

carbon accounting trivy scan
aldousalvarez committed Feb 7, 2024

Verified

This commit was signed with the committer’s verified signature.
snyk-bot Snyk bot
1 parent db3fe87 commit a9611a8
Showing 12 changed files with 207 additions and 216 deletions.
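--- a/.github/workflows/azure-container-scan.yaml
+++ b/.github/workflows/azure-container-scan.yaml
@@ -0,0 +1,38 @@
+name: azure-container-image-scan
+
+on:
+push:
+pull_request:
+# Publish `main` as Docker `latest` image.
+branches:
+- main
+
+# Publish `v1.2.3` tags as releases.
+tags:
+- v*
+
+
+jobs:
+build-secure-and-push:
+name: Scan cactus-example-carbon-accounting image
+runs-on: ubuntu-20.04
+steps:
+- uses: actions/checkout@v2.4.0
+env:
+# (Required) The token to use to make API calls to GitHub.
+GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+- uses: actions/checkout@v1
+- name: Login to DockerHub Registry
+run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+
+- name: Build Images from Dockerfile
+run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting
+
+- uses: Azure/container-scan@v0.1
+name: Scan image for vulnerabilities
+id: container-scan
+continue-on-error: true
+with:
+image-name: cactus-example-carbon-accounting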
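Review bot: `continue-on-error: true` on the Azure/container-scan step keeps the job green whatever the scan reports, so this new workflow cannot block a vulnerable image; either drop that line or add a follow-up step that fails on `if: steps.container-scan.outcome == 'failure'`. The job also checks the repository out twice (`actions/checkout@v2.4.0` carrying an `env` block the action does not use, then `actions/checkout@v1`) and logs in to ghcr.io although the built image is never pushed, so one checkout and no login step would do. The `tags:` filter appears to sit under `pull_request:`, where GitHub Actions only honours `branches`/`paths`; if tag pushes are meant to trigger the scan it belongs under `push:` — indentation is not visible in this view, so verify against the file.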
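--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -16,6 +16,16 @@ jobs:
 - name: Get the output response
 run: echo "${{ steps.lint-git-repo.outputs.lint-git-repo-response }}"
 
+check_trivy_condition:
+name: Check Trivy Condition
+runs-on: ubuntu-20.04
+outputs:
+run_trivy_scan: ${{ steps.set_condition_trivy_scan.outputs.run_trivy_scan }}
+steps:
+- name: Set Trivy Condition for cactus-example-carbon-accounting
+id: set_condition_trivy_scan
+run: echo "::set-output name=run_trivy_scan::true" # Set your condition for cactus-example-carbon-accounting here
+
 compute_changed_packages:
 outputs:
 cmd-api-server-changed: ${{ steps.changes.outputs.cmd-api-server-changed }}
@@ -2021,6 +2031,9 @@ jobs:
 - run: ./tools/ci.sh
 ghcr-besu-all-in-one:
 runs-on: ubuntu-20.04
+needs:
+- check_trivy_condition
+if: needs.check_trivy_condition.outputs.run_trivy_scan == 'true'
 steps:
 - uses: actions/checkout@v3.5.2
 - name: ghcr.io/hyperledger/cactus-besu-all-in-one
@@ -2038,7 +2051,8 @@ jobs:
 runs-on: ubuntu-20.04
 needs:
 - compute_changed_packages
-if: needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true'
+- check_trivy_condition
+if: needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true' || needs.check_trivy_condition.outputs.run_trivy_scan == 'true'
 steps:
 - uses: actions/checkout@v3.5.2
 - name: ghcr.io/hyperledger/cactus-cmd-api-server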
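Review bot: `check_trivy_condition` always emits `run_trivy_scan=true`, so the `if:` added to ghcr-besu-all-in-one is always satisfied and the `|| needs.check_trivy_condition.outputs.run_trivy_scan == 'true'` appended to the cmd-api-server job cancels its existing `cmd-api-server-changed == 'true'` guard — that job will now build and push on every run, not only when the package changed. If a manual override is intended, derive the output from something that can actually vary, for example a repository variable via `run: echo "run_trivy_scan=${{ vars.RUN_TRIVY_SCAN }}" >> "$GITHUB_OUTPUT"` (variable name illustrative), or combine the two conditions with `&&`. That form also replaces the deprecated `::set-output` workflow command the new step relies on; the identical step in trivy-container-scan.yaml has the same problem.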
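--- a/.github/workflows/trivy-container-scan.yaml
+++ b/.github/workflows/trivy-container-scan.yaml
@@ -0,0 +1,64 @@
+name: trivy-container-image-scan
+
+on:
+push:
+pull_request:
+branches:
+- main
+tags:
+- v*
+
+jobs:
+
+check_trivy_condition:
+name: Check Trivy Condition
+runs-on: ubuntu-20.04
+outputs:
+run_trivy_scan: ${{ steps.set_condition_trivy_scan.outputs.run_trivy_scan }}
+steps:
+- name: Set Trivy Condition for cactus-example-carbon-accounting
+id: set_condition_trivy_scan
+run: echo "::set-output name=run_trivy_scan::true" # Set your condition for cactus-example-carbon-accounting here
+
+build:
+name: Scan cactus-example-carbon-accounting table image
+runs-on: ubuntu-20.04
+needs:
+- check_trivy_condition
+if: ${{ needs.check_trivy_condition.outputs.run_trivy_scan == 'true' }}
+steps:
+- name: Checkout code
+uses: actions/checkout@v2
+- name: Build an image from Dockerfile
+run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+- name: Run Trivy vulnerability scan for cactus-example-carbon-accounting
+uses: aquasecurity/trivy-action@0.11.2
+with:
+image-ref: 'cactus-example-carbon-accounting'
+format: 'table'
+exit-code: '0'
+ignore-unfixed: true
+vuln-type: 'os,library'
+severity: 'CRITICAL,HIGH'
+
+build2:
+name: Scan cactus-connector-besu json image
+runs-on: ubuntu-20.04
+needs:
+- check_trivy_condition
+if: ${{ needs.check_trivy_condition.outputs.run_trivy_scan == 'false' }}
+steps:
+- name: Checkout code
+uses: actions/checkout@v2
+- name: Build an image from Dockerfile
+run: |
+DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu/ -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-plugin-besu
+- name: Run Trivy vulnerability scanner
+uses: aquasecurity/trivy-action@0.11.2
+with:
+image-ref: 'cactus-plugin-besu'
+format: 'table'
+exit-code: '0'
+ignore-unfixed: false
+vuln-type: 'os,library'
+severity: 'CRITICAL,HIGH'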
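Review bot: `build2` is gated on `run_trivy_scan == 'false'` while `check_trivy_condition` in this same file unconditionally outputs `true`, so the cactus-plugin-besu scan never runs; if both images are meant to be scanned, give it the same `== 'true'` condition as `build` or remove the `if:` altogether. Both Trivy steps set `exit-code: '0'`, so CRITICAL/HIGH findings only appear in the job log and never fail the workflow; either set `exit-code: '1'` or switch to `format: 'sarif'` with an `output:` file and upload it, so findings are tracked rather than scrolled past. `ignore-unfixed` is `true` for one image and `false` for the other with no comment saying why; a one-line comment above each would help the next reader.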
@@ -76,13 +76,19 @@
"devDependencies": {
"@types/express": "4.17.19",
"@types/fs-extra": "9.0.13",
"@types/http-cache-semantics": "4.0.4",
"@types/json-stable-stringify": "1.0.34",
"@types/jsrsasign": "10.5.12",
"@types/qs": "6.9.11",
"@types/uuid": "8.3.4",
"express-jwt": "8.4.1",
"hardhat": "2.17.2",
"http-cache-semantics": "4.1.1",
"http-status-codes": "2.1.4",
"jose": "4.9.2",
"json-stable-stringify": "1.0.2"
"json-stable-stringify": "1.0.2",
"jsrsasign": "11.0.0",
"qs": "6.11.2"
},
"engines": {
"node": ">=18",
9 changes: 5 additions & 4 deletions examples/carbon-accounting/Dockerfile
@@ -1,4 +1,4 @@
FROM cruizba/ubuntu-dind:19.03.11 as runner
FROM cruizba/ubuntu-dind:20.10.9 as runner

USER root

@@ -34,11 +34,12 @@ WORKDIR ${APP}
SHELL ["/bin/bash", "--login", "-i", "-c"]
# Installing Node Version Manager (nvm)
RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
ARG NPM_PKG_VERSION=latest
RUN source ~/.bashrc && \
nvm install 16.15.1 && \
nvm install 16.20.2 && \
npm install -g yarn && \
yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production

yarn add @hyperledger/cactus-example-carbon-accounting-backend@${NPM_PKG_VERSION} --ignore-engines --production
SHELL ["/bin/bash", "--login", "-c"]
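Review bot: `nvm install 16.20.2` moves the nvm-managed Node binary into a `v16.20.2` directory, but examples/carbon-accounting/supervisord.conf in this same commit points `[program:carbon-accounting-app]` at `/home/appuser/.nvm/versions/node/v16.15.1/bin/node`, so supervisord will not find the interpreter unless 16.15.1 is also installed somewhere outside this hunk; update that path to `v16.20.2` or resolve it through nvm at runtime so the two files cannot drift again. The new `ARG NPM_PKG_VERSION=latest` default means an unparameterised build pulls whichever backend version is published at build time, which is not reproducible; a comment such as `# Release builds must pass --build-arg NPM_PKG_VERSION=<version>` documents the expectation. Which of the paired `nvm install` / `yarn add` lines is the new side is not marked in this view, so this assumes the 16.20.2 and `${NPM_PKG_VERSION}` lines are the additions.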


2 changes: 1 addition & 1 deletion examples/carbon-accounting/supervisord.conf
@@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log
stdout_logfile=/usr/src/app/log/dockerd.out.log

[program:carbon-accounting-app]
command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
autostart=true
autorestart=unexpected
exitcodes=0
2 changes: 1 addition & 1 deletion packages/cactus-plugin-ledger-connector-besu/Dockerfile
@@ -1,4 +1,4 @@
FROM ghcr.io/hyperledger/cactus-cmd-api-server:2022-08-05-7309f2a
FROM ghcr.io/hyperledger/cactus-cmd-api-server:2024-01-24-dd85b12
RUN npm install -g yarn@1.22.17

ENV NODE_ENV=production
10 changes: 10 additions & 0 deletions packages/cactus-plugin-ledger-connector-besu/package.json
@@ -78,12 +78,22 @@
"@hyperledger/cactus-plugin-keychain-memory": "2.0.0-alpha.2",
"@hyperledger/cactus-test-tooling": "2.0.0-alpha.2",
"@types/body-parser": "1.19.4",
"@types/convict": "6.1.1",
"@types/express": "4.17.19",
"@types/http-cache-semantics": "4.0.4",
"@types/http-errors": "2.0.4",
"@types/node-forge": "1.0.1",
"@types/qs": "6.9.10",
"@types/uuid": "9.0.6",
"body-parser": "1.20.2",
"convict": "6.2.4",
"http-cache-semantics": "4.1.1",
"key-encoder": "2.0.3",
"node-forge": "1.3.0",
"protobufjs": "6.11.4",
"qs": "6.7.3",
"socket.io": "4.5.4",
"socket.io-parser": "4.2.3",
"uuid": "9.0.1",
"web3-core": "1.6.1",
"web3-eth": "1.6.1"
6 changes: 3 additions & 3 deletions packages/cactus-plugin-ledger-connector-iroha/Dockerfile
@@ -1,7 +1,7 @@
FROM ghcr.io/hyperledger/cactus-cmd-api-server:2022-11-14-6ff6aac
RUN npm install -g yarn@1.22.17
FROM ghcr.io/hyperledger/cactus-cmd-api-server:2023-12-21-f8f6bcb
RUN npm i -g corepack && corepack enable && corepack prepare yarn@3.6.0 --activate

ENV NODE_ENV=production
ARG NPM_PKG_VERSION=latest

RUN yarn add @hyperledger/cactus-plugin-ledger-connector-iroha@${NPM_PKG_VERSION} --production --ignore-engines
RUN yarn add @hyperledger/cactus-plugin-ledger-connector-iroha@${NPM_PKG_VERSION}
4 changes: 2 additions & 2 deletions packages/cactus-plugin-persistence-ethereum/package.json
@@ -77,8 +77,8 @@
"@openapitools/openapi-generator-cli": "2.7.0",
"@types/express": "4.17.19",
"@types/pg": "8.6.5",
"body-parser": "1.19.0",
"express": "4.17.1",
"body-parser": "1.20.2",
"express": "4.18.2",
"jest-extended": "4.0.1",
"npm-run-all": "4.1.5",
"rxjs": "7.8.1",
6 changes: 3 additions & 3 deletions tools/docker/iroha-all-in-one/Dockerfile
@@ -1,7 +1,7 @@
FROM hyperledger/iroha:1.4.0-patch-3
FROM hyperledger/iroha:1.6.0-hotfix-3

ARG DEBIAN_FRONTEND=noninteractive
RUN set -e && apt-get update && \
ARG DEBIAN_FRONTEND=noninteractive
RUN set -e && apt-get update && \
apt-get install -y moreutils jq wget python3 python3-pip && \
pip install iroha && \
apt-get purge -y `apt-get -s purge python3-pip | grep '^ ' | tr -d '*'` && \
