From 6bb3c282415e32131ce3027c29b42e6074c96e89 Mon Sep 17 00:00:00 2001
From: aldousalvarez
Date: Thu, 21 Sep 2023 14:41:08 +0800
Subject: [PATCH] carbon accounting trivy scan
---
 .github/workflows/azure-container-scan.yaml | 38 ++++++++++++++
 .github/workflows/trivy-container-scan.yaml | 52 +++++++++++++++++++
 .../package.json | 2 +
 examples/carbon-accounting/Dockerfile | 9 ++--
 examples/carbon-accounting/supervisord.conf | 2 +-
 package.json | 2 +
 yarn.lock | 13 ++++-
 7 files changed, 112 insertions(+), 6 deletions(-)
 create mode 100644 .github/workflows/azure-container-scan.yaml
 create mode 100644 .github/workflows/trivy-container-scan.yaml
diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml
new file mode 100644
index 0000000000..1ad619520a
--- /dev/null
+++ b/.github/workflows/azure-container-scan.yaml
@@ -0,0 +1,38 @@
+name: azure-container-image-scan
+
+on:
+ push:
+ pull_request:
+ # Publish `main` as Docker `latest` image.
+ branches:
+ - main
+
+ # Publish `v1.2.3` tags as releases.
+ tags:
+ - v*
+
+
+jobs:
+ build-secure-and-push:
+ name: Scan cactus-example-carbon-accounting image
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v2.4.0
+ env:
+ # (Required) The token to use to make API calls to GitHub.
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+ - uses: actions/checkout@v1
+ - name: Login to DockerHub Registry
+ run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+
+ - name: Build Images from Dockerfile
+ run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting
+
+ - uses: Azure/container-scan@v0.1
+ name: Scan image for vulnerabilities
+ id: container-scan
+ continue-on-error: true
+ with:
+ image-name: cactus-example-carbon-accounting
\ No newline at end of file
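Review bot: The `Login to DockerHub Registry` step is dead weight and a needless use of a credential: the job only builds the image locally and hands it to the scanner, never pushes, so there is nothing for `docker login ghcr.io` to do, and running it with `secrets.GITHUB_TOKEN` on every `pull_request` event exercises the token for no benefit — drop the step, or gate it with `if: github.event_name == 'push'` once a push step actually exists. The duplicate `- uses: actions/checkout@v1` that follows `actions/checkout@v2.4.0` should go too; one pinned checkout is enough, and the `GITHUB_TOKEN` env on the first checkout does not appear to be read by that action. `continue-on-error: true` on the scan step means findings never fail the job, so this workflow is advisory only — fine as a first step, but worth saying in a comment such as `# advisory: findings are reported, not enforced`. The `# Publish ... as Docker latest image` / `# Publish ... tags as releases` comments were carried over from a publish workflow and no longer describe what these triggers do; if `branches`/`tags` are nested under `pull_request` as the collapsed text suggests, note that `tags` filters apply to `push` events only.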
diff --git a/.github/workflows/trivy-container-scan.yaml b/.github/workflows/trivy-container-scan.yaml
new file mode 100644
index 0000000000..ced5b34198
--- /dev/null
+++ b/.github/workflows/trivy-container-scan.yaml
@@ -0,0 +1,52 @@
+name: trivy-container-image-scan
+
+on:
+ push:
+ pull_request:
+ # Publish `main` as Docker `latest` image.
+ branches:
+ - main
+
+ # Publish `v1.2.3` tags as releases.
+ tags:
+ - v*
+
+
+jobs:
+
+ build:
+ name: Scan cactus-example-carbon-accounting table image
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Build an image from Dockerfile
+ run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+ - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting
+ uses: aquasecurity/trivy-action@0.11.2
+ with:
+ image-ref: 'cactus-example-carbon-accounting'
+ format: 'table'
+ exit-code: '0'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
+ build2:
+ name: Scan cactus-example-carbon-accounting json image
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Build an image from Dockerfile
+ run: |
+ DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.11.2
+ with:
+ image-ref: 'cactus-example-carbon-accounting'
+ format: 'json'
+ exit-code: '0'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
\ No newline at end of file
diff --git a/examples/cactus-example-carbon-accounting-backend/package.json b/examples/cactus-example-carbon-accounting-backend/package.json
index 8a4056de1e..51b1225d1c 100644
--- a/examples/cactus-example-carbon-accounting-backend/package.json
+++ b/examples/cactus-example-carbon-accounting-backend/package.json
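Review bot: The `build2` job rebuilds the identical image only to print the JSON report to the job log, where nothing consumes it — no line in the hunk writes the report to a file or uploads it. Either drop `build2` and keep the table output, or give it a purpose: add `output: 'trivy-results.json'` under `with:` and follow the scan with an `actions/upload-artifact` step (`if: always()`) for that file, or switch it to `format: 'sarif'` and upload the file with `github/codeql-action/upload-sarif` so findings reach the repository's Security tab. With `exit-code: '0'` in both jobs the scan never fails a build, so this is advisory only; once the CRITICAL,HIGH baseline is clean, consider `exit-code: '1'` on the `pull_request` path so regressions block merges. `actions/checkout@v2` is also unpinned and a generation behind the `@v2.4.0` used in the sibling azure workflow; pin both to the same version.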
@@ -76,10 +76,12 @@ "devDependencies": { "@types/express": "4.17.19", "@types/fs-extra": "9.0.13", + "@types/http-cache-semantics": "^4", "@types/json-stable-stringify": "1.0.34", "@types/uuid": "8.3.4", "express-jwt": "8.4.1", "hardhat": "2.17.2", + "http-cache-semantics": "4.1.1", "http-status-codes": "2.1.4", "jose": "4.9.2", "json-stable-stringify": "1.0.2" diff --git a/examples/carbon-accounting/Dockerfile b/examples/carbon-accounting/Dockerfile index 89c203dbe5..e955c0bfa0 100644 --- a/examples/carbon-accounting/Dockerfile +++ b/examples/carbon-accounting/Dockerfile @@ -33,11 +33,12 @@ WORKDIR ${APP} SHELL ["/bin/bash", "--login", "-i", "-c"] # Installing Node Version Manager (nvm) -RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash -RUN source ~/.bashrc && \ +RUN curl https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \ + && source ~/.bashrc && \ nvm install 16.15.1 && \ - npm install -g yarn && \ - yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production + npm install --location=global yarn && \ + npm install -g npm@10.2.4 && \ + yarn add @hyperledger/cactus-example-carbon-accounting-backend@2.0.0-dev.94 SHELL ["/bin/bash", "--login", "-c"] diff --git a/examples/carbon-accounting/supervisord.conf b/examples/carbon-accounting/supervisord.conf index f4349a038c..e21c123a9c 100644 --- a/examples/carbon-accounting/supervisord.conf +++ b/examples/carbon-accounting/supervisord.conf 
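Review bot: `"@types/http-cache-semantics": "^4"` is the only caret range in a devDependencies block where every other entry is an exact pin (the root `package.json` hunk repeats it); pin it, e.g. `"@types/http-cache-semantics": "4.0.4"`, the version the lockfile resolves it to, to keep the file's convention. Adding `http-cache-semantics` as a direct devDependency presumably aims to force the patched `4.1.1` onto the tree for the new image scan, but a direct dependency does not replace the copies other packages pull in transitively — the yarn.lock hunk shows exactly that for the types, where the new `^4` → 4.0.4 entry sits next to the surviving `^4.0.1` → 4.0.1 one. If the goal is to override the transitive version, the root `package.json` `resolutions` field is the tool for that, e.g. `"resolutions": { "http-cache-semantics": "4.1.1" }`, and the direct devDependency can be dropped unless the backend code imports it. The yarn.lock also bumps `axios: 1.5.1` → `1.6.0` for an entry that appears to belong to a workspace whose package.json is not part of this commit, which suggests the lockfile was regenerated against a different tree; confirm `yarn install --immutable` passes on this exact changeset.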
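Review bot: The nvm installer is still piped straight into `bash` with no failure or integrity check — `curl` without `-f` will feed an HTML error page to `bash` on a 4xx/5xx response, and the `v0.39.5` tag is a mutable ref, so the image's toolchain bootstrap is trusted on name alone. At minimum use `curl -fsSL …`; better, download `install.sh` to a file, verify it against a pinned digest, then run it: `curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh -o /tmp/nvm-install.sh && echo "<sha256-of-install.sh>  /tmp/nvm-install.sh" | sha256sum -c - && bash /tmp/nvm-install.sh` (the digest is a placeholder to be filled in from a verified download). Separately, the rewritten `yarn add` line drops `--production` (and `--ignore-engines`), so the backend's devDependencies now land in the runtime image — confirm that is intended, since it widens both the image's attack surface and the package set the new trivy scan will report on. `npm install -g npm@10.2.4` on Node 16.15.1 is also likely outside npm 10's supported engine range; check the build log for an EBADENGINE warning and either keep the npm bundled with Node 16 or move to a Node release npm 10 supports.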
@@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log stdout_logfile=/usr/src/app/log/dockerd.out.log [program:carbon-accounting-app] -command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js +command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js autostart=true autorestart=unexpected exitcodes=0 diff --git a/package.json b/package.json index c8fb103e19..a6f01deefe 100644 --- a/package.json +++ b/package.json @@ -112,6 +112,7 @@ "@openapitools/openapi-generator-cli": "2.7.0", "@types/adm-zip": "0.5.0", "@types/fs-extra": "9.0.13", + "@types/http-cache-semantics": "^4", "@types/jest": "29.5.3", "@types/node": "16.18.41", "@types/node-fetch": "2.6.4", @@ -145,6 +146,7 @@ "google-protobuf": "3.21.2", "grpc-tools": "1.12.4", "grpc_tools_node_protoc_ts": "5.3.3", + "http-cache-semantics": "4.1.1", "husky": "7.0.4", "inquirer": "8.2.6", "jest": "29.6.2", diff --git a/yarn.lock b/yarn.lock index 3e81a4e1d8..cd9395b5b6 100644 --- a/yarn.lock +++ b/yarn.lock @@ -6847,6 +6847,7 @@ __metadata: "@openzeppelin/contracts-upgradeable": 4.9.3 "@types/express": 4.17.19 "@types/fs-extra": 9.0.13 + "@types/http-cache-semantics": ^4 "@types/json-stable-stringify": 1.0.34 "@types/uuid": 8.3.4 async-exit-hook: 2.0.1 @@ -6854,6 +6855,7 @@ __metadata: fabric-network: 2.2.19 fs-extra: 10.1.0 hardhat: 2.17.2 + http-cache-semantics: 4.1.1 http-status-codes: 2.1.4 jose: 4.9.2 json-stable-stringify: 1.0.2 @@ -7812,7 +7814,7 @@ __metadata: "@hyperledger/cactus-test-tooling": 2.0.0-alpha.2 "@types/express": 4.17.20 "@types/uuid": 9.0.6 - axios: 1.5.1 + axios: 1.6.0 body-parser: 1.20.2 cbor: 9.0.1 express: 4.18.2 
@@ -8322,6 +8324,7 @@ __metadata: "@openapitools/openapi-generator-cli": 2.7.0 "@types/adm-zip": 0.5.0 "@types/fs-extra": 9.0.13 + "@types/http-cache-semantics": ^4 "@types/jest": 29.5.3 "@types/node": 16.18.41 "@types/node-fetch": 2.6.4 @@ -8355,6 +8358,7 @@ __metadata: google-protobuf: 3.21.2 grpc-tools: 1.12.4 grpc_tools_node_protoc_ts: 5.3.3 + http-cache-semantics: 4.1.1 husky: 7.0.4 inquirer: 8.2.6 jest: 29.6.2 @@ -12905,6 +12909,13 @@ __metadata: languageName: node linkType: hard +"@types/http-cache-semantics@npm:^4": + version: 4.0.4 + resolution: "@types/http-cache-semantics@npm:4.0.4" + checksum: 7f4dd832e618bc1e271be49717d7b4066d77c2d4eed5b81198eb987e532bb3e1c7e02f45d77918185bad936f884b700c10cebe06305f50400f382ab75055f9e8 + languageName: node + linkType: hard + "@types/http-cache-semantics@npm:^4.0.1": version: 4.0.1 resolution: "@types/http-cache-semantics@npm:4.0.1"