ci: add container scanning to default checks

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
hyperledger-cacti · Jul 20, 2023 · 345fb30 · 345fb30
1 parent 15d9e9d
commit 345fb30
Show file tree

Hide file tree

Showing 10 changed files with 77 additions and 16 deletions.
diff --git a/.cspell.json b/.cspell.json
@@ -17,6 +17,7 @@
         "Bools",
         "brioux",
         "cactusf",
+        "cactuts",
         "cafile",
         "caio",
         "cccs",

diff --git a/.github/workflows/trivy-container-scan.yaml b/.github/workflows/trivy-container-scan.yaml
@@ -0,0 +1,53 @@
+name: trivy-container-image-scan
+
+on:
+  push:
+  pull_request:
+    # Publish `main` as Docker `latest` image.
+    branches:
+      - main
+
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+
+
+jobs:
+
+  build:
+    name: Scan cactus-connector-besu table image
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build an image from Dockerfile
+        run: |
+          DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-connector-besu
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.11.2
+        with:
+          image-ref: 'cactus-connector-besu'
+          format: 'table'
+          exit-code: '0'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+  build2:
+    name: Scan cactus-connector-besu json image
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build an image from Dockerfile
+        run: |
+          DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-connector-besu
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.11.2
+        with:
+          image-ref: 'cactus-connector-besu'
+          format: 'json'
+          exit-code: '0'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
diff --git a/examples/carbon-accounting/Dockerfile b/examples/carbon-accounting/Dockerfile
@@ -37,7 +37,7 @@ RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | b
 RUN source ~/.bashrc && \
     nvm install 16.15.1 && \
     npm install -g yarn && \
-    yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production
+    yarn add @hyperledger/cactus-example-carbon-accounting-backend@1.1.0 --ignore-engines --production
 
 SHELL ["/bin/bash", "--login", "-c"]
 

diff --git a/packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile b/packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile
@@ -1,12 +1,12 @@
-FROM rust:1.63.0 as builder
+FROM rust:1.65.0 as builder
 
 WORKDIR /
 RUN USER=root cargo new --bin cactus-keychain-vault-server
 WORKDIR /cactus-keychain-vault-server
 ADD ./rust/gen/ ./
 RUN cargo build --release --example server
 
-FROM debian:buster-slim
+FROM debian:bullseye-slim
 ARG APP=/usr/src/app
 
 RUN apt-get update

diff --git a/packages/cactus-plugin-ledger-connector-besu/Dockerfile b/packages/cactus-plugin-ledger-connector-besu/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/hyperledger/cactus-cmd-api-server:2022-08-05-7309f2a
+FROM ghcr.io/hyperledger/cactus-cmd-api-server:2022-11-15-f4ae605
 RUN npm install -g yarn@1.22.17
 
 ENV NODE_ENV=production

diff --git a/...fabric/src/test/typescript/integration/fabric-v2-2-x/deploy-cc-from-golang-source.test.ts b/...fabric/src/test/typescript/integration/fabric-v2-2-x/deploy-cc-from-golang-source.test.ts
@@ -58,8 +58,12 @@ test(testCase, async (t: Test) => {
   const ledger = new FabricTestLedgerV1({
     emitContainerLogs: true,
     publishAllPorts: true,
-    imageName: "ghcr.io/hyperledger/cactus-fabric2-all-in-one",
-    envVars: new Map([["FABRIC_VERSION", "2.2.0"]]),
+    imageName: "cactuts/faio",
+    envVars: new Map([
+      ["FABRIC_VERSION", "2.4.4"],
+      ["CA_VERSION", "1.5.3"],
+    ]),
+    imageVersion: "latest",
     logLevel,
   });
 

diff --git a/tools/docker/besu-all-in-one/Dockerfile b/tools/docker/besu-all-in-one/Dockerfile
@@ -6,6 +6,8 @@ FROM quorumengineering/tessera:$TESSERA_VERSION AS tessera
 
 COPY --from=besu /opt/besu/ /opt/besu/
 
+USER root
+
 RUN mkdir /config/
 RUN mkdir /config/orion/
 RUN mkdir /config/besu/

diff --git a/tools/docker/corda-all-in-one/Dockerfile b/tools/docker/corda-all-in-one/Dockerfile
@@ -2,7 +2,7 @@ FROM docker:24.0.2-dind
 
