From e0193b3608fff16eb03d76ce41c64a827f2ddd00 Mon Sep 17 00:00:00 2001 From: aldousalvarez Date: Wed, 11 Jan 2023 20:42:11 +0800 Subject: [PATCH] fix(security): vulnerabilities found in keychain-vault-server Fixes #2058 Signed-off-by: aldousalvarez --- .github/containerscan/allowedlist.yaml | 4 +- .github/workflows/azure-container-scan.yaml | 38 +++++++++++++++++++ .../cactus-keychain-vault-server/Dockerfile | 2 +- 3 files changed, 41 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/azure-container-scan.yaml diff --git a/.github/containerscan/allowedlist.yaml b/.github/containerscan/allowedlist.yaml index ecb29320e93..f64bc375945 100644 --- a/.github/containerscan/allowedlist.yaml +++ b/.github/containerscan/allowedlist.yaml @@ -2,5 +2,5 @@ general: vulnerabilities: #besu-all-in-one - -CVE-2022-37734 - -CVE-2022-25857 + - CVE-2022-37734 + - CVE-2022-25857 diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml new file mode 100644 index 00000000000..aa693d3396f --- /dev/null +++ b/.github/workflows/azure-container-scan.yaml 
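Review bot: The allowlist now suppresses CVE-2022-37734 and CVE-2022-25857 with nothing but `#besu-all-in-one` as justification, so the waiver has no stated reason, owner or expiry and will silently outlive the image it was added for. Note also that this `general:` block is the global allowlist for every image scanned with the action, so — if that is how the scanner reads it — a CVE waived for the besu image is also waived for the keychain-vault-server image this commit is about. Replace the bare comment with one that records the decision, e.g. `# besu-all-in-one: not reachable in our usage; re-check when the base image is next bumped (added 2023-01)`, and consider a per-image allowlist if the action supports one.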
@@ -0,0 +1,38 @@ +name: azure-container-image-scan + +on: + push: + pull_request: + # Publish `main` as Docker `latest` image. + branches: + - main + + # Publish `v1.2.3` tags as releases. + tags: + - v* + + +jobs: + build-secure-and-push: + name: Scan cactus-keychain-vault-server image + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2.4.0 + env: + # (Required) The token to use to make API calls to GitHub. + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + + - uses: actions/checkout@v1 + - name: Login to DockerHub Registry + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + + + - name: Build Images from Dockerfile + run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/ -f ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile -t cactus-keychain-vault-server + + - uses: Azure/container-scan@v0.1 + name: Scan image for vulnerabilities + id: container-scan + continue-on-error: true + with: + image-name: cactus-keychain-vault-server \ No newline at end of file diff --git a/packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile b/packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile index 11a3c85a37b..28404938baa 100644 --- a/packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile +++ b/packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile @@ -1,4 +1,4 @@ -FROM rust:1.63.0 as builder +FROM rust:1.66.0 as builder WORKDIR / RUN USER=root cargo new --bin cactus-keychain-vault-server
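Review bot: `continue-on-error: true` on the `Azure/container-scan@v0.1` step means a scan that finds vulnerabilities never fails the job, so the workflow added to close the security issue cannot actually block a vulnerable image; drop that line (or fail explicitly on the step's result) so the gate has teeth. The `Login to DockerHub Registry` step is misnamed — it logs into ghcr.io with `GITHUB_TOKEN` — and nothing in the job pushes, so that step and the second `actions/checkout@v1` (checkout already ran at `v2.4.0`; the `GITHUB_TOKEN` env on it is not an input checkout reads) can be removed, which also stops interpolating `${{ github.actor }}` straight into a shell line. Since the job only reads the repository, add `permissions:` / `  contents: read` at the workflow level so the default token is not granted write scopes, and pin the three actions to commit SHAs rather than mutable tags. Separately, to my reading of the events reference `tags: - v*` is a `push`-only filter and is not honoured under `pull_request`, while the bare `push:` trigger runs on every branch, so the two "Publish …" comments do not describe what these triggers do.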