Merge branch 'RedHatInsights:master' into update-postgresql-rds-image

.github/workflows/security-scanning.yml

@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# The default values used in the docker build commands are the root
+# directory '.' and the dockerfile name of 'Dockerfile'. If there is 
+# a need to change these do so in your local workflow template (this file) and
+# change them there. HINT: Look at the bottom of this file.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Anchore's Grype tool, and generates an
+# SBOM via Anchore's Syft tool
+
+# For more information on Anchore's container image scanning tool Grype, see
+# https://github.com/anchore/grype
+
+# For more information about the Anchore SBOM tool, Syft, see
+# https://github.com/anchore/syft
+
+name: ConsoleDot Platform Security Scan
+
+on:
+  push:
+    branches: [ "main", "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main", "master" ]
+
+jobs:
+  PlatSec-Security-Workflow:
+    uses: RedHatInsights/platform-security-gh-workflow/.github/workflows/platsec-security-scan-reusable-workflow.yml@master
+    ## The optional parameters below are used if you are using something other than the
+    ## the defaults of root '.' for the path and 'Dockerfile' for the Dockerfile name.
+    ## Additionally, if you have a Dockerfile you use as your BASE_IMG or you need to
+    ## use '--build-arg', those can be define below as well.
+
+    with:
+    #   dockerbuild_path: './buildtest'
+      dockerfile_path: './build'
+      dockerfile_name: 'Dockerfile'
+    #   base_image_build: true
+    #   base_dockerbuild_path: './testbuild.base'
+    #   base_dockerfile_path: './test'
+    #   base_dockerfile_name: 'Dockerfile.base'
+    #   build_arg: '--build-arg BASE_IMAGE="localbuild/baseimage:latest"'
+    #   only_fixed: true
+    #   fail_on_vulns: true
+    #   severity_fail_cutoff: high

.gitignore

@@ -4,3 +4,4 @@ node_modules
 sonar-scanner.properties
 .scannerwork/
 artifacts
+.npm

build/Dockerfile

@@ -1,27 +1,37 @@
-
 #----------------------- base -----------------------
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.9-1137 AS base
-
-WORKDIR /opt/app-root/src
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10-1018 AS base
 
-RUN microdnf module enable nodejs:16 && \
+RUN microdnf module enable nodejs:20 && \
     microdnf install -y nodejs --nodocs && \
     microdnf clean all
 
-#--------------------- packages ---------------------
+ENV APP_ROOT=/opt/app-root/src
+WORKDIR $APP_ROOT
+RUN mkdir -p $APP_ROOT/.npm/{_logs,_cacache} && chgrp -R 0 $APP_ROOT && chmod -R ug+rwX $APP_ROOT
+
+RUN npm install -g [email protected]
+
+USER 1001
+
+# make npm happy....
+ENV HOME=$APP_ROOT
+
+#-------------------- packages ----------------------
 
 FROM base AS packages
 
-COPY package.json package-lock.json ./
+COPY ./test ./test
+COPY package.json package-lock.json knexfile.js ./
 
 #----------------------- test -----------------------
 
 FROM packages AS test
 
-RUN npm ci
+COPY jest.config.js tsconfig.json ./
+COPY ./src ./src
 
-COPY . .
+RUN npm ci
 
 RUN npm run compile
 
@@ -31,12 +41,10 @@ ENV NODE_ENV=test
 
 FROM packages AS dist
 
-RUN npm ci --omit=dev
+COPY --from=test $APP_ROOT/dist ./dist
 
-COPY --from=test /opt/app-root/src/dist/package.json ./dist/
-COPY --from=test /opt/app-root/src/dist/src ./dist/src
+RUN npm ci --omit=dev && npm cache clean --force
 
-USER 1001
 EXPOSE 9006
 
 ENV NODE_ENV=production

build/docker-compose-unit_test.yml

@@ -6,11 +6,10 @@ services:
       context: ../
       dockerfile: build/Dockerfile
       target: test
-    command: sh -c "npm run test:ci && chmod -fR 777 artifacts"
-    volumes:
-      - ../artifacts:/opt/app-root/src/artifacts
-    links:
-      - db
+    command: sh -c "npm run test:ci"
+    depends_on:
+      db:
+        condition: service_healthy
     ports:
       - "9006:9006"
     environment:
@@ -28,8 +27,9 @@ services:
       - POSTGRESQL_PASSWORD=remediations
       - POSTGRESQL_DATABASE=remediations
     healthcheck:
-      test: "psql -c 'SELECT datname FROM pg_database;'"
-      start_period: 3s
+      test: [ "CMD-SHELL", "pg_isready" ]
       interval: 10s
+      timeout: 5s
+      start_period: 15s
       retries: 6
 

build/docker-compose.yml

@@ -1,41 +1,48 @@
 version: '3.4'
+
 services:
   remediations-consumer:
-#    image: quay.io/cloudservices/remediations-consumer:pr-157-2dfb8b2
     build:
       context: ../
       dockerfile: build/Dockerfile
-      target: test
-    command: sh -c "echo 'Waiting 10s for dependencies to start' && sleep 10 && npm run db:ims && npm start"
-    links:
+      target: dist
+    command: sh -c "echo 'Waiting 10s for dependencies to start' && sleep 10 && npm run db:ims && node dist/src/app.js"
+    depends_on:
       - db
+      - kafka
     ports:
       - "9006:9006"
     environment:
-      - NODE_ENV=development
-      - LOG_LEVEL=trace
-      - DB_HOST=db
-      - KAFKA_HOST=kafka:9092
-      - KAFKA_AUTOCOMMIT=true
-      - INVENTORY_TOPIC_ENABLED="true"
+      NODE_ENV: production
+      NODE_OPTIONS: --enable-source-maps
+      LOG_LEVEL: trace
+      DB_HOST: db
+      KAFKA_BROKERS: kafka:9092
+      KAFKA_AUTOCOMMIT: true
+      INVENTORY_TOPIC_ENABLED: "true"
     restart: "no"
 
   zookeeper:
     image: confluentinc/cp-zookeeper
     environment:
       - ZOOKEEPER_CLIENT_PORT=2181
       - ZOOKEEPER_SERVER_ID=1
+    ports:
+      - "2181:2181"
 
   kafka:
-    image: wurstmeister/kafka
+    image: confluentinc/cp-kafka
+    depends_on:
+      - zookeeper
     ports:
       - "29092:29092"
     environment:
       KAFKA_LISTENERS: INTERNAL://kafka:9092,EXTERNAL://kafka:29092
       KAFKA_ADVERTISED_LISTENERS: INTERNAL://kafka:9092,EXTERNAL://localhost:29092
       KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INTERNAL:PLAINTEXT,EXTERNAL:PLAINTEXT
       KAFKA_INTER_BROKER_LISTENER_NAME: INTERNAL
-#      KAFKA_CREATE_TOPICS: "platform.inventory.events:3:1"
+      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
+      KAFKA_CREATE_TOPICS: "platform.inventory.events:3:1"
       KAFKA_ADVERTISED_HOST_NAME: 172.17.0.1
       KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
 

knexfile.js

@@ -7,10 +7,10 @@ const options = {
     ...buildConfiguration(config),
     migrations: {
         tableName: 'knex_migrations',
-        directory: 'dist/test/migrations'
+        directory: './dist/test/migrations'
     },
     seeds: {
-        directory: 'dist/test/seeds'
+        directory: './dist/test/seeds'
     }
 };