Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: add container scanning to default checks #2870

Merged
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
156 changes: 51 additions & 105 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
---
env:
NODEJS_VERSION: v18.18.2
RUN_TRIVY_SCAN: true
jobs:
ActionLint:
uses: ./.github/workflows/actionlint.yaml
Expand Down Expand Up @@ -1635,7 +1636,7 @@ jobs:
with:
node-version: ${{ env.NODEJS_VERSION }}
- uses: actions/checkout@v4.1.1

- id: yarn-cache
name: Restore Yarn Cache
uses: actions/cache@v4.0.1
Expand All @@ -1645,6 +1646,19 @@ jobs:
restore-keys: |
${{ runner.os }}-yarn-${{ hashFiles('./yarn.lock') }}
- run: ./tools/ci.sh

- name: Build an image from Dockerfile
run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-plugin-ledger-connector-quorum/Dockerfile -t plugin-ledger-connector-quorum
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for plugin-ledger-connector-quorum
uses: aquasecurity/trivy-action@0.19.0
with:
image-ref: 'plugin-ledger-connector-quorum'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
cplc-sawtooth:
continue-on-error: false
env:
Expand Down Expand Up @@ -1984,7 +1998,7 @@ jobs:
with:
node-version: ${{ env.NODEJS_VERSION }}
- uses: actions/checkout@v4.1.1

- id: yarn-cache
name: Restore Yarn Cache
uses: actions/cache@v4.0.1
Expand Down Expand Up @@ -2109,16 +2123,7 @@ jobs:
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-besu-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile -t cactus-besu-all-in-one
- name: Run Trivy vulnerability scan for cactus-besu-all-in-one
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-besu-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile
ghcr-cmd-api-server:
runs-on: ubuntu-22.04
needs:
Expand All @@ -2128,13 +2133,14 @@ jobs:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-cmd-api-server
run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-cmd-api-server/Dockerfile -t cactus-cmd-api-server
- name: Run Trivy vulnerability scan for cactus-cmd-api-server
uses: aquasecurity/trivy-action@0.11.2
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-cmd-api-server
uses: aquasecurity/trivy-action@0.19.0
with:
image-ref: 'cactus-cmd-api-server'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-besu:
Expand All @@ -2146,13 +2152,14 @@ jobs:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-connector-besu
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu/ -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-connector-besu
- name: Run Trivy vulnerability scan for cactus-connector-besu
uses: aquasecurity/trivy-action@0.11.2
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-connector-besu
uses: aquasecurity/trivy-action@0.19.0
with:
image-ref: 'cactus-connector-besu'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-corda-server:
Expand All @@ -2165,13 +2172,14 @@ jobs:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-connector-corda-server
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-corda/src/main-server/ -f ./packages/cactus-plugin-ledger-connector-corda/src/main-server/Dockerfile -t cactus-connector-corda-server
- name: Run Trivy vulnerability scan for cactus-connector-corda-server
uses: aquasecurity/trivy-action@0.11.2
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-connector-corda-server
uses: aquasecurity/trivy-action@0.19.0
with:
image-ref: 'cactus-connector-corda-server'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-fabric:
Expand All @@ -2184,13 +2192,14 @@ jobs:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-connector-fabric
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-fabric/ -f ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile -t cactus-connector-fabric
- name: Run Trivy vulnerability scan for cactus-connector-fabric
uses: aquasecurity/trivy-action@0.11.2
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-connector-fabric
uses: aquasecurity/trivy-action@0.19.0
with:
image-ref: 'cactus-connector-fabric'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-corda-all-in-one:
Expand All @@ -2201,16 +2210,8 @@ jobs:
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-corda-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/Dockerfile -t cactus-corda-all-in-one
- name: Run Trivy vulnerability scan for cactus-corda-all-in-one
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-corda-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/Dockerfile

ghcr-corda-all-in-one-flowdb:
runs-on: ubuntu-22.04
steps:
Expand All @@ -2226,15 +2227,7 @@ jobs:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-corda-all-in-one-obligation
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile -t cactus-corda-all-in-one-obligation
- name: Run Trivy vulnerability scan for cactus-corda-all-in-one-obligation
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-corda-all-in-one-obligation'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

ghcr-dev-container-vscode:
runs-on: ubuntu-22.04
needs:
Expand All @@ -2257,106 +2250,59 @@ jobs:
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-example-carbon-accounting
run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
- name: Run Trivy vulnerability scan for cactus-example-carbon-accounting
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-example-carbon-accounting'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile

ghcr-example-supply-chain-app:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-example-supply-chain-app
run: DOCKER_BUILDKIT=1 docker build . -f ./examples/cactus-example-supply-chain-backend/Dockerfile -t cactus-example-supply-chain-app
- name: Run Trivy vulnerability scan for cactus-example-supply-chain-app
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-example-supply-chain-app'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

ghcr-fabric-all-in-one:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-fabric-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x -t cactus-fabric-all-in-one
- name: Run Trivy vulnerability scan for cactus-fabric-all-in-one
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-fabric-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x

ghcr-fabric2-all-in-one:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-fabric2-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x -t cactus-fabric2-all-in-one
- name: Run Trivy vulnerability scan for cactus-fabric2-all-in-one
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-fabric2-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x

ghcr-keychain-vault-server:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-keychain-vault-server
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/ -f ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile -t cactus-keychain-vault-server
- name: Run Trivy vulnerability scan for cactus-keychain-vault-server
uses: aquasecurity/trivy-action@0.11.2
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-keychain-vault-server
uses: aquasecurity/trivy-action@0.19.0
with:
image-ref: 'cactus-keychain-vault-server'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-quorum-all-in-one:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-quorum-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile -t cactus-quorum-all-in-one
- name: Run Trivy vulnerability scan for cactus-quorum-all-in-one
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-quorum-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile

ghcr-quorum-multi-party-all-in-one:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-quorum-multi-party-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-multi-party-all-in-one/ -f ./tools/docker/quorum-multi-party-all-in-one/Dockerfile -t cactus-quorum-multi-party-all-in-one
- name: Run Trivy vulnerability scan for cactus-quorum-multi-party-all-in-one
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-quorum-multi-party-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

name: Cactus_CI
'on':
pull_request:
Expand All @@ -2367,4 +2313,4 @@ name: Cactus_CI
push:
branches:
- main
- dev
- dev
Loading