Skip to content

Commit

Permalink
ci: add container scanning to default checks
Browse files Browse the repository at this point in the history
Trivy is a cutting-edge security tool designed to enhance
the safety of containerized applications by conducting thorough
vulnerability assessments. Specifically developed for scanning
container images, ranging from low-severity issues to critical
threats. It employs an intelligent rating system to categorize
vulnerabilities based on their severity levels, ensuring that
high to critical vulnerabilities are given special attention.
Upon detecting vulnerabilities that fall within this elevated
range, Trivy will throw an error.

By integrating Trivy into our deployment pipeline, we can
proactively mitigate security risks and enhance the resilience
of our repository.

Fixes hyperledger#1876

Depends On: hyperledger#2865
Depends On: hyperledger#2864
Depends On: hyperledger#2863
Depends On: hyperledger#2862

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
  • Loading branch information
dependabot[bot] authored and zondervancalvez committed Mar 19, 2024
1 parent f90ca06 commit 6c496c3
Showing 1 changed file with 67 additions and 116 deletions.
183 changes: 67 additions & 116 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
---
env:
NODEJS_VERSION: v18.18.2
RUN_TRIVY_SCAN: false
jobs:
ActionLint:
uses: ./.github/workflows/actionlint.yaml
Expand Down Expand Up @@ -1533,7 +1534,7 @@ jobs:
with:
node-version: ${{ env.NODEJS_VERSION }}
- uses: actions/checkout@v4.1.1

- id: yarn-cache
name: Restore Yarn Cache
uses: actions/cache@v4.0.1
Expand All @@ -1543,6 +1544,19 @@ jobs:
restore-keys: |
${{ runner.os }}-yarn-${{ hashFiles('./yarn.lock') }}
- run: ./tools/ci.sh

- name: Build an image from Dockerfile
run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-plugin-ledger-connector-iroha/Dockerfile -t plugin-ledger-connector-iroha
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for plugin-ledger-connector-iroha
uses: aquasecurity/trivy-action@master
with:
image-ref: 'plugin-ledger-connector-iroha'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
cactus-plugin-ledger-connector-iroha2:
continue-on-error: false
needs:
Expand Down Expand Up @@ -1618,7 +1632,7 @@ jobs:
with:
node-version: ${{ env.NODEJS_VERSION }}
- uses: actions/checkout@v4.1.1

- id: yarn-cache
name: Restore Yarn Cache
uses: actions/cache@v4.0.1
Expand All @@ -1628,6 +1642,19 @@ jobs:
restore-keys: |
${{ runner.os }}-yarn-${{ hashFiles('./yarn.lock') }}
- run: ./tools/ci.sh

- name: Build an image from Dockerfile
run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-plugin-ledger-connector-quorum/Dockerfile -t plugin-ledger-connector-quorum
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for plugin-ledger-connector-quorum
uses: aquasecurity/trivy-action@master
with:
image-ref: 'plugin-ledger-connector-quorum'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
cactus-plugin-ledger-connector-sawtooth:
continue-on-error: false
env:
Expand Down Expand Up @@ -1970,7 +1997,7 @@ jobs:
with:
node-version: ${{ env.NODEJS_VERSION }}
- uses: actions/checkout@v4.1.1

