Skip to content

Commit

Permalink
docs(devcontainer): add trivy and its VSCode Extension
Browse files Browse the repository at this point in the history
Primary Changes
1) updated trivy version in the .devcontainer file and
included AquaSecurityOfficial.trivy-vulnerability-scanner vs-code extension
2) updated trivy version in ci.yaml
3) included AquaSecurityOfficial.trivy-vulnerability-scanner
vs-code extension in the .vscode/extensions.json file

Fixes #2650

Signed-off-by: ashnashahgrover <[email protected]>
  • Loading branch information
ashnashahgrover committed Jul 22, 2024
1 parent 603ff0e commit 86a0c08
Show file tree
Hide file tree
Showing 3 changed files with 101 additions and 6 deletions.
5 changes: 3 additions & 2 deletions .devcontainer/devcontainer.json
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@
"version": "v3.20.3"
},
"ghcr.io/dhoeric/features/trivy:1.0.0": {
"version": "0.49.1"
"version": "0.52.1"
}
},
"customizations": {
Expand All @@ -62,7 +62,8 @@
"eamodio.gitlens",
"streetsidesoftware.code-spell-checker",
"github.vscode-pull-request-github",
"codeandstuff.package-json-upgrade"
"codeandstuff.package-json-upgrade",
"AquaSecurityOfficial.trivy-vulnerability-scanner"
]
}
},
Expand Down
99 changes: 96 additions & 3 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1975,7 +1975,32 @@ jobs:
uses: actions/[email protected]
with:
name: coverage-reports-31
path: ./code-coverage-ts/**/
path: ./code-coverage-ts/**/
node-version: ${{ env.NODEJS_VERSION }}
- uses: actions/[email protected]

- id: yarn-cache
name: Restore Yarn Cache
uses: actions/[email protected]
with:
key: ${{ runner.os }}-yarn-${{ hashFiles('./yarn.lock') }}
path: ./.yarn/
restore-keys: |
${{ runner.os }}-yarn-${{ hashFiles('./yarn.lock') }}
- run: ./tools/ci.sh

- name: Build an image from Dockerfile
run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-plugin-ledger-connector-quorum/Dockerfile -t plugin-ledger-connector-quorum
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for plugin-ledger-connector-quorum
uses: aquasecurity/[email protected]
with:
image-ref: 'plugin-ledger-connector-quorum'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
cplc-sawtooth:
continue-on-error: false
env:
Expand Down Expand Up @@ -2565,6 +2590,44 @@ jobs:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-besu-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile
ghcr-cmd-api-server:
runs-on: ubuntu-22.04
needs:
- compute_changed_packages
if: needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true'
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-cmd-api-server
run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-cmd-api-server/Dockerfile -t cactus-cmd-api-server
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-cmd-api-server
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-cmd-api-server'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-besu:
needs:
- compute_changed_packages
if: needs.compute_changed_packages.outputs.plugin-ledger-connector-besu-changed == 'true'
runs-on: ubuntu-22.04
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-connector-besu
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu/ -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-connector-besu
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-connector-besu
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-connector-besu'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-corda-server:
runs-on: ubuntu-22.04
needs:
Expand All @@ -2577,14 +2640,44 @@ jobs:
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-corda/src/main-server/ -f ./packages/cactus-plugin-ledger-connector-corda/src/main-server/Dockerfile -t cactus-connector-corda-server
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-connector-corda-server
uses: aquasecurity/trivy-action@0.19.0
uses: aquasecurity/trivy-action@0.52.1
with:
image-ref: 'cactus-connector-corda-server'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-fabric:
runs-on: ubuntu-22.04
needs:
- compute_changed_packages
if: needs.compute_changed_packages.outputs.plugin-ledger-connector-fabric-changed == 'true'

steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-connector-fabric
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-fabric/ -f ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile -t cactus-connector-fabric
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-connector-fabric
uses: aquasecurity/[email protected]
with:
image-ref: 'cactus-connector-fabric'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-corda-all-in-one:
runs-on: ubuntu-22.04
needs:
- compute_changed_packages
if: needs.compute_changed_packages.outputs.ghcr-corda-all-in-one-changed == 'true'
steps:
- uses: actions/[email protected]
- name: ghcr.io/hyperledger/cactus-corda-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/Dockerfile

ghcr-corda-all-in-one-flowdb:
runs-on: ubuntu-22.04
steps:
Expand Down Expand Up @@ -2638,7 +2731,7 @@ jobs:
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/ -f ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile -t cactus-keychain-vault-server
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-keychain-vault-server
uses: aquasecurity/trivy-action@0.19.0
uses: aquasecurity/trivy-action@0.52.1
with:
image-ref: 'cactus-keychain-vault-server'
format: 'table'
Expand Down
3 changes: 2 additions & 1 deletion .vscode/extensions.json
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
"eamodio.gitlens",
"streetsidesoftware.code-spell-checker",
"github.vscode-pull-request-github",
"codeandstuff.package-json-upgrade"
"codeandstuff.package-json-upgrade",
"AquaSecurityOfficial.trivy-vulnerability-scanner"
]
}

0 comments on commit 86a0c08

Please sign in to comment.