carbon accounting trivy scan

aldousalvarez · Oct 20, 2023 · 171cb27 · 171cb27
1 parent a86adc9
commit 171cb27
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 4 deletions.
diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml
@@ -0,0 +1,38 @@
+name: azure-container-image-scan
+
+on:
+ push:
+ pull_request:
+ # Publish `main` as Docker `latest` image.
+ branches:
+ - main
+
+ # Publish `v1.2.3` tags as releases.
+ tags:
+ - v*
+
+
+jobs:
+ build-secure-and-push:
+ name: Scan cactus-example-carbon-accounting image
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v2.4.0
+ env:
+ # (Required) The token to use to make API calls to GitHub.
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+ - uses: actions/checkout@v1
+ - name: Login to DockerHub Registry
+ run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+
+ - name: Build Images from Dockerfile
+ run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting
+
+ - uses: Azure/container-scan@v0.1
+ name: Scan image for vulnerabilities
+ id: container-scan
+ continue-on-error: true
+ with:
+ image-name: cactus-example-carbon-accounting
diff --git a/.github/workflows/trivy-container-scan.yaml b/.github/workflows/trivy-container-scan.yaml
@@ -0,0 +1,52 @@
+name: trivy-container-image-scan
+
+on:
+ push:
+ pull_request:
+ # Publish `main` as Docker `latest` image.
+ branches:
+ - main
+
+ # Publish `v1.2.3` tags as releases.
+ tags:
+ - v*
+
+
+jobs:
+
+ build:
+ name: Scan cactus-example-carbon-accounting table image
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Build an image from Dockerfile
+ run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+ - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting
+ uses: aquasecurity/trivy-action@0.11.2
+ with:
+ image-ref: 'cactus-example-carbon-accounting'
+ format: 'table'
+ exit-code: '0'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
+ build2:
+ name: Scan cactus-example-carbon-accounting json image
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Build an image from Dockerfile
+ run: |
+ DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.11.2
+ with:
+ image-ref: 'cactus-example-carbon-accounting'
+ format: 'json'
+ exit-code: '0'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
diff --git a/examples/carbon-accounting/Dockerfile b/examples/carbon-accounting/Dockerfile
@@ -36,9 +36,9 @@ SHELL ["/bin/bash", "--login", "-i", "-c"]
 RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
 RUN source ~/.bashrc && \
  nvm install 16.15.1 && \
- npm install -g yarn && \
- yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production
-
+ npm install --location=global yarn && \
+ yarn set version 3.6.0 && \
+ yarn add @hyperledger/cactus-example-carbon-accounting-backend@2.0.0-alpha.2
 SHELL ["/bin/bash", "--login", "-c"]
 
 

diff --git a/examples/carbon-accounting/supervisord.conf b/examples/carbon-accounting/supervisord.conf
@@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log
 stdout_logfile=/usr/src/app/log/dockerd.out.log
 
 [program:carbon-accounting-app]
-command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
+command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
 autostart=true
 autorestart=unexpected
 exitcodes=0