Skip to content

Commit

Permalink
ci: add container scanning to default checks
Browse files Browse the repository at this point in the history 
Trivy is a cutting-edge security tool designed to enhance
the safety of containerized applications by conducting thorough
vulnerability assessments. Specifically developed for scanning
container images, ranging from low-severity issues to critical
threats. It employs an intelligent rating system to categorize
vulnerabilities based on their severity levels, ensuring that
high to critical vulnerabilities are given special attention.
Upon detecting vulnerabilities that fall within this elevated
range, Trivy will throw an error.

By integrating Trivy into our deployment pipeline, we can
proactively mitigate security risks and enhance the resilience
of our repository.

Fixes hyperledger#1876

Depends On: hyperledger#2865
Depends On: hyperledger#2864
Depends On: hyperledger#2863
Depends On: hyperledger#2862

Signed-off-by: zondervancalvez <[email protected]>
  • Loading branch information
@dependabot @zondervancalvez
dependabot[bot] authored and zondervancalvez committed Feb 28, 2024
1 parent f57ab70 commit 043d86c
Showing 1 changed file with 67 additions and 132 deletions.
199 changes: 67 additions & 132 deletions .github/workflows/ci.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
---
env:
NODEJS_VERSION: v18.18.2
RUN_TRIVY_SCAN: true
jobs:
ActionLint:
uses: ./.github/workflows/actionlint.yaml
Expand Down Expand Up @@ -1504,7 +1505,17 @@ jobs:
with:
node-version: ${{ env.NODEJS_VERSION }}
- uses: actions/[email protected]

- name: Build an image from Dockerfile
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-iroha/ -f ./packages/cactus-plugin-ledger-connector-iroha/Dockerfile -t cactus-connector-iroha
- name: Run Trivy vulnerability scan for cactus-plugin-ledger-connector-iroha
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-connector-iroha'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- id: yarn-cache
name: Restore Yarn Cache
uses: actions/[email protected]
Expand All @@ -1523,7 +1534,9 @@ jobs:
TAPE_TEST_PATTERN: >-
--files={./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/integration/iroha-iroha-transfer-example.test.ts,./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/integration/openapi/openapi-validation.test.ts,./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/integration/run-transaction-endpoint-v1.test.ts,./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/unit/iroha-test-ledger-parameters.test.ts,./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/unit/postgres-test-container-parameters.test.ts}
TAPE_TEST_RUNNER_DISABLED: false
needs: build-dev
needs:
- build-dev
if: ${{ env.RUN_TRIVY_SCAN }} == 'true'
runs-on: ubuntu-20.04
steps:
- name: Use Node.js ${{ env.NODEJS_VERSION }}
Expand Down Expand Up @@ -1559,7 +1572,17 @@ jobs:
with:
node-version: ${{ env.NODEJS_VERSION }}
- uses: actions/[email protected]

- name: Build an image from Dockerfile
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-quorum/ -f ./packages/cactus-plugin-ledger-connector-quorum/Dockerfile -t cactus-connector-quorum
- name: Run Trivy vulnerability scan for cactus-plugin-ledger-connector-quorum
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-connector-quorum'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- id: yarn-cache
name: Restore Yarn Cache
uses: actions/[email protected]
Expand Down Expand Up @@ -1600,8 +1623,9 @@ jobs:
continue-on-error: false
needs:
- build-dev
- compute_changed_packages
if: needs.compute_changed_packages.outputs.plugin-ledger-connector-quorum-changed == 'true'
if: |
needs.compute_changed_packages.outputs.plugin-ledger-connector-quorum-changed == 'true'
&& ${{ env.RUN_TRIVY_SCAN }} == 'true'
env:
FULL_BUILD_DISABLED: true
JEST_TEST_PATTERN: packages/cactus-plugin-ledger-connector-quorum/src/test/typescript/(unit|integration|benchmark)/.*/*.test.ts
Expand Down Expand Up @@ -2093,21 +2117,14 @@ jobs:
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-besu-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile -t cactus-besu-all-in-one
- name: Run Trivy vulnerability scan for cactus-besu-all-in-one
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-besu-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile
ghcr-cmd-api-server:
runs-on: ubuntu-20.04
needs:
- compute_changed_packages
if: needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true'
if: |
needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true'
&& ${{ env.RUN_TRIVY_SCAN }} == 'true'
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-cmd-api-server
Expand All @@ -2118,70 +2135,76 @@ jobs:
image-ref: 'cactus-cmd-api-server'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-besu:
needs:
- compute_changed_packages
if: needs.compute_changed_packages.outputs.plugin-ledger-connector-besu-changed == 'true'
if: |
needs.compute_changed_packages.outputs.plugin-ledger-connector-besu-changed == 'true'
&& ${{ env.RUN_TRIVY_SCAN }} == 'true'
runs-on: ubuntu-20.04
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-connector-besu
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu/ -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-connector-besu
- name: Run Trivy vulnerability scan for cactus-connector-besu
- name: Run Trivy vulnerability scan for cactus-connector-plugin-ledger-besu
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-connector-besu'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-corda-server:
runs-on: ubuntu-20.04
needs:
- compute_changed_packages
if: needs.compute_changed_packages.outputs.plugin-ledger-connector-corda-changed == 'true'

if: |
needs.compute_changed_packages.outputs.plugin-ledger-connector-corda-changed == 'true'
&& ${{ env.RUN_TRIVY_SCAN }} == 'true'
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-connector-corda-server
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-corda/src/main-server/ -f ./packages/cactus-plugin-ledger-connector-corda/src/main-server/Dockerfile -t cactus-connector-corda-server
- name: Run Trivy vulnerability scan for cactus-connector-corda-server
- name: Run Trivy vulnerability scan for plugin-ledger-connector-corda
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-connector-corda-server'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-fabric:
runs-on: ubuntu-20.04
needs:
- compute_changed_packages
if: needs.compute_changed_packages.outputs.plugin-ledger-connector-fabric-changed == 'true'

