carbon accounting trivy scan

aldousalvarez · Nov 20, 2023 · 6bb3c28 · 6bb3c28
1 parent 0af2eb1
commit 6bb3c28
Show file tree

Hide file tree

Showing 7 changed files with 112 additions and 6 deletions.
diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml
@@ -0,0 +1,38 @@
+name: azure-container-image-scan
+
+on:
+  push:
+  pull_request:
+    # Publish `main` as Docker `latest` image.
+    branches:
+      - main
+
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+
+
+jobs:
+ build-secure-and-push:
+    name: Scan cactus-example-carbon-accounting image
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2.4.0
+      env:
+          # (Required) The token to use to make API calls to GitHub.
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+    - uses: actions/checkout@v1
+    - name: Login to DockerHub Registry
+      run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+
+    - name: Build Images from Dockerfile
+      run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting
+
+    - uses: Azure/container-scan@v0.1
+      name: Scan image for vulnerabilities
+      id: container-scan
+      continue-on-error: true
+      with:
+       image-name: cactus-example-carbon-accounting
diff --git a/.github/workflows/trivy-container-scan.yaml b/.github/workflows/trivy-container-scan.yaml
@@ -0,0 +1,52 @@
+name: trivy-container-image-scan
+
+on:
+  push:
+  pull_request:
+    # Publish `main` as Docker `latest` image.
+    branches:
+      - main
+
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+
+
+jobs:
+
+  build:
+    name: Scan cactus-example-carbon-accounting table image
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build an image from Dockerfile
+        run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+      - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting
+        uses: aquasecurity/trivy-action@0.11.2
+        with:
+          image-ref: 'cactus-example-carbon-accounting'
+          format: 'table'
+          exit-code: '0'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+  build2:
+    name: Scan cactus-example-carbon-accounting json image
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build an image from Dockerfile
+        run: |
+          DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.11.2
+        with:
+          image-ref: 'cactus-example-carbon-accounting'
+          format: 'json'
+          exit-code: '0'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
diff --git a/examples/cactus-example-carbon-accounting-backend/package.json b/examples/cactus-example-carbon-accounting-backend/package.json
@@ -76,10 +76,12 @@
   "devDependencies": {
     "@types/express": "4.17.19",
     "@types/fs-extra": "9.0.13",
+    "@types/http-cache-semantics": "^4",
     "@types/json-stable-stringify": "1.0.34",
     "@types/uuid": "8.3.4",
     "express-jwt": "8.4.1",
     "hardhat": "2.17.2",
+    "http-cache-semantics": "4.1.1",
     "http-status-codes": "2.1.4",
     "jose": "4.9.2",
     "json-stable-stringify": "1.0.2"

diff --git a/examples/carbon-accounting/Dockerfile b/examples/carbon-accounting/Dockerfile
@@ -33,11 +33,12 @@ WORKDIR ${APP}
 
 SHELL ["/bin/bash", "--login", "-i", "-c"]
 # Installing Node Version Manager (nvm)
-RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
-RUN source ~/.bashrc && \
+RUN curl https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \
+    && source ~/.bashrc && \
     nvm install 16.15.1 && \
-    npm install -g yarn && \
-    yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production
+    npm install --location=global yarn && \
+    npm install -g npm@10.2.4 && \
+    yarn add @hyperledger/cactus-example-carbon-accounting-backend@2.0.0-dev.94
 
 SHELL ["/bin/bash", "--login", "-c"]
 

diff --git a/examples/carbon-accounting/supervisord.conf b/examples/carbon-accounting/supervisord.conf
@@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log
 stdout_logfile=/usr/src/app/log/dockerd.out.log
 
 [program:carbon-accounting-app]
-command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
+command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
 autostart=true
 autorestart=unexpected
 exitcodes=0

diff --git a/package.json b/package.json
@@ -112,6 +112,7 @@
     "@openapitools/openapi-generator-cli": "2.7.0",
     "@types/adm-zip": "0.5.0",
     "@types/fs-extra": "9.0.13",
+    "@types/http-cache-semantics": "^4",
     "@types/jest": "29.5.3",
     "@types/node": "16.18.41",
     "@types/node-fetch": "2.6.4",
@@ -145,6 +146,7 @@
     "google-protobuf": "3.21.2",
     "grpc-tools": "1.12.4",
     "grpc_tools_node_protoc_ts": "5.3.3",
+    "http-cache-semantics": "4.1.1",
     "husky": "7.0.4",
     "inquirer": "8.2.6",
     "jest": "29.6.2",

diff --git a/yarn.lock b/yarn.lock
@@ -6847,13 +6847,15 @@ __metadata:
     "@openzeppelin/contracts-upgradeable": 4.9.3
     "@types/express": 4.17.19
     "@types/fs-extra": 9.0.13
+    "@types/http-cache-semantics": ^4
     "@types/json-stable-stringify": 1.0.34
     "@types/uuid": 8.3.4
     async-exit-hook: 2.0.1
     express-jwt: 8.4.1
     fabric-network: 2.2.19
     fs-extra: 10.1.0
     hardhat: 2.17.2
+    http-cache-semantics: 4.1.1
     http-status-codes: 2.1.4
     jose: 4.9.2
     json-stable-stringify: 1.0.2
@@ -7812,7 +7814,7 @@ __metadata:
     "@hyperledger/cactus-test-tooling": 2.0.0-alpha.2
     "@types/express": 4.17.20
     "@types/uuid": 9.0.6
-    axios: 1.5.1
+    axios: 1.6.0
     body-parser: 1.20.2
     cbor: 9.0.1
     express: 4.18.2
@@ -8322,6 +8324,7 @@ __metadata:
     "@openapitools/openapi-generator-cli": 2.7.0
     "@types/adm-zip": 0.5.0
     "@types/fs-extra": 9.0.13
+    "@types/http-cache-semantics": ^4
     "@types/jest": 29.5.3
     "@types/node": 16.18.41
     "@types/node-fetch": 2.6.4
@@ -8355,6 +8358,7 @@ __metadata:
     google-protobuf: 3.21.2
     grpc-tools: 1.12.4
     grpc_tools_node_protoc_ts: 5.3.3
+    http-cache-semantics: 4.1.1
     husky: 7.0.4
     inquirer: 8.2.6
     jest: 29.6.2
@@ -12905,6 +12909,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/http-cache-semantics@npm:^4":
+  version: 4.0.4
+  resolution: "@types/http-cache-semantics@npm:4.0.4"
+  checksum: 7f4dd832e618bc1e271be49717d7b4066d77c2d4eed5b81198eb987e532bb3e1c7e02f45d77918185bad936f884b700c10cebe06305f50400f382ab75055f9e8
+  languageName: node
+  linkType: hard
+
 "@types/http-cache-semantics@npm:^4.0.1":
   version: 4.0.1
   resolution: "@types/http-cache-semantics@npm:4.0.1"