Samples: Scan dependencies with Trivy

but currently only on Linux x64 and arm64 because Trivy Docker images are not available for arm32 or Windows
dotnet · Dec 12, 2021 · 7ff6d88 · 7ff6d88
1 parent 24ccb9c
commit 7ff6d88
Show file tree

Hide file tree

Showing 22 changed files with 231 additions and 19 deletions.
diff --git a/samples/aspnetapp/Dockerfile.alpine-arm64 b/samples/aspnetapp/Dockerfile.alpine-arm64
@@ -1,13 +1,24 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
 COPY *.sln .
 COPY aspnetapp/*.csproj ./aspnetapp/
 RUN dotnet restore -r linux-musl-arm64
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy everything else and build app
+FROM restore AS build
 COPY aspnetapp/. ./aspnetapp/
 WORKDIR /source/aspnetapp
 RUN dotnet publish -c release -o /app -r linux-musl-arm64 --self-contained false --no-restore

diff --git a/samples/aspnetapp/Dockerfile.alpine-x64 b/samples/aspnetapp/Dockerfile.alpine-x64
@@ -1,13 +1,24 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
 COPY *.sln .
 COPY aspnetapp/*.csproj ./aspnetapp/
 RUN dotnet restore -r linux-musl-x64
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy everything else and build app
+FROM restore AS build
 COPY aspnetapp/. ./aspnetapp/
 WORKDIR /source/aspnetapp
 RUN dotnet publish -c release -o /app -r linux-musl-x64 --self-contained false --no-restore

diff --git a/samples/aspnetapp/Dockerfile.alpine-x64-slim b/samples/aspnetapp/Dockerfile.alpine-x64-slim
@@ -1,13 +1,24 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
 COPY *.sln .
 COPY aspnetapp/*.csproj ./aspnetapp/
 RUN dotnet restore -r linux-musl-x64 /p:PublishReadyToRun=true
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy everything else and build app
+FROM restore AS build
 COPY aspnetapp/. ./aspnetapp/
 WORKDIR /source/aspnetapp
 RUN dotnet publish -c release -o /app -r linux-musl-x64 --self-contained true --no-restore /p:PublishTrimmed=true /p:PublishReadyToRun=true /p:PublishSingleFile=true

diff --git a/samples/aspnetapp/Dockerfile.debian-arm64 b/samples/aspnetapp/Dockerfile.debian-arm64
@@ -1,13 +1,24 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0 AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
 COPY *.sln .
 COPY aspnetapp/*.csproj ./aspnetapp/
 RUN dotnet restore -r linux-arm64
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy everything else and build app
+FROM restore AS build
 COPY aspnetapp/. ./aspnetapp/
 WORKDIR /source/aspnetapp
 RUN dotnet publish -c release -o /app -r linux-arm64 --self-contained false --no-restore

diff --git a/samples/aspnetapp/Dockerfile.debian-x64 b/samples/aspnetapp/Dockerfile.debian-x64
@@ -1,13 +1,24 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0 AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
 COPY *.sln .
 COPY aspnetapp/*.csproj ./aspnetapp/
 RUN dotnet restore -r linux-x64
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy everything else and build app
+FROM restore AS build
 COPY aspnetapp/. ./aspnetapp/
 WORKDIR /source/aspnetapp
 RUN dotnet publish -c release -o /app -r linux-x64 --self-contained false --no-restore

diff --git a/samples/aspnetapp/Dockerfile.debian-x64-slim b/samples/aspnetapp/Dockerfile.debian-x64-slim
@@ -1,13 +1,24 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0 AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
 COPY *.sln .
 COPY aspnetapp/*.csproj ./aspnetapp/
 RUN dotnet restore -r linux-x64 /p:PublishReadyToRun=true
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy everything else and build app
+FROM restore AS build
 COPY aspnetapp/. ./aspnetapp/
 WORKDIR /source/aspnetapp
 RUN dotnet publish -c release -o /app -r linux-x64 --self-contained true --no-restore /p:PublishTrimmed=true /p:PublishReadyToRun=true /p:PublishSingleFile=true

diff --git a/samples/aspnetapp/Dockerfile.ubuntu-x64 b/samples/aspnetapp/Dockerfile.ubuntu-x64
@@ -1,13 +1,24 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0-focal AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0-focal AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
 COPY *.sln .
 COPY aspnetapp/*.csproj ./aspnetapp/
 RUN dotnet restore -r linux-x64
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy everything else and build app
+FROM restore AS build
 COPY aspnetapp/. ./aspnetapp/
 WORKDIR /source/aspnetapp
 RUN dotnet publish -c release -o /app -r linux-x64 --self-contained false --no-restore

