diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index bde4348a0e..55b03afd60 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -36,18 +36,22 @@ jobs:
 - ecr_repository: modernising-lpa/app
 name: app
 path: ./docker/mlpa/Dockerfile
+ trivyignores: ./docker/mlpa/.trivyignore.yaml
 platforms: linux/amd64
 - ecr_repository: modernising-lpa/create-s3-batch-replication-job
 name: create-s3-batch-replication-job
 path: ./lambda/create_s3_replication_job/Dockerfile
+ trivyignores: ./lambda/create_s3_replication_job/.trivyignore.yaml
 platforms: linux/amd64
 - ecr_repository: modernising-lpa/event-received
 name: event-received
 path: ./docker/event-received/Dockerfile
+ trivyignores: ./docker/event-received/.trivyignore.yaml
 platforms: linux/amd64
 - ecr_repository: modernising-lpa/mock-pay
 name: mock-pay
 path: ./docker/mock-pay/Dockerfile
+ trivyignores: ./docker/mock-pay/.trivyignore.yaml
 platforms: linux/amd64
 runs-on: ubuntu-latest
@@ -88,6 +92,21 @@ jobs:
 mask-password: true
 registries: 311462405659
+ - name: Trivy Dockerfile Configuration Scanner for ${{ matrix.ecr_repository }}
+ id: trivy_dockerfile_misconfiguration_scan
+ uses: aquasecurity/trivy-action@0.26.0
+ env:
+ TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db:2
+ TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db:1
+ TRIVY_IGNOREFILE: ${{ matrix.trivyignores }}
+ with:
+ scan-type: fs
+ scan-ref: ${{ matrix.path }}
+ severity: 'HIGH,CRITICAL'
+ scanners: 'misconfig'
+ version: v0.56.2
+ exit-code: 1
+
 - name: Build ${{ matrix.ecr_repository }} Image
 uses: docker/build-push-action@v6.9.0
 with:
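Review bot: The new step's `scanners: 'misconfig'` fetches Trivy's misconfiguration checks bundle from its default public registry, which the mirrored `TRIVY_DB_REPOSITORY`/`TRIVY_JAVA_DB_REPOSITORY` env vars do not cover, so if those mirrors exist to avoid public-registry egress or rate limits this step still depends on the public source; if the pinned v0.56.2 supports it, point `TRIVY_CHECKS_BUNDLE_REPOSITORY` at a mirror the same way. The `scan-type: fs` and `scan-ref: ${{ matrix.path }}` lines are unquoted while the existing image step in the @@ -125 hunk writes `scan-type: 'image'`; `scan-type: 'fs'` keeps the file consistent. The three-line env block (two DB mirrors plus `TRIVY_IGNOREFILE`) is now copied verbatim into this step, the image-scan hunk at @@ -110 and the SBOM hunk at @@ -125; if the job has no job-level `env:` already (not visible here), hoisting it there would leave one place to update. The action is pinned by tag (`@0.26.0`) like the other steps in the file; pinning the scanner itself to a full commit SHA would make its supply chain tamper-evident.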
@@ -110,6 +129,7 @@ jobs:
 env:
 TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db:2
 TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db:1
+ TRIVY_IGNOREFILE: ${{ matrix.trivyignores }}
 with:
 image-ref: ${{ matrix.ecr_repository }}:${{ inputs.tag }}
 severity: 'HIGH,CRITICAL'
@@ -125,6 +145,10 @@ jobs:
 - name: Trivy Image SBOM Generator for ${{ matrix.ecr_repository }} and submit results to Dependency Graph
 id: trivy_sbom
 uses: aquasecurity/trivy-action@0.26.0
+ env:
+ TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db:2
+ TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db:1
+ TRIVY_IGNOREFILE: ${{ matrix.trivyignores }}
 with:
 scan-type: 'image'
 image-ref: ${{ matrix.ecr_repository }}:${{ inputs.tag }}
diff --git a/docker/event-received/.trivyignore.yaml b/docker/event-received/.trivyignore.yaml
new file mode 100644
index 0000000000..f9ce7c43ab
--- /dev/null
+++ b/docker/event-received/.trivyignore.yaml
@@ -0,0 +1,3 @@
+misconfigurations:
+ - id: AVD-DS-0002
+ statement: Lambda creates a docker USER with least-privilege permissions.
diff --git a/docker/event-received/Dockerfile b/docker/event-received/Dockerfile
index f36338c876..cc211ede3c 100644
--- a/docker/event-received/Dockerfile
+++ b/docker/event-received/Dockerfile
@@ -10,7 +10,7 @@ COPY --link internal ./internal
 RUN GOOS=linux GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 go build -tags lambda.norpc -o event-received ./cmd/event-received
-FROM public.ecr.aws/lambda/provided:al2 AS dev
+FROM public.ecr.aws/lambda/provided:al2023.2024.10.14.12 AS dev
 WORKDIR /app
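Review bot: The `AVD-DS-0002` suppression on the `- id:` line of docker/event-received/.trivyignore.yaml has no `expired_at`, so the root-user finding on this Dockerfile is silenced permanently once accepted; Trivy's YAML ignore format takes an `expired_at` date per entry, e.g. `expired_at: <YYYY-MM-DD review-date placeholder>`, which turns the exception back into a finding on a schedule and forces a re-check. The `statement:` rests on the claim that the Lambda runtime supplies a least-privilege user; naming the AWS documentation that claim comes from in the statement would make the exception auditable, and it is worth noting that the `dev` stage of the same Dockerfile appears to be run outside Lambda via aws-lambda-rie, where that runtime guarantee may not apply. The identical file (same blob `f9ce7c43ab`) is added under lambda/create_s3_replication_job/ in a later hunk and has the same gap.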
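Review bot: The new base image on the `+FROM` line is pinned to a dated tag, `al2023.2024.10.14.12`, which is more reproducible than `al2` but is still a mutable tag; appending a digest, `FROM public.ecr.aws/lambda/provided:al2023.2024.10.14.12@sha256:<digest placeholder> AS dev`, ties the build to exactly the image the Trivy image scan saw. The same applies to the `production` stage in the next hunk of this file. The AL2 to AL2023 move is safe for the Go binary because it is built with `CGO_ENABLED=0`, but the `production` stage also runs install_lambda_insights.sh on the new base and AL2023 ships a different package manager and package set than AL2, so confirm that script still succeeds there — its contents are not in this diff.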
@@ -20,12 +20,11 @@ COPY --link docker/event-received/aws-lambda-rie ./aws-lambda-rie
 ENTRYPOINT ["./event-received"]
-FROM public.ecr.aws/lambda/provided:al2 AS production
+FROM public.ecr.aws/lambda/provided:al2023.2024.10.14.12 AS production
 WORKDIR /app
 COPY --link docker/event-received/install_lambda_insights.sh /app/
-
 RUN chmod +x /app/install_lambda_insights.sh \
 && /app/install_lambda_insights.sh "${TARGETPLATFORM}"
diff --git a/docker/mlpa/.trivyignore.yaml b/docker/mlpa/.trivyignore.yaml
new file mode 100644
index 0000000000..34b4c0887e
--- /dev/null
+++ b/docker/mlpa/.trivyignore.yaml
@@ -0,0 +1 @@
+misconfigurations:
diff --git a/docker/mock-pay/.trivyignore.yaml b/docker/mock-pay/.trivyignore.yaml
new file mode 100644
index 0000000000..34b4c0887e
--- /dev/null
+++ b/docker/mock-pay/.trivyignore.yaml
@@ -0,0 +1 @@
+misconfigurations:
diff --git a/docker/mock-pay/Dockerfile b/docker/mock-pay/Dockerfile
index e5f8e4e1c7..daef3782ad 100644
--- a/docker/mock-pay/Dockerfile
+++ b/docker/mock-pay/Dockerfile
@@ -1,2 +1,5 @@
 FROM outofcoffee/imposter:4.0.5
+
 COPY ./docker/mock-pay /opt/imposter/config/
+
+USER imposter
diff --git a/lambda/create_s3_replication_job/.trivyignore.yaml b/lambda/create_s3_replication_job/.trivyignore.yaml
new file mode 100644
index 0000000000..f9ce7c43ab
--- /dev/null
+++ b/lambda/create_s3_replication_job/.trivyignore.yaml
@@ -0,0 +1,3 @@
+misconfigurations:
+ - id: AVD-DS-0002
+ statement: Lambda creates a docker USER with least-privilege permissions.
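Review bot: The single line `+misconfigurations:` in docker/mlpa/.trivyignore.yaml has no value, so YAML parses it as `misconfigurations: null` rather than an empty list; whether Trivy tolerates a null here or rejects the ignore file is not something this diff shows, and `misconfigurations: []` states the intent (no exceptions) unambiguously. The docker/mock-pay/.trivyignore.yaml file in the next hunk is the same blob (`34b4c0887e`) and needs the same change. If these empty files exist only so that the matrix `trivyignores` path resolves for every image, a one-line comment saying so would stop someone from deleting them as dead config.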
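Review bot: `USER imposter` on the last added line of docker/mock-pay/Dockerfile switches the runtime user, but the preceding `COPY ./docker/mock-pay /opt/imposter/config/` still runs as root, so the config tree is root-owned; that is fine while Imposter only reads it, but it relies on the `outofcoffee/imposter:4.0.5` base image already defining an `imposter` user and on the copied files being world-readable, and if the user does not exist the container fails at start, so confirm both against that image. `COPY --chown=imposter:imposter ./docker/mock-pay /opt/imposter/config/` would make the ownership explicit should Imposter ever need to write there. The base image is tag-pinned like the others in this change; a `@sha256:<digest placeholder>` suffix would match the recommendation made for the Lambda images.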