- id: yarn-cache
name: Restore Yarn Cache
uses: actions/cache@v4.0.1
Expand Down Expand Up @@ -2095,16 +2122,7 @@ jobs:
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-besu-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile -t cactus-besu-all-in-one
- name: Run Trivy vulnerability scan for cactus-besu-all-in-one
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-besu-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile
ghcr-cmd-api-server:
runs-on: ubuntu-22.04
needs:
Expand All @@ -2114,13 +2132,14 @@ jobs:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-cmd-api-server
run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-cmd-api-server/Dockerfile -t cactus-cmd-api-server
- name: Run Trivy vulnerability scan for cactus-cmd-api-server
uses: aquasecurity/trivy-action@0.11.2
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-cmd-api-server
uses: aquasecurity/trivy-action@master
with:
image-ref: 'cactus-cmd-api-server'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-besu:
Expand All @@ -2132,13 +2151,14 @@ jobs:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-connector-besu
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu/ -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-connector-besu
- name: Run Trivy vulnerability scan for cactus-connector-besu
uses: aquasecurity/trivy-action@0.11.2
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-connector-besu
uses: aquasecurity/trivy-action@master
with:
image-ref: 'cactus-connector-besu'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-corda-server:
Expand All @@ -2151,13 +2171,14 @@ jobs:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-connector-corda-server
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-corda/src/main-server/ -f ./packages/cactus-plugin-ledger-connector-corda/src/main-server/Dockerfile -t cactus-connector-corda-server
- name: Run Trivy vulnerability scan for cactus-connector-corda-server
uses: aquasecurity/trivy-action@0.11.2
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-connector-corda-server
uses: aquasecurity/trivy-action@master
with:
image-ref: 'cactus-connector-corda-server'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-fabric:
Expand All @@ -2170,13 +2191,14 @@ jobs:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-connector-fabric
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-fabric/ -f ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile -t cactus-connector-fabric
- name: Run Trivy vulnerability scan for cactus-connector-fabric
uses: aquasecurity/trivy-action@0.11.2
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-connector-fabric
uses: aquasecurity/trivy-action@master
with:
image-ref: 'cactus-connector-fabric'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-corda-all-in-one:
Expand All @@ -2187,16 +2209,8 @@ jobs:
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-corda-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/Dockerfile -t cactus-corda-all-in-one
- name: Run Trivy vulnerability scan for cactus-corda-all-in-one
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-corda-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/Dockerfile

ghcr-corda-all-in-one-flowdb:
runs-on: ubuntu-22.04
steps:
Expand All @@ -2212,15 +2226,7 @@ jobs:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-corda-all-in-one-obligation
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile -t cactus-corda-all-in-one-obligation
- name: Run Trivy vulnerability scan for cactus-corda-all-in-one-obligation
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-corda-all-in-one-obligation'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

ghcr-dev-container-vscode:
runs-on: ubuntu-22.04
needs:
Expand All @@ -2243,121 +2249,66 @@ jobs:
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-example-carbon-accounting
run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
- name: Run Trivy vulnerability scan for cactus-example-carbon-accounting
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-example-carbon-accounting'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile

ghcr-example-supply-chain-app:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-example-supply-chain-app
run: DOCKER_BUILDKIT=1 docker build . -f ./examples/cactus-example-supply-chain-backend/Dockerfile -t cactus-example-supply-chain-app
- name: Run Trivy vulnerability scan for cactus-example-supply-chain-app
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-example-supply-chain-app'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

ghcr-fabric-all-in-one:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-fabric-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x -t cactus-fabric-all-in-one
- name: Run Trivy vulnerability scan for cactus-fabric-all-in-one
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-fabric-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x

ghcr-fabric2-all-in-one:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-fabric2-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x -t cactus-fabric2-all-in-one
- name: Run Trivy vulnerability scan for cactus-fabric2-all-in-one
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-fabric2-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x

ghcr-iroha-all-in-one:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-iroha-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/iroha-all-in-one/ -f ./tools/docker/iroha-all-in-one/Dockerfile -t cactus-iroha-all-in-one
- name: Run Trivy vulnerability scan for cactus-iroha-all-in-one
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-iroha-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/iroha-all-in-one/ -f ./tools/docker/iroha-all-in-one/Dockerfile

ghcr-keychain-vault-server:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-keychain-vault-server
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/ -f ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile -t cactus-keychain-vault-server
- name: Run Trivy vulnerability scan for cactus-keychain-vault-server
uses: aquasecurity/trivy-action@0.11.2
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-keychain-vault-server
uses: aquasecurity/trivy-action@master
with:
image-ref: 'cactus-keychain-vault-server'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-quorum-all-in-one:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-quorum-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile -t cactus-quorum-all-in-one
- name: Run Trivy vulnerability scan for cactus-quorum-all-in-one
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-quorum-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile

ghcr-quorum-multi-party-all-in-one:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-quorum-multi-party-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-multi-party-all-in-one/ -f ./tools/docker/quorum-multi-party-all-in-one/Dockerfile -t cactus-quorum-multi-party-all-in-one
- name: Run Trivy vulnerability scan for cactus-quorum-multi-party-all-in-one
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'cactus-quorum-multi-party-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

name: Cactus_CI
'on':
pull_request:
Expand All @@ -2368,4 +2319,4 @@ name: Cactus_CI
push:
branches:
- main
- dev
- dev

0 comments on commit 6c496c3

Please sign in to comment.