diff --git a/.github/containerscan/allowedlist.yaml b/.github/containerscan/allowedlist.yaml deleted file mode 100644 index 41ad38e58a..0000000000 --- a/.github/containerscan/allowedlist.yaml +++ /dev/null @@ -1,25 +0,0 @@ -general: - vulnerabilities: - - CVE-2003-1307 - - CVE-2007-0086 - - CVE-2019-3462 - - CVE-2011-3374 - - CVE-2022-24771 - - CVE-2022-24772 - - CVE-2021-32803 - - CVE-2021-32804 - - CVE-2021-37701 - - CVE-2021-37712 - - CVE-2021-37713 - - CVE-2019-10773 - - CVE-2020-8131 - - CVE-2021-43138 - - CVE-2022-22143 - bestPracticeViolations: - - DKL-LI-0003 - - CIS-DI-0006 - - DKL-DI-0006 - - CIS-DI-0010 - - CIS-DI-0001 - - DKL-DI-0005 - - CIS-DI-0008 \ No newline at end of file diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml index ce25853456..427eeeb056 100644 --- a/.github/workflows/azure-container-scan.yaml +++ b/.github/workflows/azure-container-scan.yaml 
@@ -11,120 +11,60 @@ on: tags: - v* +env: + IMAGE_NAME_1: cactus-whitepaper + IMAGE_NAME_2: cactus-cmd-api-server + jobs: build-secure-and-push: + name: cactus-whitepaper job runs-on: ubuntu-latest steps: - uses: actions/checkout@master env: # (Required) The token to use to make API calls to GitHub. GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + DOCKER_BUILDKIT: 1 + DOCKERFILE_PATH: ./whitepaper/Dockerfile - uses: actions/checkout@v1 - name: Login to DockerHub Registry run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - - name: Build Images from Dockerfile - run: | - DOCKER_BUILDKIT=1 docker build -f ./packages/cactus-cmd-api-server/Dockerfile -t cactus-cmd-api-server . - DOCKER_BUILDKIT=1 docker build -f ./whitepaper/Dockerfile -t cactus-whitepaper . - - - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-besu-all-in-one - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-whitepaper - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + - name: Build Image from Dockerfile + run: docker build -f $DOCKERFILE_PATH -t $IMAGE_NAME_1 . 
- uses: Azure/container-scan@v0.1 + name: Scan image for vulnerabilities + id: container-scan + continue-on-error: true with: - images: | - cactus-cmd-api-server - cactus-whitepaper - exit-code: '1' - ignore-unfixed: true - - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-connector-fabric - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-connector-corda-server - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-connector-besu - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: corda-4-6-all-in-one-obligation - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-corda-4-7-all-in-one-obligation - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: corda-4-8-all-in-one-obligation-publish - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-dev-container-vscode - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-example-carbon-accounting - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-example-supply-chain-app - # run: echo "${{ secrets.GITHUB_TOKEN }}" | 
docker login ghcr.io -u ${{ github.actor }} --password-stdin - - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-fabric-all-in-one - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + image-name: $IMAGE_NAME_1 - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-fabric2-all-in-one - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-iroha-all-in-one - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + build-secure-and-push-2: + name: cactus-cmd-api-server job + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + env: + # (Required) The token to use to make API calls to GitHub. + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + DOCKER_BUILDKIT: 1 + DOCKERFILE_PATH: ./whitepaper/Dockerfile - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-keychain-vault-server - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + - uses: actions/checkout@v1 + - name: Login to DockerHub Registry + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-quorum-all-in-one - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-rust-compiler - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + - name: Build Images from Dockerfile + run: docker build -f $DOCKERFILE_PATH -t $IMAGE_NAME_2 . 
- # - uses: Azure/container-scan@v0.1 - # with: - # image-name: cactus-test-npm-registry - # run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin \ No newline at end of file + - uses: Azure/container-scan@v0.1 + name: Scan image for vulnerabilities + id: container-scan + continue-on-error: true + with: + image-name: $IMAGE_NAME_2 \ No newline at end of file diff --git a/.github/workflows/azure-scan.yml b/.github/workflows/azure-scan.yml deleted file mode 100644 index bbc114ff10..0000000000 --- a/.github/workflows/azure-scan.yml +++ /dev/null 
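Review bot: `image-name: $IMAGE_NAME_1` (and `$IMAGE_NAME_2` in the second job) will not be expanded, because `with:` inputs are not passed through a shell and the action receives the literal string; it should read `image-name: ${{ env.IMAGE_NAME_1 }}`. The second job also copies `DOCKERFILE_PATH: ./whitepaper/Dockerfile` from the first, so the image tagged `cactus-cmd-api-server` is built from the whitepaper Dockerfile and the api-server image (previously built from `./packages/cactus-cmd-api-server/Dockerfile` on the removed side) is never scanned; that line should be `DOCKERFILE_PATH: ./packages/cactus-cmd-api-server/Dockerfile`. `DOCKER_BUILDKIT` and `DOCKERFILE_PATH` appear to sit under the checkout step's `env:` next to `GITHUB_TOKEN`, in which case they are step-scoped and `$DOCKERFILE_PATH` expands empty in the later `docker build` step — they belong under a job-level `env:`. Finally, with `exit-code: '1'` dropped and `continue-on-error: true` added, a finding no longer fails the workflow and no visible step consumes `steps.container-scan.outcome`, so the scan has become informational; either drop `continue-on-error` or add a follow-up step that fails when `steps.container-scan.outcome == 'failure'`.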
@@ -1,101 +0,0 @@ -name: azure-container-image-scan - -on: - push: - # Publish `main` as Docker `latest` image. - branches: - - main - - # Publish `v1.2.3` tags as releases. - tags: - - v* - -jobs: - # Push image to GitHub Packages. - # See also https://docs.docker.com/docker-hub/builds/ - build-tag-push-container: - runs-on: ubuntu-20.04 - env: - DOCKER_BUILDKIT: 1 - DOCKERFILE_PATH: ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile - DOCKER_BUILD_DIR: ./packages/cactus-plugin-ledger-connector-fabric/ - permissions: - packages: write - contents: read - - steps: - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-besu-all-in-one - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-whitepaper - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-cmd-api-server - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-connector-fabric - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-connector-corda-server - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-connector-besu - - - uses: Azure/container-scan@v0.1 - with: - image-name: corda-4-6-all-in-one-obligation - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-corda-4-7-all-in-one-obligation - - - uses: Azure/container-scan@v0.1 - with: - image-name: corda-4-8-all-in-one-obligation-publish - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-dev-container-vscode - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-example-carbon-accounting - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-example-supply-chain-app - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-fabric-all-in-one - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-fabric2-all-in-one - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-iroha-all-in-one - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-keychain-vault-server - - - uses: 
Azure/container-scan@v0.1 - with: - image-name: cactus-quorum-all-in-one - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-rust-compiler - - - uses: Azure/container-scan@v0.1 - with: - image-name: cactus-test-npm-registry