Devops - add docker sec (#28)
Remaining Go-related CVEs that may need to be looked at:
<table>
    <tr>
        <th>Package</th>
        <th>ID</th>
        <th>Severity</th>
        <th>Installed Version</th>
        <th>Fixed Version</th>
    </tr>
    <tr>
        <td><code>cosmossdk.io/math</code></td>
        <td>GHSA-7225-m954-23v7</td>
        <td>HIGH</td>
        <td>v1.3.0</td>
        <td>1.4.0</td>
    </tr>
    <tr>
        <td><code>github.com/cometbft/cometbft</code></td>
        <td>GHSA-p7mv-53f2-4cwj</td>
        <td>HIGH</td>
        <td>v0.38.7</td>
        <td>0.38.15</td>
    </tr>
    <tr>
        <td><code>github.com/cometbft/cometbft</code></td>
        <td>GHSA-g5xx-c4hv-9ccc</td>
        <td>MEDIUM</td>
        <td>v0.38.7</td>
        <td>0.37.11, 0.38.12</td>
    </tr>
    <tr>
        <td><code>github.com/cometbft/cometbft</code></td>
        <td>GHSA-hg58-rf2h-6rr7</td>
        <td>MEDIUM</td>
        <td>v0.38.7</td>
        <td>0.37.7, 0.38.8</td>
    </tr>
</table>
huynaism authored Nov 22, 2024
1 parent bad6003 commit 4bd7985
Showing 5 changed files with 21 additions and 11 deletions.
6 changes: 5 additions & 1 deletion .github/workflows/publish.yml
Expand Up @@ -17,7 +17,11 @@ jobs:

docker_pipeline:
needs: ["lint_test"]
uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.6.0
uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.10.2
secrets: inherit
with:
publish: true
docker_scan: true
permissions:
security-events: write
packages: read
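Review bot: the reusable workflow is pinned by tag (`@v0.10.2`) rather than by commit SHA; tags are mutable, so for a job that now holds `security-events: write` and pushes images, pin the SHA and keep the tag in a trailing comment. Also confirm that `packages: read` is sufficient alongside `publish: true`: a push to GHCR needs `packages: write`, so either the image is published elsewhere via the inherited secrets or this will fail at push time.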
5 changes: 5 additions & 0 deletions .trivyignore
@@ -0,0 +1,5 @@
# LND < 0.17.0 issue, not fixing
CVE-2024-27304
GHSA-7jwh-3vrq-q3m8
CVE-2024-27289
CVE-2024-38359
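Review bot: the single comment on the first line reads as a justification for `CVE-2024-27304` only; each suppressed ID should carry its own reason and, because this file silences the finding for every future scan of the repository, an expiry so it is revisited (Trivy accepts the `CVE-2024-27304 exp:2025-01-31` form in `.trivyignore`). Also record whether each of the four IDs is reachable in the final image or only in build-time dependencies, since that is the risk argument behind "not fixing".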
17 changes: 8 additions & 9 deletions Dockerfile
@@ -1,4 +1,4 @@
FROM golang:1.22.3-alpine as builder
FROM golang:1.22.7-alpine as builder

Check warning on line 1 in Dockerfile

View workflow job for this annotation

GitHub Actions / docker_pipeline / docker_build (linux/amd64, ubuntu-24.04)

The 'as' keyword should match the case of the 'from' keyword

FromAsCasing: 'as' and 'FROM' keywords' casing do not match More info: https://docs.docker.com/go/dockerfile/rule/from-as-casing/

# TARGETPLATFORM should be one of linux/amd64 or linux/arm64.
ARG TARGETPLATFORM="linux/amd64"
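Review bot: the lowercase `as builder` still trips the FromAsCasing lint shown in the workflow annotations; write `FROM golang:1.22.7-alpine AS builder` to match the `AS run` stage later in the file. Bumping to 1.22.7 picks up the toolchain fixes, but a mutable tag will drift again between scan and build; consider pinning the base image by digest (`golang:1.22.7-alpine@sha256:<digest placeholder>`) so the image that was scanned is the one that ships.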
Expand All @@ -7,7 +7,7 @@ ARG VERSION

# Use muslc for static libs
ARG BUILD_TAGS="muslc"

# hadolint ignore=DL3018
RUN apk add --no-cache --update openssh git make build-base linux-headers libc-dev \
pkgconfig zeromq-dev musl-dev alpine-sdk libsodium-dev \
libzmq-static libsodium-static gcc
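Review bot: `# hadolint ignore=DL3018` silences the unpinned-package warning for the whole builder toolchain; that is tolerable in a throwaway build stage, but say so in the comment so the suppression is not copied into the runtime stage. Separately, `--update` is redundant once `--no-cache` is passed (apk fetches a fresh index and discards it either way), so `apk add --no-cache openssh git make ...` suffices.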
Expand All @@ -22,20 +22,19 @@ COPY ./ /go/src/github.com/babylonlabs-io/staking-indexer/
# If version is set, then checkout this version
RUN if [ -n "${VERSION}" ]; then \
git checkout -f ${VERSION}; \
fi

RUN CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
fi && \
CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
CGO_ENABLED=1 \
BUILD_TAGS=$BUILD_TAGS \
LINK_STATICALLY=true \
make build

# FINAL IMAGE
FROM alpine:3.16 AS run

RUN addgroup --gid 1138 -S staking-indexer && adduser --uid 1138 -S staking-indexer -G staking-indexer
FROM alpine:3.20 AS run

RUN apk add bash curl jq
# hadolint ignore=DL3018
RUN addgroup --gid 1138 -S staking-indexer && adduser --uid 1138 -S staking-indexer -G staking-indexer && \
apk add --no-cache bash curl jq && rm -rf /var/cache/apk/*

COPY --from=builder /go/src/github.com/babylonlabs-io/staking-indexer/build/sid /bin/sid

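Review bot: `rm -rf /var/cache/apk/*` is a no-op after `apk add --no-cache`, which writes no index to that directory; drop it so the intent of the line is clear. The non-root `staking-indexer` user (uid 1138) is created here, but no `USER staking-indexer` appears in this hunk and the rest of the stage is collapsed, so verify that the final stage actually switches to that user before the image's entrypoint, otherwise the hardening stops at account creation. The move from alpine:3.16, which is past end of life, to 3.20 is the substantive CVE fix in this hunk; folding `git checkout` into the build `RUN` only changes layer caching.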
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -246,7 +246,7 @@ require (
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
github.com/rogpeppe/go-internal v1.12.0 // indirect
github.com/rs/cors v1.10.1 // indirect
github.com/rs/cors v1.11.0 // indirect
github.com/rs/zerolog v1.32.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/sagikazarmark/locafero v0.4.0 // indirect
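Review bot: this bumps an `// indirect` requirement by hand, and the commit message lists the remaining Go CVEs but not which finding the `github.com/rs/cors` v1.11.0 bump closes; name the advisory in the message or a comment so the next reader can tell why a direct pin of an indirect dependency exists. Run `go mod tidy` after the edit so go.mod and go.sum are regenerated together rather than edited independently.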
2 changes: 2 additions & 0 deletions go.sum
Expand Up @@ -1201,6 +1201,8 @@ github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99
github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
github.com/rs/cors v1.10.1 h1:L0uuZVXIKlI1SShY2nhFfo44TYvDPQ1w4oFkUJNfhyo=
github.com/rs/cors v1.10.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
github.com/rs/cors v1.11.0 h1:0B9GE/r9Bc2UxRMMtymBkHTenPkHDv0CW4Y98GBY+po=
github.com/rs/cors v1.11.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
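Review bot: the new `v1.11.0/go.mod` hash is identical to the `v1.10.1/go.mod` hash, which is expected when the module's own go.mod did not change between tags; the `h1:` zip hash is the only real difference. The old `github.com/rs/cors v1.10.1 h1:` zip-hash line is left in place, and `go mod tidy` normally drops that line when no module in the build graph still needs that version's source; run tidy and commit the result to confirm the vulnerable version is really gone from the build rather than merely shadowed.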