diff --git a/samples/aspnetapp/Dockerfile.ubuntu-x64-slim b/samples/aspnetapp/Dockerfile.ubuntu-x64-slim
@@ -1,13 +1,24 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0-focal AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0-focal AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
 COPY *.sln .
 COPY aspnetapp/*.csproj ./aspnetapp/
 RUN dotnet restore -r linux-x64 /p:PublishReadyToRun=true
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy everything else and build app
+FROM restore AS build
 COPY aspnetapp/. ./aspnetapp/
 WORKDIR /source/aspnetapp
 RUN dotnet publish -c release -o /app -r linux-x64 --self-contained true --no-restore /p:PublishTrimmed=true /p:PublishReadyToRun=true /p:PublishSingleFile=true

diff --git a/samples/aspnetapp/aspnetapp/aspnetapp.csproj b/samples/aspnetapp/aspnetapp/aspnetapp.csproj
@@ -5,6 +5,7 @@
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
     <UserSecretsId>57393389627611478466</UserSecretsId>
+    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
   </PropertyGroup>
 
 </Project>
diff --git a/samples/complexapp/Dockerfile b/samples/complexapp/Dockerfile
@@ -1,5 +1,5 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0 AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
@@ -8,7 +8,18 @@ COPY libfoo/*.csproj libfoo/
 COPY libbar/*.csproj libbar/
 RUN dotnet restore complexapp/complexapp.csproj
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy and build app and libraries
+FROM restore AS build
 COPY complexapp/ complexapp/
 COPY libfoo/ libfoo/
 COPY libbar/ libbar/

diff --git a/samples/complexapp/complexapp/complexapp.csproj b/samples/complexapp/complexapp/complexapp.csproj
@@ -4,6 +4,7 @@
     <OutputType>Exe</OutputType>
     <TargetFramework>net6.0</TargetFramework>
     <Nullable>enable</Nullable>
+    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
   </PropertyGroup>
 
   <ItemGroup>

diff --git a/samples/dotnetapp/Dockerfile b/samples/dotnetapp/Dockerfile
@@ -1,12 +1,23 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0 AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
 COPY *.csproj .
 RUN dotnet restore
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy and publish app and libraries
+FROM restore AS build
 COPY . .
 RUN dotnet publish -c release -o /app --no-restore
 

diff --git a/samples/dotnetapp/Dockerfile.alpine-arm64 b/samples/dotnetapp/Dockerfile.alpine-arm64
@@ -1,12 +1,23 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
 COPY *.csproj .
 RUN dotnet restore -r linux-musl-arm64
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy and publish app and libraries
+FROM restore AS build
 COPY . .
 RUN dotnet publish -c release -o /app -r linux-musl-arm64 --self-contained false --no-restore
 

diff --git a/samples/dotnetapp/Dockerfile.alpine-x64 b/samples/dotnetapp/Dockerfile.alpine-x64
@@ -1,12 +1,23 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
 COPY *.csproj .
 RUN dotnet restore -r linux-musl-x64
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy and publish app and libraries
+FROM restore AS build
 COPY . .
 RUN dotnet publish -c release -o /app -r linux-musl-x64 --self-contained false --no-restore
 

diff --git a/samples/dotnetapp/Dockerfile.alpine-x64-slim b/samples/dotnetapp/Dockerfile.alpine-x64-slim
@@ -1,12 +1,23 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
 COPY *.csproj .
 RUN dotnet restore -r linux-musl-x64 /p:PublishReadyToRun=true
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy and publish app and libraries
+FROM restore AS build
 COPY . .
 RUN dotnet publish -c release -o /app -r linux-musl-x64 --self-contained true --no-restore /p:PublishTrimmed=true /p:PublishReadyToRun=true /p:PublishSingleFile=true
 

diff --git a/samples/dotnetapp/Dockerfile.debian-arm64 b/samples/dotnetapp/Dockerfile.debian-arm64
@@ -1,12 +1,23 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0 AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
 COPY *.csproj .
 RUN dotnet restore -r linux-arm64
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy and publish app and libraries
+FROM restore AS build
 COPY . .
 RUN dotnet publish -c release -o /app -r linux-arm64 --self-contained false --no-restore
 

diff --git a/samples/dotnetapp/Dockerfile.debian-x64 b/samples/dotnetapp/Dockerfile.debian-x64
@@ -1,12 +1,23 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0 AS restore
 WORKDIR /source
 
 # copy csproj and restore as distinct layers
 COPY *.csproj .
 RUN dotnet restore -r linux-x64
 
+# dependencies vulnerability scan
+FROM aquasec/trivy AS trivy
+COPY --from=restore /source /source
+RUN trivy fs \
+    --exit-code 1 \
+    --no-progress \
+    --ignore-unfixed \
+    --severity "HIGH,CRITICAL" \
+    --security-checks vuln /source
+
 # copy and publish app and libraries
+FROM restore AS build
 COPY . .
 RUN dotnet publish -c release -o /app -r linux-x64 --self-contained false --no-restore