docs(devcontainer): add trivy and its VSCode Extension

Primary Changes 1) updated trivy version in the .devcontainer file and included AquaSecurityOfficial.trivy-vulnerability-scanner vs-code extension 2) updated trivy version in ci.yaml 3) included AquaSecurityOfficial.trivy-vulnerability-scanner vs-code extension in the .vscode/extensions.json file Fixes #2650 Signed-off-by: ashnashahgrover <as19@williams.edu>
hyperledger-cacti · Jul 22, 2024 · 86a0c08 · 86a0c08
1 parent 603ff0e
commit 86a0c08
Show file tree

Hide file tree

Showing 3 changed files with 101 additions and 6 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -42,7 +42,7 @@
 			"version": "v3.20.3"
 		},
 		"ghcr.io/dhoeric/features/trivy:1.0.0": {
-			"version": "0.49.1"
+			"version": "0.52.1"
 		}
 	},
 	"customizations": {
@@ -62,7 +62,8 @@
 				"eamodio.gitlens",
 				"streetsidesoftware.code-spell-checker",
 				"github.vscode-pull-request-github",
-				"codeandstuff.package-json-upgrade"
+				"codeandstuff.package-json-upgrade",
+				"AquaSecurityOfficial.trivy-vulnerability-scanner"
 			]
 		}
 	},	

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -1975,7 +1975,32 @@ jobs:
         uses: actions/upload-artifact@v4.3.3
         with:
           name: coverage-reports-31
-          path: ./code-coverage-ts/**/
+          path: ./code-coverage-ts/**/ 
+          node-version: ${{ env.NODEJS_VERSION }}
+      - uses: actions/checkout@v4.1.1
+
+      - id: yarn-cache
+        name: Restore Yarn Cache
+        uses: actions/cache@v4.0.1
+        with:
+          key: ${{ runner.os }}-yarn-${{ hashFiles('./yarn.lock') }}
+          path: ./.yarn/
+          restore-keys: |
+            ${{ runner.os }}-yarn-${{ hashFiles('./yarn.lock') }}
+      - run: ./tools/ci.sh
+
+      - name: Build an image from Dockerfile
+        run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-plugin-ledger-connector-quorum/Dockerfile -t plugin-ledger-connector-quorum
+      - if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
+        name: Run Trivy vulnerability scan for plugin-ledger-connector-quorum
+        uses: aquasecurity/trivy-action@0.52.1
+        with:
+          image-ref: 'plugin-ledger-connector-quorum'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: false
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
   cplc-sawtooth:
     continue-on-error: false
     env:
@@ -2565,6 +2590,44 @@ jobs:
       - uses: actions/checkout@v4.1.1
       - name: ghcr.io/hyperledger/cactus-besu-all-in-one
         run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile
+  ghcr-cmd-api-server:
+    runs-on: ubuntu-22.04
+    needs:
+      - compute_changed_packages
+    if: needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true'
+    steps:
+      - uses: actions/checkout@v4.1.1
+      - name: ghcr.io/hyperledger/cactus-cmd-api-server
+        run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-cmd-api-server/Dockerfile -t cactus-cmd-api-server
+      - if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
+        name: Run Trivy vulnerability scan for cactus-cmd-api-server
+        uses: aquasecurity/trivy-action@0.52.1
+        with:
+          image-ref: 'cactus-cmd-api-server'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: false
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+  ghcr-connector-besu:
+    needs:
+      - compute_changed_packages
+    if: needs.compute_changed_packages.outputs.plugin-ledger-connector-besu-changed == 'true'
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4.1.1
+      - name: ghcr.io/hyperledger/cactus-connector-besu
+        run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu/ -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-connector-besu
+      - if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
+        name: Run Trivy vulnerability scan for cactus-connector-besu
+        uses: aquasecurity/trivy-action@0.52.1
+        with:
+          image-ref: 'cactus-connector-besu'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: false
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
   ghcr-connector-corda-server:
     runs-on: ubuntu-22.04
     needs:
@@ -2577,14 +2640,44 @@ jobs:
         run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-corda/src/main-server/ -f ./packages/cactus-plugin-ledger-connector-corda/src/main-server/Dockerfile -t cactus-connector-corda-server
       - if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
         name: Run Trivy vulnerability scan for cactus-connector-corda-server
-        uses: aquasecurity/trivy-action@0.19.0
+        uses: aquasecurity/trivy-action@0.52.1
         with:
           image-ref: 'cactus-connector-corda-server'
           format: 'table'
           exit-code: '1'
           ignore-unfixed: false
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH'
+  ghcr-connector-fabric:
+    runs-on: ubuntu-22.04
+    needs:
+      - compute_changed_packages
+    if: needs.compute_changed_packages.outputs.plugin-ledger-connector-fabric-changed == 'true'
+
+    steps:
+      - uses: actions/checkout@v4.1.1
+      - name: ghcr.io/hyperledger/cactus-connector-fabric
+        run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-fabric/ -f ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile -t cactus-connector-fabric
+      - if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
+        name: Run Trivy vulnerability scan for cactus-connector-fabric
+        uses: aquasecurity/trivy-action@0.52.1
+        with:
+          image-ref: 'cactus-connector-fabric'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: false
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+  ghcr-corda-all-in-one:
+    runs-on: ubuntu-22.04
+    needs:
+      - compute_changed_packages
+    if: needs.compute_changed_packages.outputs.ghcr-corda-all-in-one-changed == 'true'
+    steps:
+      - uses: actions/checkout@v4.1.1
+      - name: ghcr.io/hyperledger/cactus-corda-all-in-one
+        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/Dockerfile
+
   ghcr-corda-all-in-one-flowdb:
     runs-on: ubuntu-22.04
     steps:
@@ -2638,7 +2731,7 @@ jobs:
         run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/ -f ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile -t cactus-keychain-vault-server
       - if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
         name: Run Trivy vulnerability scan for cactus-keychain-vault-server
-        uses: aquasecurity/trivy-action@0.19.0
+        uses: aquasecurity/trivy-action@0.52.1
         with:
           image-ref: 'cactus-keychain-vault-server'
           format: 'table'

diff --git a/.vscode/extensions.json b/.vscode/extensions.json
@@ -14,6 +14,7 @@
       "eamodio.gitlens",
       "streetsidesoftware.code-spell-checker",
       "github.vscode-pull-request-github",
-      "codeandstuff.package-json-upgrade"
+      "codeandstuff.package-json-upgrade",
+      "AquaSecurityOfficial.trivy-vulnerability-scanner"
     ]
   }