diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ad7a1cd..ac3a3e6 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -17,7 +17,11 @@ jobs:
   docker_pipeline:
     needs: ["lint_test"]
-    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.6.0
+    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.10.2
     secrets: inherit
     with:
       publish: true
+      docker_scan: true
+    permissions:
+      security-events: write
+      packages: read
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..63355fc
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,5 @@
+# LND < 0.17.0 issue, not fixing
+CVE-2024-27304
+GHSA-7jwh-3vrq-q3m8
+CVE-2024-27289
+CVE-2024-38359
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index d78a016..b6fe294 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.22.3-alpine as builder
+FROM golang:1.22.7-alpine as builder
 # TARGETPLATFORM should be one of linux/amd64 or linux/arm64.
 ARG TARGETPLATFORM="linux/amd64"
@@ -7,7 +7,7 @@ ARG VERSION
 # Use muslc for static libs
 ARG BUILD_TAGS="muslc"
-
+# hadolint ignore=DL3018
 RUN apk add --no-cache --update openssh git make build-base linux-headers libc-dev \
     pkgconfig zeromq-dev musl-dev alpine-sdk libsodium-dev \
     libzmq-static libsodium-static gcc
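Review bot: The reusable workflow on the `uses:` line is still referenced by a mutable tag (`@v0.10.2`), and with `secrets: inherit` every repository secret is handed to whatever that tag resolves to at run time. Pinning to the full commit SHA and keeping the version as a comment makes the reference immutable: `uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@<commit-sha-of-v0.10.2> # v0.10.2`. The added `permissions` block is scoped to the job, which is the right place; `security-events: write` is presumably what the scan-result upload needs, and nothing broader is requested.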
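Review bot: The four suppressed identifiers share one comment, `# LND < 0.17.0 issue, not fixing`, but nothing records which module each ID was reported against or when the suppression should be revisited, so the ignores will silently outlive the dependency they were written for. Trivy's `.trivyignore` accepts an expiry per entry (`CVE-2024-27304 exp:<YYYY-MM-DD>`), and a one-line comment above each ID naming the affected module and the tracking issue keeps the suppressions auditable; the file is also missing a trailing newline. Whether all four identifiers belong to the LND dependency cannot be confirmed from this hunk.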
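Review bot: The added `# hadolint ignore=DL3018` silences the unpinned-package warning on the builder's `apk add` rather than addressing it, so the toolchain this image compiles against (`build-base`, `libsodium-dev`, `libzmq-static`, …) floats with whatever the `golang:1.22.7-alpine` repositories serve on build day; the same suppression is added in front of the final-image `apk add` in the later Dockerfile hunk. If pinning every package is impractical, a separate comment stating why, e.g. `# DL3018: build-only toolchain, apk package versions intentionally unpinned`, at least documents the decision for the next reader. The `RUN` may continue past the last line visible in this hunk, so its tail was not reviewed.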
@@ -22,20 +22,19 @@ COPY ./ /go/src/github.com/babylonlabs-io/staking-indexer/
 # If version is set, then checkout this version
 RUN if [ -n "${VERSION}" ]; then \
     git checkout -f ${VERSION}; \
-    fi
-
-RUN CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
+    fi && \
+    CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
     CGO_ENABLED=1 \
     BUILD_TAGS=$BUILD_TAGS \
     LINK_STATICALLY=true \
     make build
 
 # FINAL IMAGE
-FROM alpine:3.16 AS run
-
-RUN addgroup --gid 1138 -S staking-indexer && adduser --uid 1138 -S staking-indexer -G staking-indexer
+FROM alpine:3.20 AS run
 
-RUN apk add bash curl jq
+# hadolint ignore=DL3018
+RUN addgroup --gid 1138 -S staking-indexer && adduser --uid 1138 -S staking-indexer -G staking-indexer && \
+    apk add --no-cache bash curl jq && rm -rf /var/cache/apk/*
 
 COPY --from=builder /go/src/github.com/babylonlabs-io/staking-indexer/build/sid /bin/sid
diff --git a/go.mod b/go.mod
index 9f7c3bd..edadc8a 100644
--- a/go.mod
+++ b/go.mod
@@ -246,7 +246,7 @@ require (
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 	github.com/rogpeppe/go-internal v1.12.0 // indirect
-	github.com/rs/cors v1.10.1 // indirect
+	github.com/rs/cors v1.11.0 // indirect
 	github.com/rs/zerolog v1.32.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
diff --git a/go.sum b/go.sum
index 62580bf..1e53b65 100644
--- a/go.sum
+++ b/go.sum
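Review bot: In the new final-image `RUN`, `rm -rf /var/cache/apk/*` is redundant once `apk add --no-cache` is used — `--no-cache` already leaves nothing behind in `/var/cache/apk`, so the trailing command can be dropped: `apk add --no-cache bash curl jq`. The hunk creates uid/gid 1138 but no `USER staking-indexer` is visible in it; if the switch happens later in the file that is fine, otherwise the image still runs as root. `alpine:3.20` is a moving minor tag, so a digest pin (`FROM alpine:3.20@sha256:<digest> AS run`) would make the runtime layer reproducible, and the three packages stay unpinned under the added DL3018 suppression just as in the builder stage.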
@@ -1201,6 +1201,8 @@ github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99
 github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
 github.com/rs/cors v1.10.1 h1:L0uuZVXIKlI1SShY2nhFfo44TYvDPQ1w4oFkUJNfhyo=
 github.com/rs/cors v1.10.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
+github.com/rs/cors v1.11.0 h1:0B9GE/r9Bc2UxRMMtymBkHTenPkHDv0CW4Y98GBY+po=
+github.com/rs/cors v1.11.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=