Skip to content

Commit

Permalink
carbon accounting trivy scan
Browse files Browse the repository at this point in the history
  • Loading branch information
aldousalvarez committed Sep 20, 2023
1 parent b8e8388 commit 46730b0
Show file tree
Hide file tree
Showing 9 changed files with 107 additions and 17 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/.dast-nuclei-cmd-api-server.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -118,7 +118,7 @@ jobs:
with:
build: yarn --version
start: yarn start:api-server
command: "nuclei --config=.nuclei-config.yaml --list=urls.txt --sarif-export ~/nuclei.sarif --output nuclei.log"
command: "nuclei -config=.nuclei-config.yaml --list=urls.txt --sarif-export ~/nuclei.sarif --output nuclei.log"
wait-on: "https://localhost:4000/api/v1/api-server/healthcheck"
# wait for 10 minutes for the server to respond
wait-on-timeout: 120
Expand Down
38 changes: 38 additions & 0 deletions .github/workflows/azure-container-scan.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
name: azure-container-image-scan

on:
push:
pull_request:
# Publish `main` as Docker `latest` image.
branches:
- main

# Publish `v1.2.3` tags as releases.
tags:
- v*


jobs:
build-secure-and-push:
name: Scan cactus-example-carbon-accounting image
runs-on: ubuntu-20.04
steps:
- uses: actions/[email protected]
env:
# (Required) The token to use to make API calls to GitHub.
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

- uses: actions/checkout@v1
- name: Login to DockerHub Registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin


- name: Build Images from Dockerfile
run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting

- uses: Azure/[email protected]
name: Scan image for vulnerabilities
id: container-scan
continue-on-error: true
with:
image-name: cactus-example-carbon-accounting
52 changes: 52 additions & 0 deletions .github/workflows/trivy-container-scan.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
name: trivy-container-image-scan

on:
push:
pull_request:
# Publish `main` as Docker `latest` image.
branches:
- main

# Publish `v1.2.3` tags as releases.
tags:
- v*


jobs:

build:
name: Scan cactus-example-carbon-accounting table image
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
- name: Run Trivy vulnerability scan for cactus-example-carbon-accounting
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-example-carbon-accounting'
format: 'table'
exit-code: '0'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

build2:
name: Scan cactus-example-carbon-accounting json image
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-example-carbon-accounting'
format: 'json'
exit-code: '0'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
2 changes: 1 addition & 1 deletion examples/carbon-accounting/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | b
RUN source ~/.bashrc && \
nvm install 16.15.1 && \
npm install -g yarn && \
yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production
yarn add @hyperledger/cactus-example-carbon-accounting-backend@2.0.0-alpha.1 --ignore-engines --production

SHELL ["/bin/bash", "--login", "-c"]

Expand Down
2 changes: 1 addition & 1 deletion examples/carbon-accounting/supervisord.conf
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log
stdout_logfile=/usr/src/app/log/dockerd.out.log

[program:carbon-accounting-app]
command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
autostart=true
autorestart=unexpected
exitcodes=0
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ import { registerWebServiceEndpoint } from "@hyperledger/cactus-core";
import { PluginKeychainAzureKv } from "../plugin-keychain-azure-kv";

import OAS from "../../json/openapi.json";
import { GetKeychainEntryRequest } from "../generated/openapi/typescript-axios";
import { GetKeychainEntryRequestV1 } from "../generated/openapi/typescript-axios";

export interface IGetKeychainEntryEndpointOptions {
logLevel?: LogLevelDesc;
Expand Down Expand Up @@ -87,7 +87,7 @@ export class GetKeychainEntryEndpoint implements IWebServiceEndpoint {
public async handleRequest(req: Request, res: Response): Promise<void> {
const reqTag = `${this.getVerbLowerCase()} - ${this.getPath()}`;
this.log.debug(reqTag);
const { key } = req.body as GetKeychainEntryRequest;
const { key } = req.body as GetKeychainEntryRequestV1;
try {
const value = await this.options.connector.get(key);
res.json({
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ import { registerWebServiceEndpoint } from "@hyperledger/cactus-core";
import { PluginKeychainAzureKv } from "../plugin-keychain-azure-kv";

import OAS from "../../json/openapi.json";
import { SetKeychainEntryRequest } from "../generated/openapi/typescript-axios";
import { SetKeychainEntryRequestV1 } from "../generated/openapi/typescript-axios";

