ci: add container scanning to default checks
Fixes hyperledger-cacti#1876

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
zondervancalvez committed Apr 20, 2022
1 parent dda3f00 commit 403ed9d
Showing 2 changed files with 143 additions and 0 deletions.
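--- a/.github/containerscan/allowedlist.yaml
+++ b/.github/containerscan/allowedlist.yaml
@@ -0,0 +1,24 @@
+general:
+vulnerabilities:
+- CVE-2003-1307
+- CVE-2007-0086
+- CVE-2019-3462
+- CVE-2011-3374
+- CVE-2022-24771
+- CVE-2022-24772
+- CVE-2021-32803
+- CVE-2021-32804
+- CVE-2021-37701
+- CVE-2021-37712
+- CVE-2021-37713
+- CVE-2019-10773
+- CVE-2020-8131
+- CVE-2021-43138
+bestPracticeViolations:
+- DKL-LI-0003
+- CIS-DI-0006
+- DKL-DI-0006
+- CIS-DI-0010
+- CIS-DI-0001
+- DKL-DI-0005
+- CIS-DI-0008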
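Review bot: Every entry in this allowlist is suppressed for all scanned images with no recorded reason, owner or review date, so nothing in the file shows why a finding was judged acceptable or when it should be re-checked. Put a comment above each ID, e.g. `# CVE-2019-3462: <reason it is not reachable here>, revisit <date>`, and remove entries once the base image or dependency is upgraded. The `bestPracticeViolations` list needs the same treatment; if these are Dockle checkpoint IDs, `CIS-DI-0001` (non-root user) and `CIS-DI-0010` (secrets stored in the image) are checks better fixed per image than silenced globally.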
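--- a/.github/workflows/azure-container-scan.yaml
+++ b/.github/workflows/azure-container-scan.yaml
@@ -0,0 +1,119 @@
+name: azure-container-image-scan
+
+on:
+push:
+# Publish `main` as Docker `latest` image.
+branches:
+- main
+
+# Publish `v1.2.3` tags as releases.
+tags:
+- v*
+
+jobs:
+build-secure-and-push:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@master
+env:
+# (Required) The token to use to make API calls to GitHub.
+GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+- uses: actions/checkout@v1
+- name: Login to DockerHub Registry
+run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-besu-all-in-one
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-whitepaper
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+- uses: Azure/container-scan@v0.1
+with:
+image-name: cactus-cmd-api-server
+run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-connector-fabric
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-connector-corda-server
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-connector-besu
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: corda-4-6-all-in-one-obligation
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-corda-4-7-all-in-one-obligation
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: corda-4-8-all-in-one-obligation-publish
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-dev-container-vscode
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-example-carbon-accounting
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-example-supply-chain-app
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-fabric-all-in-one
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-fabric2-all-in-one
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-iroha-all-in-one
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-keychain-vault-server
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-quorum-all-in-one
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-rust-compiler
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+# - uses: Azure/container-scan@v0.1
+# with:
+# image-name: cactus-test-npm-registry
+# run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin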
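Review bot: The active `Azure/container-scan@v0.1` step carries a `run:` key next to `uses:`/`with:`. Indentation is lost on this page, so it is either an unrecognised input or a second action key that makes the step invalid; either way the repeated `docker login` belongs only in the earlier login step and should be dropped here. `image-name: cactus-cmd-api-server` has no registry or tag and no earlier step builds or pulls it, so the scanner presumably has nothing to scan; use a fully qualified reference such as `image-name: ghcr.io/<owner>/cactus-cmd-api-server:<tag>`. The workflow also checks out twice through mutable refs (`actions/checkout@master`, `actions/checkout@v1`) and declares no `permissions:`; keep one checkout pinned to a commit SHA and limit the token to `contents: read` and `packages: read`. Because the trigger is `push` to `main` and tags only, pull requests are not scanned before merge.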
