From 86a0c0899c1da3e75ab382db4b5a02282cb8de00 Mon Sep 17 00:00:00 2001
From: ashnashahgrover
Date: Thu, 13 Jun 2024 17:10:20 +0530
Subject: [PATCH] docs(devcontainer): add trivy and its VSCode Extension

Primary Changes
1) updated trivy version in the .devcontainer file and included AquaSecurityOfficial.trivy-vulnerability-scanner vs-code extension
2) updated trivy version in ci.yaml
3) included AquaSecurityOfficial.trivy-vulnerability-scanner vs-code extension in the .vscode/extensions.json file

Fixes #2650

Signed-off-by: ashnashahgrover
---
 .devcontainer/devcontainer.json | 5 +-
 .github/workflows/ci.yaml | 99 ++++++++++++++++++++++++++++++++-
 .vscode/extensions.json | 3 +-
 3 files changed, 101 insertions(+), 6 deletions(-)

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index b0e6cd76ee0..700d3477187 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -42,7 +42,7 @@
 "version": "v3.20.3"
 },
 "ghcr.io/dhoeric/features/trivy:1.0.0": {
- "version": "0.49.1"
+ "version": "0.52.1"
 }
 },
 "customizations": {
@@ -62,7 +62,8 @@
 "eamodio.gitlens",
 "streetsidesoftware.code-spell-checker",
 "github.vscode-pull-request-github",
- "codeandstuff.package-json-upgrade"
+ "codeandstuff.package-json-upgrade",
+ "AquaSecurityOfficial.trivy-vulnerability-scanner"
 ]
 }
 },
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index bb09b75514e..353e4f66f9b 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1975,7 +1975,32 @@ jobs:
 uses: actions/upload-artifact@v4.3.3
 with:
 name: coverage-reports-31
- path: ./code-coverage-ts/**/
+ path: ./code-coverage-ts/**/
+ node-version: ${{ env.NODEJS_VERSION }}
+ - uses: actions/checkout@v4.1.1
+
+ - id: yarn-cache
+ name: Restore Yarn Cache
+ uses: actions/cache@v4.0.1
+ with:
+ key: ${{ runner.os }}-yarn-${{ hashFiles('./yarn.lock') }}
+ path: ./.yarn/
+ restore-keys: |
+ ${{ runner.os }}-yarn-${{ hashFiles('./yarn.lock') }}
+ - run: ./tools/ci.sh
+
+ - name: Build an image from Dockerfile
+ run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-plugin-ledger-connector-quorum/Dockerfile -t plugin-ledger-connector-quorum
+ - if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
+ name: Run Trivy vulnerability scan for plugin-ledger-connector-quorum
+ uses: aquasecurity/trivy-action@0.52.1
+ with:
+ image-ref: 'plugin-ledger-connector-quorum'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: false
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
 cplc-sawtooth:
 continue-on-error: false
 env:
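Review bot: `node-version: ${{ env.NODEJS_VERSION }}` is added under the `with:` block of `actions/upload-artifact@v4.3.3`, which has no such input, and the checkout, yarn-cache, `./tools/ci.sh`, image-build and scan steps that follow it appear to be appended after the artifact upload inside that same job rather than in a job of their own (the `cplc-sawtooth:` context line shows the next job key is only reached afterwards); this looks like a mis-applied merge and the hunk should be dropped or reworked into its own job like the `ghcr-*` ones added later in this patch. Separately, `uses: aquasecurity/trivy-action@0.52.1` here and in the hunks at -2565, -2577 and -2638 reuses the Trivy CLI version pinned in devcontainer.json, but trivy-action tags follow their own numbering, so confirm the tag actually resolves; for a third-party action that gates the build, pinning to its full commit SHA with the release in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release-tag>`, is the usual hardening. The enclosing job starts outside the hunk.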
@@ -2565,6 +2590,44 @@ jobs:
 - uses: actions/checkout@v4.1.1
 - name: ghcr.io/hyperledger/cactus-besu-all-in-one
 run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile
+ ghcr-cmd-api-server:
+ runs-on: ubuntu-22.04
+ needs:
+ - compute_changed_packages
+ if: needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true'
+ steps:
+ - uses: actions/checkout@v4.1.1
+ - name: ghcr.io/hyperledger/cactus-cmd-api-server
+ run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-cmd-api-server/Dockerfile -t cactus-cmd-api-server
+ - if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
+ name: Run Trivy vulnerability scan for cactus-cmd-api-server
+ uses: aquasecurity/trivy-action@0.52.1
+ with:
+ image-ref: 'cactus-cmd-api-server'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: false
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ ghcr-connector-besu:
+ needs:
+ - compute_changed_packages
+ if: needs.compute_changed_packages.outputs.plugin-ledger-connector-besu-changed == 'true'
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4.1.1
+ - name: ghcr.io/hyperledger/cactus-connector-besu
+ run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu/ -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-connector-besu
+ - if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
+ name: Run Trivy vulnerability scan for cactus-connector-besu
+ uses: aquasecurity/trivy-action@0.52.1
+ with:
+ image-ref: 'cactus-connector-besu'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: false
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
 ghcr-connector-corda-server:
 runs-on: ubuntu-22.04
 needs:
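Review bot: The two new jobs order their keys differently — `ghcr-cmd-api-server` goes `runs-on`, `needs`, `if`, `steps` while `ghcr-connector-besu` goes `needs`, `if`, `runs-on`, `steps`; the `ghcr-connector-corda-server` context line right after starts with `runs-on`, so keeping that order in both new jobs would make the block read uniformly. Both scan steps are gated on `if: ${{ env.RUN_TRIVY_SCAN == 'true' }}` but neither job declares `RUN_TRIVY_SCAN`; if it is not set in a workflow-level `env:` block (outside this hunk) the step is silently skipped and the job still reports green, so the gate deserves a comment such as `# skipped, not failed, unless RUN_TRIVY_SCAN == 'true'` so a reader does not mistake a skipped scan for a clean one.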
@@ -2577,7 +2640,7 @@ jobs:
 run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-corda/src/main-server/ -f ./packages/cactus-plugin-ledger-connector-corda/src/main-server/Dockerfile -t cactus-connector-corda-server
 - if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
 name: Run Trivy vulnerability scan for cactus-connector-corda-server
- uses: aquasecurity/trivy-action@0.19.0
+ uses: aquasecurity/trivy-action@0.52.1
 with:
 image-ref: 'cactus-connector-corda-server'
 format: 'table'
@@ -2585,6 +2648,36 @@ jobs:
 ignore-unfixed: false
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH'
+ ghcr-connector-fabric:
+ runs-on: ubuntu-22.04
+ needs:
+ - compute_changed_packages
+ if: needs.compute_changed_packages.outputs.plugin-ledger-connector-fabric-changed == 'true'
+
+ steps:
+ - uses: actions/checkout@v4.1.1
+ - name: ghcr.io/hyperledger/cactus-connector-fabric
+ run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-fabric/ -f ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile -t cactus-connector-fabric
+ - if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
+ name: Run Trivy vulnerability scan for cactus-connector-fabric
+ uses: aquasecurity/trivy-action@0.52.1
+ with:
+ image-ref: 'cactus-connector-fabric'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: false
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ ghcr-corda-all-in-one:
+ runs-on: ubuntu-22.04
+ needs:
+ - compute_changed_packages
+ if: needs.compute_changed_packages.outputs.ghcr-corda-all-in-one-changed == 'true'
+ steps:
+ - uses: actions/checkout@v4.1.1
+ - name: ghcr.io/hyperledger/cactus-corda-all-in-one
+ run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/Dockerfile
+
 ghcr-corda-all-in-one-flowdb:
 runs-on: ubuntu-22.04
 steps:
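Review bot: The new `ghcr-corda-all-in-one` job (second hunk, -2585) builds its image without a `-t` tag and has no Trivy scan step, unlike `ghcr-connector-fabric` in the same hunk; if that is deliberate because it mirrors the existing `ghcr.io/hyperledger/cactus-besu-all-in-one` step, a comment on the job should say so, otherwise add `-t cactus-corda-all-in-one` to the build and the same gated `aquasecurity/trivy-action` step with `image-ref: 'cactus-corda-all-in-one'`. Its gate reads `outputs.ghcr-corda-all-in-one-changed`, a different naming scheme from the package-based `plugin-ledger-connector-fabric-changed` used by its sibling, so confirm `compute_changed_packages` really emits that output — a missing output evaluates to empty and the job would never run. `ghcr-connector-fabric` also carries a stray blank line between `if:` and `steps:` that the other new jobs do not. The first hunk here (-2577) only bumps the action tag.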
@@ -2638,7 +2731,7 @@ jobs:
 run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/ -f ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile -t cactus-keychain-vault-server
 - if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
 name: Run Trivy vulnerability scan for cactus-keychain-vault-server
- uses: aquasecurity/trivy-action@0.19.0
+ uses: aquasecurity/trivy-action@0.52.1
 with:
 image-ref: 'cactus-keychain-vault-server'
 format: 'table'
diff --git a/.vscode/extensions.json b/.vscode/extensions.json
index 86f6098895b..6c66f1bb57c 100644
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -14,6 +14,7 @@
 "eamodio.gitlens",
 "streetsidesoftware.code-spell-checker",
 "github.vscode-pull-request-github",
- "codeandstuff.package-json-upgrade"
+ "codeandstuff.package-json-upgrade",
+ "AquaSecurityOfficial.trivy-vulnerability-scanner"
 ]
 }