export interface ISetKeychainEntryEndpointOptions {
logLevel?: LogLevelDesc;
Expand Down Expand Up @@ -88,7 +88,7 @@ export class SetKeychainEntryEndpoint implements IWebServiceEndpoint {
const reqTag = `${this.getVerbLowerCase()} - ${this.getPath()}`;
this.log.debug(reqTag);
try {
const { key, value } = req.body as SetKeychainEntryRequest;
const { key, value } = req.body as SetKeychainEntryRequestV1;
const resBody = await this.options.connector.set(key, value);
res.json(resBody);
} catch (ex) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ import { registerWebServiceEndpoint } from "@hyperledger/cactus-core";

import OAS from "../../json/openapi.json";
import { PluginKeychainVault } from "../plugin-keychain-vault";
import { GetKeychainEntryResponse } from "../generated/openapi/typescript-axios";
import { GetKeychainEntryResponseV1 } from "../generated/openapi/typescript-axios";

export interface IGetKeychainEntryEndpointV1Options {
logLevel?: LogLevelDesc;
Expand Down Expand Up @@ -50,7 +50,7 @@ export class GetKeychainEntryEndpointV1 implements IWebServiceEndpoint {
this.log.debug(`Instantiated ${this.className} OK`);
}

public get oasPath(): typeof OAS.paths["/api/v1/plugins/@hyperledger/cactus-plugin-keychain-vault/get-keychain-entry"] {
public get oasPath(): (typeof OAS.paths)["/api/v1/plugins/@hyperledger/cactus-plugin-keychain-vault/get-keychain-entry"] {
return OAS.paths[
"/api/v1/plugins/@hyperledger/cactus-plugin-keychain-vault/get-keychain-entry"
];
Expand Down Expand Up @@ -94,7 +94,7 @@ export class GetKeychainEntryEndpointV1 implements IWebServiceEndpoint {
try {
this.log.debug(`${tag} %o`, req.body);
const value = await this.plugin.get(req.body.key);
const resBody: GetKeychainEntryResponse = {
const resBody: GetKeychainEntryResponseV1 = {
key: req.body.key,
value: value as string,
};
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,11 @@ import {
import {
Configuration,
DeleteKeychainEntryRequestV1,
GetKeychainEntryRequest,
GetKeychainEntryRequestV1,
HasKeychainEntryRequestV1,
IPluginKeychainVaultOptions,
PluginKeychainVault,
SetKeychainEntryRequest,
SetKeychainEntryRequestV1,
} from "../../../../main/typescript/public-api";

import { DefaultApi as KeychainVaultApi } from "../../../../main/typescript/public-api";
Expand Down Expand Up @@ -138,7 +138,7 @@ test(`${testCase}`, async (t: Test) => {
try {
await apiClient.setKeychainEntryV1({
value: value1,
} as SetKeychainEntryRequest);
} as SetKeychainEntryRequestV1);
} catch (err) {
const e = err as AxiosError<{ path: string }[]>;
t2.equal(
Expand Down Expand Up @@ -174,7 +174,7 @@ test(`${testCase}`, async (t: Test) => {

test(`${testCase} - ${fGet} - ${cWithoutParams}`, async (t2: Test) => {
try {
await apiClient.getKeychainEntryV1({} as GetKeychainEntryRequest);
await apiClient.getKeychainEntryV1({} as GetKeychainEntryRequestV1);
} catch (err) {
const e = err as AxiosError<{ path: string }[]>;
t2.equal(
Expand Down Expand Up @@ -214,7 +214,7 @@ test(`${testCase}`, async (t: Test) => {
key: key1,
value: value1,
fake: 4,
} as SetKeychainEntryRequest);
} as SetKeychainEntryRequestV1);
} catch (err) {
const e = err as AxiosError<{ path: string }[]>;
t2.equal(
Expand Down Expand Up @@ -262,7 +262,7 @@ test(`${testCase}`, async (t: Test) => {
await apiClient.getKeychainEntryV1({
key: key1,
fake: 4,
} as GetKeychainEntryRequest);
} as GetKeychainEntryRequestV1);
} catch (err) {
const e = err as AxiosError<{ path: string }[]>;
t2.equal(
Expand All @@ -286,7 +286,7 @@ test(`${testCase}`, async (t: Test) => {
await apiClient.deleteKeychainEntryV1({
key: key1,
fake: 4,
} as GetKeychainEntryRequest);
} as GetKeychainEntryRequestV1);
} catch (err) {
const e = err as AxiosError;
t2.equal(
Expand Down

0 comments on commit 46730b0

Please sign in to comment.