cactus-example-carbon-accounting-backend/package.json +++ b/examples/cactus-example-carbon-accounting-backend/package.json @@ -76,10 +76,12 @@ "devDependencies": { "@types/express": "4.17.19", "@types/fs-extra": "9.0.13", + "@types/http-cache-semantics": "^4", "@types/json-stable-stringify": "1.0.34", "@types/uuid": "8.3.4", "express-jwt": "8.4.1", "hardhat": "2.17.2", + "http-cache-semantics": "4.1.1", "http-status-codes": "2.1.4", "jose": "4.9.2", "json-stable-stringify": "1.0.2" diff --git a/examples/carbon-accounting/Dockerfile b/examples/carbon-accounting/Dockerfile index 89c203dbe59..a12ba8ded53 100644 --- a/examples/carbon-accounting/Dockerfile +++ b/examples/carbon-accounting/Dockerfile @@ -36,9 +36,10 @@ SHELL ["/bin/bash", "--login", "-i", "-c"] RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash RUN source ~/.bashrc && \ nvm install 16.15.1 && \ - npm install -g yarn && \ - yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production - + npm install --location=global yarn && \ + yarn set version 3.6.0 && \ + yarn add @hyperledger/cactus-example-carbon-accounting-backend@2.0.0-alpha.2 + SHELL ["/bin/bash", "--login", "-c"] diff --git a/examples/carbon-accounting/supervisord.conf b/examples/carbon-accounting/supervisord.conf index f4349a038c4..e21c123a9ca 100644 --- a/examples/carbon-accounting/supervisord.conf +++ b/examples/carbon-accounting/supervisord.conf @@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log stdout_logfile=/usr/src/app/log/dockerd.out.log [program:carbon-accounting-app] -command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js +command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js autostart=true autorestart=unexpected exitcodes=0 diff --git a/yarn.lock b/yarn.lock index 3e81a4e1d8c..dc02c878551 100644 --- a/yarn.lock +++ b/yarn.lock @@ -6847,6 +6847,7 @@ __metadata: "@openzeppelin/contracts-upgradeable": 4.9.3 "@types/express": 4.17.19 "@types/fs-extra": 9.0.13 + "@types/http-cache-semantics": ^4 "@types/json-stable-stringify": 1.0.34 "@types/uuid": 8.3.4 async-exit-hook: 2.0.1 @@ -6854,6 +6855,7 @@ __metadata: fabric-network: 2.2.19 fs-extra: 10.1.0 hardhat: 2.17.2 + http-cache-semantics: 4.1.1 http-status-codes: 2.1.4 jose: 4.9.2 json-stable-stringify: 1.0.2 @@ -7812,7 +7814,7 @@ __metadata: "@hyperledger/cactus-test-tooling": 2.0.0-alpha.2 "@types/express": 4.17.20 "@types/uuid": 9.0.6 - axios: 1.5.1 + axios: 1.6.0 body-parser: 1.20.2 cbor: 9.0.1 express: 4.18.2 @@ -12905,6 +12907,13 @@ __metadata: languageName: node linkType: hard +"@types/http-cache-semantics@npm:^4": + version: 4.0.4 + resolution: "@types/http-cache-semantics@npm:4.0.4" + checksum: 7f4dd832e618bc1e271be49717d7b4066d77c2d4eed5b81198eb987e532bb3e1c7e02f45d77918185bad936f884b700c10cebe06305f50400f382ab75055f9e8 + languageName: node + linkType: hard + "@types/http-cache-semantics@npm:^4.0.1": version: 4.0.1 resolution: "@types/http-cache-semantics@npm:4.0.1"