ci: add container scanning to default checks

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
hyperledger-cacti · May 5, 2022 · 78a4c09 · 78a4c09
1 parent 865ec2f
commit 78a4c09
Show file tree

Hide file tree

Showing 2 changed files with 107 additions and 0 deletions.
diff --git a/.github/containerscan/allowedlist.yaml b/.github/containerscan/allowedlist.yaml
@@ -0,0 +1,25 @@
+general:
+  vulnerabilities:
+    - CVE-2003-1307
+    - CVE-2007-0086
+    - CVE-2019-3462
+    - CVE-2011-3374
+    - CVE-2022-24771
+    - CVE-2022-24772
+    - CVE-2021-32803
+    - CVE-2021-32804
+    - CVE-2021-37701
+    - CVE-2021-37712
+    - CVE-2021-37713
+    - CVE-2019-10773
+    - CVE-2020-8131
+    - CVE-2021-43138
+    - CVE-2022-22143  
+  bestPracticeViolations:
+    - DKL-LI-0003
+    - CIS-DI-0006
+    - DKL-DI-0006
+    - CIS-DI-0010 
+    - CIS-DI-0001
+    - DKL-DI-0005
+    - CIS-DI-0008 
diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml
@@ -0,0 +1,82 @@
+name: azure-container-image-scan
+
+on:
+  push:
+  pull_request:
+    # Publish `main` as Docker `latest` image.
+    branches:
+      - main
+
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+
+jobs:
+ build-secure-and-push:
+    name: My first job
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+      env:
+          # (Required) The token to use to make API calls to GitHub.
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+    - uses: actions/checkout@v1
+    - name: Login to DockerHub Registry
+      run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+
+    - name: Build Images from Dockerfile
+      run: DOCKER_BUILDKIT=1 docker build -f ./whitepaper/Dockerfile -t cactus-whitepaper .
+
+    - uses: Azure/container-scan@v0.1
+      name: Scan image for vulnerabilities
+      id: container-scan
+      continue-on-error: true
+      with:
+       image-name: cactus-cmd-api-server
+
+ build-secure-and-push-2:
+    name: My second job
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+      env:
+          # (Required) The token to use to make API calls to GitHub.
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+    - uses: actions/checkout@v1
+    - name: Login to DockerHub Registry
+      run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+
+    - name: Build Images from Dockerfile
+      run: DOCKER_BUILDKIT=1 docker build -f ./whitepaper/Dockerfile -t cactus-whitepaper .
+
+    - uses: Azure/container-scan@v0.1
+      name: Scan image for vulnerabilities
+      id: container-scan
+      continue-on-error: true
+      with:
+       image-name: cactus-whitepaper
+
+
+   # - name: Run Trivy vulnerability scanner
+  #    uses: aquasecurity/trivy-action@master
+  #    with:
+ #         image-name: ./cactus-cmd-api-server
+     #     ignore-unfixed: true;  
+
+
+    # - name: Run Trivy vulnerability scanner
+    #   uses: aquasecurity/trivy-action@master
+    #   with:
+    #     scan-ref: '.github/workflows/*-publish.yaml'
+    #     ignore-unfixed: true
+
+    # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin export
+
+    # - uses: Azure/container-scan@v0.1
+    #   with:
+    #     image-name: cactus-test-npm-registry
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin