From a6bb8b41251d0ceb81d8427cb4f633925b83ef45 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 25 Oct 2023 22:32:36 +0000 Subject: [PATCH] ci: add container scanning to default checks Trivy is a cutting-edge security tool designed to enhance the safety of containerized applications by conducting thorough vulnerability assessments. Specifically developed for scanning container images, ranging from low-severity issues to critical threats. It employs an intelligent rating system to categorize vulnerabilities based on their severity levels, ensuring that high to critical vulnerabilities are given special attention. Upon detecting vulnerabilities that fall within this elevated range, Trivy will throw an error. By integrating Trivy into our deployment pipeline, we can proactively mitigate security risks and enhance the resilience of our repository. Fixes hyperledger#1876 Depends On: hyperledger#2865 Depends On: hyperledger#2864 Depends On: hyperledger#2863 Depends On: hyperledger#2862 Signed-off-by: zondervancalvez --- .github/workflows/ci.yaml | 204 ++++++++++++++------------------------ 1 file changed, 73 insertions(+), 131 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0eb7698729..a93c26fe9e 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -16,6 +16,16 @@ jobs: - name: Get the output response run: echo "${{ steps.lint-git-repo.outputs.lint-git-repo-response }}" + check_trivy_condition: + name: Check Trivy Condition + runs-on: ubuntu-20.04 + outputs: + run_trivy_scan: ${{ steps.set_condition_trivy_scan.outputs.run_trivy_scan }} + steps: + - name: Set Trivy Condition + id: set_condition_trivy_scan + run: echo "::set-output name=run_trivy_scan::false" # Set your condition to run trivy scan here + compute_changed_packages: outputs: cmd-api-server-changed: ${{ steps.changes.outputs.cmd-api-server-changed }} @@ -1486,7 +1496,10 @@ jobs: TAPE_TEST_PATTERN: >- --files={./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/integration/iroha-iroha-transfer-example.test.ts,./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/integration/openapi/openapi-validation.test.ts,./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/integration/run-transaction-endpoint-v1.test.ts,./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/unit/iroha-test-ledger-parameters.test.ts,./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/unit/postgres-test-container-parameters.test.ts} TAPE_TEST_RUNNER_DISABLED: false - needs: build-dev + needs: + - build-dev + - check_trivy_condition + if: needs.check_trivy_condition.outputs.run_trivy_scan == 'true' runs-on: ubuntu-20.04 steps: - name: Use Node.js ${{ env.NODEJS_VERSION }} @@ -1494,7 +1507,17 @@ jobs: with: node-version: ${{ env.NODEJS_VERSION }} - uses: actions/checkout@v3.5.2 - + - name: Build an image from Dockerfile + run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-iroha/ -f ./packages/cactus-plugin-ledger-connector-iroha/Dockerfile -t cactus-connector-iroha + - name: Run Trivy vulnerability scan for cactus-plugin-ledger-connector-iroha + uses: aquasecurity/trivy-action@0.11.2 + with: + image-ref: 'cactus-connector-iroha' + format: 'table' + exit-code: '1' + ignore-unfixed: false + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' - id: yarn-cache name: Restore Yarn Cache uses: actions/cache@v3.3.1 @@ -1564,7 +1587,8 @@ jobs: needs: - build-dev - compute_changed_packages - if: needs.compute_changed_packages.outputs.plugin-ledger-connector-quorum-changed == 'true' + - check_trivy_condition + if: needs.compute_changed_packages.outputs.plugin-ledger-connector-quorum-changed == 'true' || needs.check_trivy_condition.outputs.run_trivy_scan == 'true' env: FULL_BUILD_DISABLED: true JEST_TEST_PATTERN: packages/cactus-plugin-ledger-connector-quorum/src/test/typescript/(unit|integration|benchmark)/.*/*.test.ts @@ -1579,7 +1603,17 @@ jobs: with: node-version: ${{ env.NODEJS_VERSION }} - uses: actions/checkout@v3.5.2 - + - name: Build an image from Dockerfile + run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-quorum/ -f ./packages/cactus-plugin-ledger-connector-quorum/Dockerfile -t cactus-connector-quorum + - name: Run Trivy vulnerability scan for cactus-plugin-ledger-connector-quorum + uses: aquasecurity/trivy-action@0.11.2 + with: + image-ref: 'cactus-connector-quorum' + format: 'table' + exit-code: '1' + ignore-unfixed: false + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' - id: yarn-cache name: Restore Yarn Cache uses: actions/cache@v3.3.1 @@ -2056,21 +2090,13 @@ jobs: steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-besu-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile -t cactus-besu-all-in-one - - name: Run Trivy vulnerability scan for cactus-besu-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-besu-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile ghcr-cmd-api-server: runs-on: ubuntu-20.04 needs: - compute_changed_packages - if: needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true' + - check_trivy_condition + if: needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true' || needs.check_trivy_condition.outputs.run_trivy_scan == 'true' steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-cmd-api-server @@ -2081,70 +2107,72 @@ jobs: image-ref: 'cactus-cmd-api-server' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-connector-besu: needs: - compute_changed_packages - if: needs.compute_changed_packages.outputs.plugin-ledger-connector-besu-changed == 'true' + - check_trivy_condition + if: needs.compute_changed_packages.outputs.plugin-ledger-connector-besu-changed == 'true' || needs.check_trivy_condition.outputs.run_trivy_scan == 'true' runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-connector-besu run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu/ -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-connector-besu - - name: Run Trivy vulnerability scan for cactus-connector-besu + - name: Run Trivy vulnerability scan for cactus-connector-plugin-ledger-besu uses: aquasecurity/trivy-action@0.11.2 with: image-ref: 'cactus-connector-besu' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-connector-corda-server: runs-on: ubuntu-20.04 needs: - compute_changed_packages - if: needs.compute_changed_packages.outputs.plugin-ledger-connector-corda-changed == 'true' - + - check_trivy_condition + if: needs.compute_changed_packages.outputs.plugin-ledger-connector-corda-changed == 'true' || needs.check_trivy_condition.outputs.run_trivy_scan == 'true' steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-connector-corda-server run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-corda/src/main-server/ -f ./packages/cactus-plugin-ledger-connector-corda/src/main-server/Dockerfile -t cactus-connector-corda-server - - name: Run Trivy vulnerability scan for cactus-connector-corda-server + - name: Run Trivy vulnerability scan for plugin-ledger-connector-corda uses: aquasecurity/trivy-action@0.11.2 with: image-ref: 'cactus-connector-corda-server' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-connector-fabric: runs-on: ubuntu-20.04 needs: - compute_changed_packages - if: needs.compute_changed_packages.outputs.plugin-ledger-connector-fabric-changed == 'true' - + - check_trivy_condition + if: needs.compute_changed_packages.outputs.plugin-ledger-connector-fabric-changed == 'true' || needs.check_trivy_condition.outputs.run_trivy_scan == 'true' steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-connector-fabric run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-fabric/ -f ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile -t cactus-connector-fabric - - name: Run Trivy vulnerability scan for cactus-connector-fabric + - name: Run Trivy vulnerability scan for cactus-plugin-ledger-connector-fabric uses: aquasecurity/trivy-action@0.11.2 with: image-ref: 'cactus-connector-fabric' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-corda-all-in-one: runs-on: ubuntu-20.04 needs: - compute_changed_packages - if: needs.compute_changed_packages.outputs.ghcr-corda-all-in-one-changed == 'true' + - check_trivy_condition + if: needs.compute_changed_packages.outputs.ghcr-corda-all-in-one-changed == 'true' || needs.check_trivy_condition.outputs.run_trivy_scan == 'true' steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-corda-all-in-one @@ -2155,7 +2183,7 @@ jobs: image-ref: 'cactus-corda-all-in-one' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-corda-all-in-one-flowdb: @@ -2172,16 +2200,7 @@ jobs: steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-corda-all-in-one-obligation - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile -t cactus-corda-all-in-one-obligation - - name: Run Trivy vulnerability scan for cactus-corda-all-in-one-obligation - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-corda-all-in-one-obligation' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile ghcr-dev-container-vscode: runs-on: ubuntu-20.04 needs: @@ -2204,18 +2223,11 @@ jobs: steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-example-carbon-accounting - run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting - - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-example-carbon-accounting' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile ghcr-example-supply-chain-app: runs-on: ubuntu-20.04 + needs: check_trivy_condition + if: needs.check_trivy_condition.outputs.run_trivy_scan == 'true' steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-example-supply-chain-app @@ -2234,59 +2246,34 @@ jobs: steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-fabric-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x -t cactus-fabric-all-in-one - - name: Run Trivy vulnerability scan for cactus-fabric-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-fabric-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x ghcr-fabric2-all-in-one: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-fabric2-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x -t cactus-fabric2-all-in-one - - name: Run Trivy vulnerability scan for cactus-fabric2-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-fabric2-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x ghcr-iroha-all-in-one: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-iroha-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/iroha-all-in-one/ -f ./tools/docker/iroha-all-in-one/Dockerfile -t cactus-iroha-all-in-one - - name: Run Trivy vulnerability scan for cactus-iroha-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-iroha-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/iroha-all-in-one/ -f ./tools/docker/iroha-all-in-one/Dockerfile ghcr-keychain-vault-server: runs-on: ubuntu-20.04 + needs: check_trivy_condition + if: needs.check_trivy_condition.outputs.run_trivy_scan == 'true' steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-keychain-vault-server run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/ -f ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile -t cactus-keychain-vault-server - - name: Run Trivy vulnerability scan for cactus-keychain-vault-server + - name: Run Trivy vulnerability scan for cactus-plugin-keychain-vault-server uses: aquasecurity/trivy-action@0.11.2 with: image-ref: 'cactus-keychain-vault-server' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-quorum-all-in-one: @@ -2294,76 +2281,31 @@ jobs: steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-quorum-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile -t cactus-quorum-all-in-one - - name: Run Trivy vulnerability scan for cactus-quorum-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-quorum-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile ghcr-quorum-multi-party-all-in-one: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-quorum-multi-party-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-multi-party-all-in-one/ -f ./tools/docker/quorum-multi-party-all-in-one/Dockerfile -t cactus-quorum-multi-party-all-in-one - - name: Run Trivy vulnerability scan for cactus-quorum-multi-party-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-quorum-multi-party-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-multi-party-all-in-one/ -f ./tools/docker/quorum-multi-party-all-in-one/Dockerfile ghcr-rust-compiler: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-rust-compiler - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/rust-compiler/ -f ./tools/docker/rust-compiler/Dockerfile -t cactus-rust-compiler - - name: Run Trivy vulnerability scan for cactus-rust-compiler - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-rust-compiler' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/rust-compiler/ -f ./tools/docker/rust-compiler/Dockerfile ghcr-test-npm-registry: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-test-npm-registry - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/test-npm-registry/ -f ./tools/docker/test-npm-registry/Dockerfile -t cactus-test-npm-registry - - name: Run Trivy vulnerability scan for cactus-test-npm-registry - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-test-npm-registry' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/test-npm-registry/ -f ./tools/docker/test-npm-registry/Dockerfile ghcr-whitepaper: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-whitepaper - run: DOCKER_BUILDKIT=1 docker build ./whitepaper/ -f ./whitepaper/Dockerfile -t cactus-whitepaper - - name: Run Trivy vulnerability scan for cactus-whitepaper - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-whitepaper' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./whitepaper/ -f ./whitepaper/Dockerfile name: Cactus_CI 'on': pull_request: