Skip to content

Commit

Permalink
ci: add container scanning to default checks
Browse files Browse the repository at this point in the history 
Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <[email protected]>
  • Loading branch information
@zondervancalvez
zondervancalvez committed Aug 7, 2023
1 parent 2aeecb2 commit 01ea551
Showing 1 changed file with 110 additions and 0 deletions.
110 changes: 110 additions & 0 deletions .github/workflows/trivy-container-scan.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
name: trivy-container-image-scan

on:
push:
pull_request:
# Publish `main` as Docker `latest` image.
branches:
- main

# Publish `v1.2.3` tags as releases.
tags:
- v*


jobs:

build:
name: Scan cactus-corda-4-7-all-in-one-obligation image
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/Dockerfile -t cactus-corda-4-7-all-in-one-obligation
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-corda-4-7-all-in-one-obligation'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

build2:
name: Scan cactus-example-carbon-accounting image
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-example-carbon-accounting'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

build3:
name: Scan cactus-rust-compiler image
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
DOCKER_BUILDKIT=1 docker build ./tools/docker/rust-compiler/ -f ./tools/docker/rust-compiler/Dockerfile -t cactus-rust-compiler
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-rust-compiler'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

build4:
name: Scan cactus-corda-4-8-all-in-one-obligation image
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile -t cactus-corda-4-8-all-in-one-obligation
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-corda-4-8-all-in-one-obligation'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

build5:
name: Scan cactus-keychain-vault-server image
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/ -f ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile -t cactus-keychain-vault-server
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-keychain-vault-server'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

0 comments on commit 01ea551

Please sign in to comment.