diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 10eb5ab64d..a54ececb70 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -12,6 +12,7 @@ --- env: NODEJS_VERSION: v18.18.2 + RUN_TRIVY_SCAN: true jobs: ActionLint: uses: ./.github/workflows/actionlint.yaml @@ -1635,7 +1636,7 @@ jobs: with: node-version: ${{ env.NODEJS_VERSION }} - uses: actions/checkout@v4.1.1 - + - id: yarn-cache name: Restore Yarn Cache uses: actions/cache@v4.0.1 @@ -1645,6 +1646,19 @@ jobs: restore-keys: | ${{ runner.os }}-yarn-${{ hashFiles('./yarn.lock') }} - run: ./tools/ci.sh + + - name: Build an image from Dockerfile + run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-plugin-ledger-connector-quorum/Dockerfile -t plugin-ledger-connector-quorum + - if: ${{ env.RUN_TRIVY_SCAN == 'true' }} + name: Run Trivy vulnerability scan for plugin-ledger-connector-quorum + uses: aquasecurity/trivy-action@0.19.0 + with: + image-ref: 'plugin-ledger-connector-quorum' + format: 'table' + exit-code: '1' + ignore-unfixed: false + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' cplc-sawtooth: continue-on-error: false env: @@ -1984,7 +1998,7 @@ jobs: with: node-version: ${{ env.NODEJS_VERSION }} - uses: actions/checkout@v4.1.1 - + - id: yarn-cache name: Restore Yarn Cache uses: actions/cache@v4.0.1 @@ -2109,16 +2123,7 @@ jobs: steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-besu-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile -t cactus-besu-all-in-one - - name: Run Trivy vulnerability scan for cactus-besu-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-besu-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile ghcr-cmd-api-server: runs-on: ubuntu-22.04 needs: @@ -2128,13 +2133,14 @@ jobs: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-cmd-api-server run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-cmd-api-server/Dockerfile -t cactus-cmd-api-server - - name: Run Trivy vulnerability scan for cactus-cmd-api-server - uses: aquasecurity/trivy-action@0.11.2 + - if: ${{ env.RUN_TRIVY_SCAN == 'true' }} + name: Run Trivy vulnerability scan for cactus-cmd-api-server + uses: aquasecurity/trivy-action@0.19.0 with: image-ref: 'cactus-cmd-api-server' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-connector-besu: @@ -2146,13 +2152,14 @@ jobs: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-connector-besu run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu/ -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-connector-besu - - name: Run Trivy vulnerability scan for cactus-connector-besu - uses: aquasecurity/trivy-action@0.11.2 + - if: ${{ env.RUN_TRIVY_SCAN == 'true' }} + name: Run Trivy vulnerability scan for cactus-connector-besu + uses: aquasecurity/trivy-action@0.19.0 with: image-ref: 'cactus-connector-besu' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-connector-corda-server: @@ -2165,13 +2172,14 @@ jobs: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-connector-corda-server run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-corda/src/main-server/ -f ./packages/cactus-plugin-ledger-connector-corda/src/main-server/Dockerfile -t cactus-connector-corda-server - - name: Run Trivy vulnerability scan for cactus-connector-corda-server - uses: aquasecurity/trivy-action@0.11.2 + - if: ${{ env.RUN_TRIVY_SCAN == 'true' }} + name: Run Trivy vulnerability scan for cactus-connector-corda-server + uses: aquasecurity/trivy-action@0.19.0 with: image-ref: 'cactus-connector-corda-server' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-connector-fabric: @@ -2184,13 +2192,14 @@ jobs: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-connector-fabric run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-fabric/ -f ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile -t cactus-connector-fabric - - name: Run Trivy vulnerability scan for cactus-connector-fabric - uses: aquasecurity/trivy-action@0.11.2 + - if: ${{ env.RUN_TRIVY_SCAN == 'true' }} + name: Run Trivy vulnerability scan for cactus-connector-fabric + uses: aquasecurity/trivy-action@0.19.0 with: image-ref: 'cactus-connector-fabric' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-corda-all-in-one: @@ -2201,16 +2210,8 @@ jobs: steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-corda-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/Dockerfile -t cactus-corda-all-in-one - - name: Run Trivy vulnerability scan for cactus-corda-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-corda-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/Dockerfile + ghcr-corda-all-in-one-flowdb: runs-on: ubuntu-22.04 steps: @@ -2226,15 +2227,7 @@ jobs: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-corda-all-in-one-obligation run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile -t cactus-corda-all-in-one-obligation - - name: Run Trivy vulnerability scan for cactus-corda-all-in-one-obligation - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-corda-all-in-one-obligation' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + ghcr-dev-container-vscode: runs-on: ubuntu-22.04 needs: @@ -2257,74 +2250,43 @@ jobs: steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-example-carbon-accounting - run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting - - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-example-carbon-accounting' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile + ghcr-example-supply-chain-app: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-example-supply-chain-app run: DOCKER_BUILDKIT=1 docker build . -f ./examples/cactus-example-supply-chain-backend/Dockerfile -t cactus-example-supply-chain-app - - name: Run Trivy vulnerability scan for cactus-example-supply-chain-app - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-example-supply-chain-app' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + ghcr-fabric-all-in-one: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-fabric-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x -t cactus-fabric-all-in-one - - name: Run Trivy vulnerability scan for cactus-fabric-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-fabric-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x + ghcr-fabric2-all-in-one: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-fabric2-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x -t cactus-fabric2-all-in-one - - name: Run Trivy vulnerability scan for cactus-fabric2-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-fabric2-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x + ghcr-keychain-vault-server: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-keychain-vault-server run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/ -f ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile -t cactus-keychain-vault-server - - name: Run Trivy vulnerability scan for cactus-keychain-vault-server - uses: aquasecurity/trivy-action@0.11.2 + - if: ${{ env.RUN_TRIVY_SCAN == 'true' }} + name: Run Trivy vulnerability scan for cactus-keychain-vault-server + uses: aquasecurity/trivy-action@0.19.0 with: image-ref: 'cactus-keychain-vault-server' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-quorum-all-in-one: @@ -2332,31 +2294,15 @@ jobs: steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-quorum-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile -t cactus-quorum-all-in-one - - name: Run Trivy vulnerability scan for cactus-quorum-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-quorum-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile + ghcr-quorum-multi-party-all-in-one: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-quorum-multi-party-all-in-one run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-multi-party-all-in-one/ -f ./tools/docker/quorum-multi-party-all-in-one/Dockerfile -t cactus-quorum-multi-party-all-in-one - - name: Run Trivy vulnerability scan for cactus-quorum-multi-party-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-quorum-multi-party-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + name: Cactus_CI 'on': pull_request: @@ -2367,4 +2313,4 @@ name: Cactus_CI push: branches: - main - - dev + - dev \ No newline at end of file