 ARG SAMPLES_KOTLIN_SHA=30fd841dd035934bae75ab8910da3b6e3d5d6ee7
 ARG SAMPLES_KOTLIN_CORDAPP_SUB_DIR_PATH="./Advanced/obligation-cordapp/"
-ARG CORDA_TOOLS_SHELL_CLI_VERSION=4.7
+ARG CORDA_TOOLS_SHELL_CLI_VERSION=4.8.9
 
 WORKDIR /
 

diff --git a/tools/docker/corda-all-in-one/corda-v4_8/Dockerfile b/tools/docker/corda-all-in-one/corda-v4_8/Dockerfile
@@ -1,10 +1,10 @@
 FROM docker:24.0.2-dind
 
-# cordaVersion=4.8.5
-# cordaCoreVersion=4.8.5
+# cordaVersion=4.9
+# cordaCoreVersion=4.9
 ARG SAMPLES_KOTLIN_SHA=1504878ce446555bd861bbe4dd3d1154e905a07f
 ARG SAMPLES_KOTLIN_CORDAPP_SUB_DIR_PATH="./Advanced/obligation-cordapp/"
-ARG CORDA_TOOLS_SHELL_CLI_VERSION=4.8
+ARG CORDA_TOOLS_SHELL_CLI_VERSION=4.8.7
 
 WORKDIR /
 

diff --git a/tools/docker/fabric-all-in-one/Dockerfile_v2.x b/tools/docker/fabric-all-in-one/Dockerfile_v2.x
@@ -2,10 +2,11 @@
 # https://github.com/docker-library/docker/issues/170
 FROM docker:24.0.2-dind
 
-ARG FABRIC_VERSION=2.2.0
-ARG CA_VERSION=1.4.9
+ARG FABRIC_VERSION=2.4.4
+ARG CA_VERSION=1.5.3
 ARG COUCH_VERSION_FABRIC=0.4
-ARG COUCH_VERSION=3.1.1
+ARG COUCH_VERSION=3.2.2
+ARG FABRIC_NODEENV=2.4.2
 
 WORKDIR /
 
@@ -46,8 +47,8 @@ RUN apk add --no-cache file
 RUN apk add --no-cache npm nodejs
 
 # Download and setup path variables for Go
-RUN wget https://golang.org/dl/go1.15.5.linux-amd64.tar.gz
-RUN tar -xvf go1.15.5.linux-amd64.tar.gz
+RUN wget https://golang.org/dl/go1.18.3.linux-amd64.tar.gz
+RUN tar -xvf go1.18.3.linux-amd64.tar.gz
 RUN mv go /usr/local
 ENV GOROOT=/usr/local/go
 ENV GOPATH=/usr/local/go
@@ -149,7 +150,7 @@ RUN mkdir -p /etc/couchdb/
 RUN /download-frozen-image-v2.sh /etc/hyperledger/fabric/fabric-peer/ hyperledger/fabric-peer:${FABRIC_VERSION}
 RUN /download-frozen-image-v2.sh /etc/hyperledger/fabric/fabric-orderer/ hyperledger/fabric-orderer:${FABRIC_VERSION}
 RUN /download-frozen-image-v2.sh /etc/hyperledger/fabric/fabric-ccenv/ hyperledger/fabric-ccenv:${FABRIC_VERSION}
-RUN /download-frozen-image-v2.sh /etc/hyperledger/fabric/fabric-nodeenv/ hyperledger/fabric-nodeenv:${FABRIC_VERSION}
+RUN /download-frozen-image-v2.sh /etc/hyperledger/fabric/fabric-nodeenv/ hyperledger/fabric-nodeenv:${FABRIC_NODEENV}
 RUN /download-frozen-image-v2.sh /etc/hyperledger/fabric/fabric-tools/ hyperledger/fabric-tools:${FABRIC_VERSION}
 RUN /download-frozen-image-v2.sh /etc/hyperledger/fabric/fabric-baseos/ hyperledger/fabric-baseos:${FABRIC_VERSION}
 RUN /download-frozen-image-v2.sh /etc/hyperledger/fabric/fabric-ca/ hyperledger/fabric-ca:${CA_VERSION}