if: |
needs.compute_changed_packages.outputs.plugin-ledger-connector-fabric-changed == 'true'
&& ${{ env.RUN_TRIVY_SCAN }} == 'true'
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-connector-fabric
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-fabric/ -f ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile -t cactus-connector-fabric
- name: Run Trivy vulnerability scan for cactus-connector-fabric
- name: Run Trivy vulnerability scan for cactus-plugin-ledger-connector-fabric
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-connector-fabric'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-corda-all-in-one:
runs-on: ubuntu-20.04
needs:
- compute_changed_packages
if: needs.compute_changed_packages.outputs.ghcr-corda-all-in-one-changed == 'true'
if: |
needs.compute_changed_packages.outputs.ghcr-corda-all-in-one-changed == 'true'
&& ${{ env.RUN_TRIVY_SCAN }} == 'true'
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-corda-all-in-one
Expand All @@ -2192,7 +2215,7 @@ jobs:
image-ref: 'cactus-corda-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-corda-all-in-one-flowdb:
Expand All @@ -2209,16 +2232,7 @@ jobs:
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-corda-all-in-one-obligation
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile -t cactus-corda-all-in-one-obligation
- name: Run Trivy vulnerability scan for cactus-corda-all-in-one-obligation
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-corda-all-in-one-obligation'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile
ghcr-dev-container-vscode:
runs-on: ubuntu-20.04
needs:
Expand All @@ -2241,18 +2255,10 @@ jobs:
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-example-carbon-accounting
run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
- name: Run Trivy vulnerability scan for cactus-example-carbon-accounting
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-example-carbon-accounting'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile
ghcr-example-supply-chain-app:
runs-on: ubuntu-20.04
if: ${{ env.RUN_TRIVY_SCAN }} == 'true'
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-example-supply-chain-app
Expand All @@ -2271,136 +2277,65 @@ jobs:
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-fabric-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x -t cactus-fabric-all-in-one
- name: Run Trivy vulnerability scan for cactus-fabric-all-in-one
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-fabric-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x
ghcr-fabric2-all-in-one:
runs-on: ubuntu-20.04
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-fabric2-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x -t cactus-fabric2-all-in-one
- name: Run Trivy vulnerability scan for cactus-fabric2-all-in-one
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-fabric2-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x
ghcr-iroha-all-in-one:
runs-on: ubuntu-20.04
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-iroha-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/iroha-all-in-one/ -f ./tools/docker/iroha-all-in-one/Dockerfile -t cactus-iroha-all-in-one
- name: Run Trivy vulnerability scan for cactus-iroha-all-in-one
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-iroha-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/iroha-all-in-one/ -f ./tools/docker/iroha-all-in-one/Dockerfile
ghcr-keychain-vault-server:
runs-on: ubuntu-20.04
if: ${{ env.RUN_TRIVY_SCAN }} == 'true'
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-keychain-vault-server
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/ -f ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile -t cactus-keychain-vault-server
- name: Run Trivy vulnerability scan for cactus-keychain-vault-server
- name: Run Trivy vulnerability scan for cactus-plugin-keychain-vault-server
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-keychain-vault-server'
format: 'table'
exit-code: '1'
ignore-unfixed: true
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-quorum-all-in-one:
runs-on: ubuntu-20.04
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-quorum-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile -t cactus-quorum-all-in-one
- name: Run Trivy vulnerability scan for cactus-quorum-all-in-one
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-quorum-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile
ghcr-quorum-multi-party-all-in-one:
runs-on: ubuntu-20.04
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-quorum-multi-party-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-multi-party-all-in-one/ -f ./tools/docker/quorum-multi-party-all-in-one/Dockerfile -t cactus-quorum-multi-party-all-in-one
- name: Run Trivy vulnerability scan for cactus-quorum-multi-party-all-in-one
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-quorum-multi-party-all-in-one'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-multi-party-all-in-one/ -f ./tools/docker/quorum-multi-party-all-in-one/Dockerfile
ghcr-rust-compiler:
runs-on: ubuntu-20.04
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-rust-compiler
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/rust-compiler/ -f ./tools/docker/rust-compiler/Dockerfile -t cactus-rust-compiler
- name: Run Trivy vulnerability scan for cactus-rust-compiler
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-rust-compiler'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/rust-compiler/ -f ./tools/docker/rust-compiler/Dockerfile
ghcr-test-npm-registry:
runs-on: ubuntu-20.04
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-test-npm-registry
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/test-npm-registry/ -f ./tools/docker/test-npm-registry/Dockerfile -t cactus-test-npm-registry
- name: Run Trivy vulnerability scan for cactus-test-npm-registry
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-test-npm-registry'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/test-npm-registry/ -f ./tools/docker/test-npm-registry/Dockerfile
ghcr-whitepaper:
runs-on: ubuntu-20.04
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-whitepaper
run: DOCKER_BUILDKIT=1 docker build ./whitepaper/ -f ./whitepaper/Dockerfile -t cactus-whitepaper
- name: Run Trivy vulnerability scan for cactus-whitepaper
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-whitepaper'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
run: DOCKER_BUILDKIT=1 docker build ./whitepaper/ -f ./whitepaper/Dockerfile
name: Cactus_CI
'on':
pull_request:
Expand Down

0 comments on commit 043d86c

Please sign in to comment.