diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index d2aa1f1808b..f240cf6def5 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,6 +1,7 @@ --- env: NODEJS_VERSION: v18.18.2 + RUN_TRIVY_SCAN: false jobs: ActionLint: uses: ./.github/workflows/actionlint.yaml @@ -1533,7 +1534,7 @@ jobs: with: node-version: ${{ env.NODEJS_VERSION }} - uses: actions/checkout@v4.1.1 - + - id: yarn-cache name: Restore Yarn Cache uses: actions/cache@v4.0.1 @@ -1543,6 +1544,19 @@ jobs: restore-keys: | ${{ runner.os }}-yarn-${{ hashFiles('./yarn.lock') }} - run: ./tools/ci.sh + + - name: Build an image from Dockerfile + run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-plugin-ledger-connector-iroha/Dockerfile -t plugin-ledger-connector-iroha + - if: ${{ env.RUN_TRIVY_SCAN == 'true' }} + name: Run Trivy vulnerability scan for plugin-ledger-connector-iroha + uses: aquasecurity/trivy-action@master + with: + image-ref: 'plugin-ledger-connector-iroha' + format: 'table' + exit-code: '1' + ignore-unfixed: false + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' cactus-plugin-ledger-connector-iroha2: continue-on-error: false needs: @@ -1618,7 +1632,7 @@ jobs: with: node-version: ${{ env.NODEJS_VERSION }} - uses: actions/checkout@v4.1.1 - + - id: yarn-cache name: Restore Yarn Cache uses: actions/cache@v4.0.1 @@ -1628,6 +1642,19 @@ jobs: restore-keys: | ${{ runner.os }}-yarn-${{ hashFiles('./yarn.lock') }} - run: ./tools/ci.sh + + - name: Build an image from Dockerfile + run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-plugin-ledger-connector-quorum/Dockerfile -t plugin-ledger-connector-quorum + - if: ${{ env.RUN_TRIVY_SCAN == 'true' }} + name: Run Trivy vulnerability scan for plugin-ledger-connector-quorum + uses: aquasecurity/trivy-action@master + with: + image-ref: 'plugin-ledger-connector-quorum' + format: 'table' + exit-code: '1' + ignore-unfixed: false + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' cactus-plugin-ledger-connector-sawtooth: continue-on-error: false env: @@ -1970,7 +1997,7 @@ jobs: with: node-version: ${{ env.NODEJS_VERSION }} - uses: actions/checkout@v4.1.1 - + - id: yarn-cache name: Restore Yarn Cache uses: actions/cache@v4.0.1 @@ -2095,16 +2122,7 @@ jobs: steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-besu-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile -t cactus-besu-all-in-one - - name: Run Trivy vulnerability scan for cactus-besu-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-besu-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile ghcr-cmd-api-server: runs-on: ubuntu-22.04 needs: @@ -2114,13 +2132,14 @@ jobs: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-cmd-api-server run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-cmd-api-server/Dockerfile -t cactus-cmd-api-server - - name: Run Trivy vulnerability scan for cactus-cmd-api-server - uses: aquasecurity/trivy-action@0.11.2 + - if: ${{ env.RUN_TRIVY_SCAN == 'true' }} + name: Run Trivy vulnerability scan for cactus-cmd-api-server + uses: aquasecurity/trivy-action@master with: image-ref: 'cactus-cmd-api-server' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-connector-besu: @@ -2132,13 +2151,14 @@ jobs: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-connector-besu run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu/ -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-connector-besu - - name: Run Trivy vulnerability scan for cactus-connector-besu - uses: aquasecurity/trivy-action@0.11.2 + - if: ${{ env.RUN_TRIVY_SCAN == 'true' }} + name: Run Trivy vulnerability scan for cactus-connector-besu + uses: aquasecurity/trivy-action@master with: image-ref: 'cactus-connector-besu' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-connector-corda-server: @@ -2151,13 +2171,14 @@ jobs: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-connector-corda-server run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-corda/src/main-server/ -f ./packages/cactus-plugin-ledger-connector-corda/src/main-server/Dockerfile -t cactus-connector-corda-server - - name: Run Trivy vulnerability scan for cactus-connector-corda-server - uses: aquasecurity/trivy-action@0.11.2 + - if: ${{ env.RUN_TRIVY_SCAN == 'true' }} + name: Run Trivy vulnerability scan for cactus-connector-corda-server + uses: aquasecurity/trivy-action@master with: image-ref: 'cactus-connector-corda-server' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-connector-fabric: @@ -2170,13 +2191,14 @@ jobs: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-connector-fabric run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-fabric/ -f ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile -t cactus-connector-fabric - - name: Run Trivy vulnerability scan for cactus-connector-fabric - uses: aquasecurity/trivy-action@0.11.2 + - if: ${{ env.RUN_TRIVY_SCAN == 'true' }} + name: Run Trivy vulnerability scan for cactus-connector-fabric + uses: aquasecurity/trivy-action@master with: image-ref: 'cactus-connector-fabric' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-corda-all-in-one: @@ -2187,16 +2209,8 @@ jobs: steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-corda-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/Dockerfile -t cactus-corda-all-in-one - - name: Run Trivy vulnerability scan for cactus-corda-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-corda-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/Dockerfile + ghcr-corda-all-in-one-flowdb: runs-on: ubuntu-22.04 steps: @@ -2212,15 +2226,7 @@ jobs: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-corda-all-in-one-obligation run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile -t cactus-corda-all-in-one-obligation - - name: Run Trivy vulnerability scan for cactus-corda-all-in-one-obligation - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-corda-all-in-one-obligation' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + ghcr-dev-container-vscode: runs-on: ubuntu-22.04 needs: @@ -2243,89 +2249,50 @@ jobs: steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-example-carbon-accounting - run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting - - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-example-carbon-accounting' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile + ghcr-example-supply-chain-app: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-example-supply-chain-app run: DOCKER_BUILDKIT=1 docker build . -f ./examples/cactus-example-supply-chain-backend/Dockerfile -t cactus-example-supply-chain-app - - name: Run Trivy vulnerability scan for cactus-example-supply-chain-app - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-example-supply-chain-app' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + ghcr-fabric-all-in-one: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-fabric-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x -t cactus-fabric-all-in-one - - name: Run Trivy vulnerability scan for cactus-fabric-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-fabric-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x + ghcr-fabric2-all-in-one: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-fabric2-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x -t cactus-fabric2-all-in-one - - name: Run Trivy vulnerability scan for cactus-fabric2-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-fabric2-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x + ghcr-iroha-all-in-one: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-iroha-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/iroha-all-in-one/ -f ./tools/docker/iroha-all-in-one/Dockerfile -t cactus-iroha-all-in-one - - name: Run Trivy vulnerability scan for cactus-iroha-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-iroha-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/iroha-all-in-one/ -f ./tools/docker/iroha-all-in-one/Dockerfile + ghcr-keychain-vault-server: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-keychain-vault-server run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/ -f ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile -t cactus-keychain-vault-server - - name: Run Trivy vulnerability scan for cactus-keychain-vault-server - uses: aquasecurity/trivy-action@0.11.2 + - if: ${{ env.RUN_TRIVY_SCAN == 'true' }} + name: Run Trivy vulnerability scan for cactus-keychain-vault-server + uses: aquasecurity/trivy-action@master with: image-ref: 'cactus-keychain-vault-server' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-quorum-all-in-one: @@ -2333,31 +2300,15 @@ jobs: steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-quorum-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile -t cactus-quorum-all-in-one - - name: Run Trivy vulnerability scan for cactus-quorum-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-quorum-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile + ghcr-quorum-multi-party-all-in-one: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4.1.1 - name: ghcr.io/hyperledger/cactus-quorum-multi-party-all-in-one run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-multi-party-all-in-one/ -f ./tools/docker/quorum-multi-party-all-in-one/Dockerfile -t cactus-quorum-multi-party-all-in-one - - name: Run Trivy vulnerability scan for cactus-quorum-multi-party-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-quorum-multi-party-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + name: Cactus_CI 'on': pull_request: @@ -2368,4 +2319,4 @@ name: Cactus_CI push: branches: - main - - dev + - dev \ No newline at end of file