babylonlabs-io · huynaism · Nov 8, 2024 · Nov 8, 2024 · Nov 8, 2024 · Nov 8, 2024
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,6 +4,7 @@ on:
   push:
     branches:
     - 'main'
+    - 'devops/add-docker-security-r3'
     tags:
     - '*'
 
@@ -19,7 +20,13 @@ jobs:
 
   docker_pipeline:
     needs: ["lint_test"]
-    uses: babylonlabs-io/.github/.github/workflows/[email protected]
+    uses: babylonlabs-io/.github/.github/workflows/[email protected]
+    permissions:
+      # required for all workflows
+      security-events: write
+      # required to fetch internal or private CodeQL packs
+      packages: read
     secrets: inherit
     with:
       publish: true
+      docker_scan: true
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,8 @@
+# LND < 0.17.0 issue, not fixing
+CVE-2024-27304
+GHSA-7jwh-3vrq-q3m8
+CVE-2024-27289
+CVE-2024-38359
+
+# Go-ethereum related
+CVE-2024-32972
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -37,6 +37,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
 ### Improvements
 
+
+* [#92](https://github.com/babylonlabs-io/btc-staker/pull/92) CI: Enable Dockerfile and image scanning
 * [#99](https://github.com/babylonlabs-io/btc-staker/pull/99) Bump babylon version
 and adapt staker to the changes
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,8 @@
 FROM golang:1.23.1 AS builder
 
 # Install cli tools for building and final image
-RUN apt-get update && apt-get install -y make git bash gcc curl jq
+# hadolint ignore=DL3008
+RUN apt-get update && apt-get install --no-install-recommends -y make git bash gcc curl jq && rm -rf /var/lib/apt/lists/*
 
 # Build
 WORKDIR /go/src/github.com/babylonlabs-io/btc-staker
@@ -18,17 +19,19 @@ RUN BUILD_TAGS=netgo \
 
 # FINAL IMAGE
 FROM debian:bookworm-slim AS run
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 RUN addgroup --gid 1138 --system btcstaker && adduser --uid 1138 --system --home /home/btcstaker btcstaker
-RUN apt-get update && apt-get install -y bash curl jq wget
+# hadolint ignore=DL3008
+RUN apt-get update && apt-get install --no-install-recommends -y ca-certificates bash curl jq wget && rm -rf /var/lib/apt/lists/*
 
 COPY --from=builder /go/src/github.com/babylonlabs-io/btc-staker/go.mod /tmp
 RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm /tmp/go.mod | cut -d' ' -f2) && \
-    wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm.$(uname -m).so \
-        -O /lib/libwasmvm.$(uname -m).so && \
+    wget --progress=dot:giga https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/libwasmvm."$(uname -m)".so \
+    -O /lib/libwasmvm."$(uname -m)".so && \
     # verify checksum
-    wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
-    sha256sum /lib/libwasmvm.$(uname -m).so | grep $(cat /tmp/checksums.txt | grep libwasmvm.$(uname -m) | cut -d ' ' -f 1)
+    wget --progress=dot:giga https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/checksums.txt -O /tmp/checksums.txt && \
+    sha256sum /lib/libwasmvm."$(uname -m)".so | grep "$(cat /tmp/checksums.txt | grep libwasmvm."$(uname -m)" | cut -d ' ' -f 1)"
 RUN rm -f /tmp/go.mod
 
 COPY --from=builder /go/src/github.com/babylonlabs-io/btc-staker/build/stakerd /bin/stakerd