ci: add container scanning to default checks

Fixes hyperledger#1876 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
zondervancalvez · May 6, 2022 · 8742ac7 · 8742ac7
1 parent 1030e6b
commit 8742ac7
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 220 deletions.
diff --git a/.github/containerscan/allowedlist.yaml b/.github/containerscan/allowedlist.yaml
diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml
@@ -11,120 +11,60 @@ on:
     tags:
       - v*
 
+env:
+  IMAGE_NAME_1: cactus-whitepaper
+  IMAGE_NAME_2: cactus-cmd-api-server
+
 jobs:
  build-secure-and-push:
+    name: cactus-whitepaper job
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
       env:
           # (Required) The token to use to make API calls to GitHub.
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          DOCKER_BUILDKIT: 1
+          DOCKERFILE_PATH: ./whitepaper/Dockerfile
 
     - uses: actions/checkout@v1
     - name: Login to DockerHub Registry
       run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 
 
-    - name: Build Images from Dockerfile
-      run: |
-        DOCKER_BUILDKIT=1 docker build -f ./packages/cactus-cmd-api-server/Dockerfile -t cactus-cmd-api-server .
-        DOCKER_BUILDKIT=1 docker build -f ./whitepaper/Dockerfile -t cactus-whitepaper .
-    
-
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-besu-all-in-one
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-whitepaper
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+    - name: Build Image from Dockerfile
+      run:  docker build -f $DOCKERFILE_PATH -t $IMAGE_NAME_1 .
 
     - uses: Azure/container-scan@v0.1
+      name: Scan image for vulnerabilities
+      id: container-scan
+      continue-on-error: true
       with:
-        images: | 
-          cactus-cmd-api-server
-          cactus-whitepaper
-        exit-code: '1'
-        ignore-unfixed: true
-
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-connector-fabric
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-connector-corda-server
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-connector-besu
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: corda-4-6-all-in-one-obligation
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-corda-4-7-all-in-one-obligation
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: corda-4-8-all-in-one-obligation-publish
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-dev-container-vscode
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-example-carbon-accounting
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-example-supply-chain-app
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-fabric-all-in-one
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+        image-name: $IMAGE_NAME_1
 
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-fabric2-all-in-one
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-iroha-all-in-one
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+ build-secure-and-push-2:
+    name: cactus-cmd-api-server job
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+      env:
+          # (Required) The token to use to make API calls to GitHub.
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          DOCKER_BUILDKIT: 1
+          DOCKERFILE_PATH: ./whitepaper/Dockerfile
 
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-keychain-vault-server
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+    - uses: actions/checkout@v1
+    - name: Login to DockerHub Registry
+      run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-quorum-all-in-one
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-rust-compiler
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+    - name: Build Images from Dockerfile
+      run:  docker build -f $DOCKERFILE_PATH -t $IMAGE_NAME_2 .
 
-    # - uses: Azure/container-scan@v0.1
-    #   with:
-    #     image-name: cactus-test-npm-registry
-    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+    - uses: Azure/container-scan@v0.1
+      name: Scan image for vulnerabilities
+      id: container-scan
+      continue-on-error: true
+      with:
+       image-name: $IMAGE_NAME_2
diff --git a/.github/workflows/azure-scan.yml b/.github/workflows/azure-scan.yml