Skip to content

Commit

Permalink
carbon accounting trivy scan
Browse files Browse the repository at this point in the history
  • Loading branch information
aldousalvarez committed Mar 26, 2024
1 parent e87e577 commit aef71f9
Show file tree
Hide file tree
Showing 6 changed files with 118 additions and 9 deletions.
38 changes: 38 additions & 0 deletions .github/workflows/azure-container-scan.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
name: azure-container-image-scan

on:
push:
pull_request:
# Publish `main` as Docker `latest` image.
branches:
- main

# Publish `v1.2.3` tags as releases.
tags:
- v*


jobs:
build-secure-and-push:
name: Scan cactus-example-carbon-accounting image
runs-on: ubuntu-20.04
steps:
- uses: actions/[email protected]
env:
# (Required) The token to use to make API calls to GitHub.
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

- uses: actions/checkout@v1
- name: Login to DockerHub Registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin


- name: Build Images from Dockerfile
run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting

- uses: Azure/[email protected]
name: Scan image for vulnerabilities
id: container-scan
continue-on-error: true
with:
image-name: cactus-example-carbon-accounting
52 changes: 52 additions & 0 deletions .github/workflows/trivy-container-scan.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
name: trivy-container-image-scan

on:
push:
pull_request:
# Publish `main` as Docker `latest` image.
branches:
- main

# Publish `v1.2.3` tags as releases.
tags:
- v*


jobs:

build:
name: Scan cactus-example-carbon-accounting table image
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
- name: Run Trivy vulnerability scan for cactus-example-carbon-accounting
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-example-carbon-accounting'
format: 'table'
exit-code: '0'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

build2:
name: Scan cactus-example-carbon-accounting json image
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-example-carbon-accounting'
format: 'json'
exit-code: '0'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
Original file line number Diff line number Diff line change
Expand Up @@ -77,12 +77,14 @@
"@types/express": "4.17.19",
"@types/fs-extra": "9.0.13",
"@types/json-stable-stringify": "1.0.34",
"@types/qs": "^6",
"@types/uuid": "9.0.8",
"express-jwt": "8.4.1",
"hardhat": "2.17.2",
"http-status-codes": "2.1.4",
"jose": "4.15.5",
"json-stable-stringify": "1.0.2"
"json-stable-stringify": "1.0.2",
"qs": "6.7.3"
},
"engines": {
"node": ">=18",
Expand Down
15 changes: 8 additions & 7 deletions examples/carbon-accounting/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM cruizba/ubuntu-dind:19.03.11 as runner
FROM cruizba/ubuntu-dind:20.10.18 as runner

USER root

Expand Down Expand Up @@ -33,15 +33,16 @@ WORKDIR ${APP}

SHELL ["/bin/bash", "--login", "-i", "-c"]
# Installing Node Version Manager (nvm)
RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash
ARG NPM_PKG_VERSION="latest"
RUN source ~/.bashrc && \
nvm install 16.15.1 && \
npm install -g yarn && \
yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production

nvm install 20.11.1 && \
npm install --location=global yarn && \
yarn set version 4.1.0 && \
yarn config set nodeLinker node-modules && \
yarn add @hyperledger/cactus-example-carbon-accounting-backend@${NPM_PKG_VERSION} --exact
SHELL ["/bin/bash", "--login", "-c"]


COPY --chown=${APP_USER}:${APP_USER} ./examples/carbon-accounting/healthcheck.sh /

ENV AUTHORIZATION_CONFIG_JSON="{}"
Expand Down
2 changes: 1 addition & 1 deletion examples/carbon-accounting/supervisord.conf
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log
stdout_logfile=/usr/src/app/log/dockerd.out.log

[program:carbon-accounting-app]
command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
autostart=true
autorestart=unexpected
exitcodes=0
Expand Down
16 changes: 16 additions & 0 deletions yarn.lock
Original file line number Diff line number Diff line change
Expand Up @@ -7739,6 +7739,7 @@ __metadata:
"@types/express": "npm:4.17.19"
"@types/fs-extra": "npm:9.0.13"
"@types/json-stable-stringify": "npm:1.0.34"
"@types/qs": "npm:^6"
"@types/uuid": "npm:9.0.8"
async-exit-hook: "npm:2.0.1"
express-jwt: "npm:8.4.1"
Expand All @@ -7749,6 +7750,7 @@ __metadata:
jose: "npm:4.15.5"
json-stable-stringify: "npm:1.0.2"
openapi-types: "npm:12.1.3"
qs: "npm:6.7.3"
typescript-optional: "npm:2.0.1"
uuid: "npm:9.0.1"
web3-core: "npm:1.6.1"
Expand Down Expand Up @@ -15450,6 +15452,13 @@ __metadata:
languageName: node
linkType: hard

"@types/qs@npm:^6":
version: 6.9.10
resolution: "@types/qs@npm:6.9.10"
checksum: 10/3e479ee056bd2b60894baa119d12ecd33f20a25231b836af04654e784c886f28a356477630430152a86fba253da65d7ecd18acffbc2a8877a336e75aa0272c67
languageName: node
linkType: hard

"@types/range-parser@npm:*":
version: 1.2.4
resolution: "@types/range-parser@npm:1.2.4"
Expand Down Expand Up @@ -42533,6 +42542,13 @@ __metadata:
languageName: node
linkType: hard

"qs@npm:6.7.3":
version: 6.7.3
resolution: "qs@npm:6.7.3"
checksum: 10/b299d27f4ac4e47511dc15ff5650bd7a1c07cfbe514190a479b0b3a0d5b401198ff6910371b473e70fbde8e114f1bcba9c64ea52a147053e3b0b554aeb5a41ad
languageName: node
linkType: hard

"qs@npm:^6.11.0, qs@npm:^6.9.4":
version: 6.11.2
resolution: "qs@npm:6.11.2"
Expand Down

0 comments on commit aef71f9

Please sign in to comment.