diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0eb76987296..a93c26fe9e7 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -16,6 +16,16 @@ jobs: - name: Get the output response run: echo "${{ steps.lint-git-repo.outputs.lint-git-repo-response }}" + check_trivy_condition: + name: Check Trivy Condition + runs-on: ubuntu-20.04 + outputs: + run_trivy_scan: ${{ steps.set_condition_trivy_scan.outputs.run_trivy_scan }} + steps: + - name: Set Trivy Condition + id: set_condition_trivy_scan + run: echo "::set-output name=run_trivy_scan::false" # Set your condition to run trivy scan here + compute_changed_packages: outputs: cmd-api-server-changed: ${{ steps.changes.outputs.cmd-api-server-changed }} @@ -1486,7 +1496,10 @@ jobs: TAPE_TEST_PATTERN: >- --files={./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/integration/iroha-iroha-transfer-example.test.ts,./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/integration/openapi/openapi-validation.test.ts,./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/integration/run-transaction-endpoint-v1.test.ts,./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/unit/iroha-test-ledger-parameters.test.ts,./packages/cactus-plugin-ledger-connector-iroha/src/test/typescript/unit/postgres-test-container-parameters.test.ts} TAPE_TEST_RUNNER_DISABLED: false - needs: build-dev + needs: + - build-dev + - check_trivy_condition + if: needs.check_trivy_condition.outputs.run_trivy_scan == 'true' runs-on: ubuntu-20.04 steps: - name: Use Node.js ${{ env.NODEJS_VERSION }} 
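Review bot: The new `check_trivy_condition` job sets its output with `::set-output`, which GitHub Actions has deprecated in favour of the `$GITHUB_OUTPUT` file, so the step should read `run: echo "run_trivy_scan=false" >> "$GITHUB_OUTPUT"`. The value is also hard-coded to `false`, which means every job this diff gates solely on `run_trivy_scan == 'true'` (the iroha connector test job later in this hunk pair, `ghcr-example-supply-chain-app`, `ghcr-keychain-vault-server`) is skipped on every run until someone edits the workflow. If a manual switch is the intent, say so in the comment, e.g. `# Trivy scans are off by default; flip to true to enable them in this workflow`, and consider sourcing the value from a workflow input or repository variable rather than a literal.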
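Review bot: The job-level `if: needs.check_trivy_condition.outputs.run_trivy_scan == 'true'` gates the whole iroha connector test job, not only the Trivy step, so the tape tests selected by `TAPE_TEST_PATTERN` in this hunk no longer run unless the Trivy flag is on (and the first hunk sets it to `false`). The scan should be gated at step level instead: leave the job unconditional, keep `needs: [build-dev, check_trivy_condition]`, and put `if: needs.check_trivy_condition.outputs.run_trivy_scan == 'true'` on the image-build and Trivy steps. The job definition begins before this hunk, so its `name` and `env` header are not visible here.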
@@ -1494,7 +1507,17 @@ jobs: with: node-version: ${{ env.NODEJS_VERSION }} - uses: actions/checkout@v3.5.2 - + - name: Build an image from Dockerfile + run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-iroha/ -f ./packages/cactus-plugin-ledger-connector-iroha/Dockerfile -t cactus-connector-iroha + - name: Run Trivy vulnerability scan for cactus-plugin-ledger-connector-iroha + uses: aquasecurity/trivy-action@0.11.2 + with: + image-ref: 'cactus-connector-iroha' + format: 'table' + exit-code: '1' + ignore-unfixed: false + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' - id: yarn-cache name: Restore Yarn Cache uses: actions/cache@v3.3.1 @@ -1564,7 +1587,8 @@ jobs: needs: - build-dev - compute_changed_packages - if: needs.compute_changed_packages.outputs.plugin-ledger-connector-quorum-changed == 'true' + - check_trivy_condition + if: needs.compute_changed_packages.outputs.plugin-ledger-connector-quorum-changed == 'true' || needs.check_trivy_condition.outputs.run_trivy_scan == 'true' env: FULL_BUILD_DISABLED: true JEST_TEST_PATTERN: packages/cactus-plugin-ledger-connector-quorum/src/test/typescript/(unit|integration|benchmark)/.*/*.test.ts @@ -1579,7 +1603,17 @@ jobs: with: node-version: ${{ env.NODEJS_VERSION }} - uses: actions/checkout@v3.5.2 - + - name: Build an image from Dockerfile + run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-quorum/ -f ./packages/cactus-plugin-ledger-connector-quorum/Dockerfile -t cactus-connector-quorum + - name: Run Trivy vulnerability scan for cactus-plugin-ledger-connector-quorum + uses: aquasecurity/trivy-action@0.11.2 + with: + image-ref: 'cactus-connector-quorum' + format: 'table' + exit-code: '1' + ignore-unfixed: false + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' - id: yarn-cache name: Restore Yarn Cache uses: actions/cache@v3.3.1 
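Review bot: The Trivy step is inserted before `Restore Yarn Cache` and the test steps, and with `exit-code: '1'` plus `ignore-unfixed: false` any CRITICAL/HIGH finding in the base image aborts the job before a single test runs, so a CVE in a third-party base layer hides the test result for the connector. Either move the build-and-scan pair after the test steps, or scan the image in the corresponding `ghcr-*` job and keep the test job focused on tests. The same layout is added for the quorum connector in the `@@ -1579,7 +1603,17 @@` hunk. Note also that `aquasecurity/trivy-action@0.11.2` is pinned by tag, consistent with the existing scans; pinning actions by commit SHA is the stronger supply-chain control if the project adopts it.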
@@ -2056,21 +2090,13 @@ jobs: steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-besu-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile -t cactus-besu-all-in-one - - name: Run Trivy vulnerability scan for cactus-besu-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-besu-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile ghcr-cmd-api-server: runs-on: ubuntu-20.04 needs: - compute_changed_packages - if: needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true' + - check_trivy_condition + if: needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true' || needs.check_trivy_condition.outputs.run_trivy_scan == 'true' steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-cmd-api-server 
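Review bot: The Trivy scan for `cactus-besu-all-in-one` is deleted outright and the `-t cactus-besu-all-in-one` tag is dropped from the `docker build`, so this image is no longer scanned at all and the build produces only an untagged image. Nothing in the hunk replaces the scan, and the same removal is applied to corda-all-in-one-obligation and carbon-accounting (`@@ -2172` and `@@ -2204`), fabric-all-in-one, fabric2-all-in-one and iroha-all-in-one (`@@ -2234`), and quorum-all-in-one, quorum-multi-party-all-in-one, rust-compiler, test-npm-registry and whitepaper (`@@ -2294`). If the intent is to stop scanning the all-in-one/test images because their findings are not actionable, that decision belongs in a comment above each job, e.g. `# Trivy scan intentionally removed: image is a test fixture, findings are tracked in <PLACEHOLDER issue id>`; otherwise gate the scan with `if: needs.check_trivy_condition.outputs.run_trivy_scan == 'true'` rather than removing it.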
@@ -2081,70 +2107,72 @@ jobs: image-ref: 'cactus-cmd-api-server' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-connector-besu: needs: - compute_changed_packages - if: needs.compute_changed_packages.outputs.plugin-ledger-connector-besu-changed == 'true' + - check_trivy_condition + if: needs.compute_changed_packages.outputs.plugin-ledger-connector-besu-changed == 'true' || needs.check_trivy_condition.outputs.run_trivy_scan == 'true' runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-connector-besu run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu/ -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-connector-besu - - name: Run Trivy vulnerability scan for cactus-connector-besu + - name: Run Trivy vulnerability scan for cactus-connector-plugin-ledger-besu uses: aquasecurity/trivy-action@0.11.2 with: image-ref: 'cactus-connector-besu' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-connector-corda-server: runs-on: ubuntu-20.04 needs: - compute_changed_packages - if: needs.compute_changed_packages.outputs.plugin-ledger-connector-corda-changed == 'true' - + - check_trivy_condition + if: needs.compute_changed_packages.outputs.plugin-ledger-connector-corda-changed == 'true' || needs.check_trivy_condition.outputs.run_trivy_scan == 'true' steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-connector-corda-server run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-corda/src/main-server/ -f ./packages/cactus-plugin-ledger-connector-corda/src/main-server/Dockerfile -t cactus-connector-corda-server - - name: Run Trivy vulnerability scan for cactus-connector-corda-server + - name: Run Trivy vulnerability scan for plugin-ledger-connector-corda uses: 
aquasecurity/trivy-action@0.11.2 with: image-ref: 'cactus-connector-corda-server' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-connector-fabric: runs-on: ubuntu-20.04 needs: - compute_changed_packages - if: needs.compute_changed_packages.outputs.plugin-ledger-connector-fabric-changed == 'true' - + - check_trivy_condition + if: needs.compute_changed_packages.outputs.plugin-ledger-connector-fabric-changed == 'true' || needs.check_trivy_condition.outputs.run_trivy_scan == 'true' steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-connector-fabric run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-fabric/ -f ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile -t cactus-connector-fabric - - name: Run Trivy vulnerability scan for cactus-connector-fabric + - name: Run Trivy vulnerability scan for cactus-plugin-ledger-connector-fabric uses: aquasecurity/trivy-action@0.11.2 with: image-ref: 'cactus-connector-fabric' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-corda-all-in-one: runs-on: ubuntu-20.04 needs: - compute_changed_packages - if: needs.compute_changed_packages.outputs.ghcr-corda-all-in-one-changed == 'true' + - check_trivy_condition + if: needs.compute_changed_packages.outputs.ghcr-corda-all-in-one-changed == 'true' || needs.check_trivy_condition.outputs.run_trivy_scan == 'true' steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-corda-all-in-one @@ -2155,7 +2183,7 @@ jobs: image-ref: 'cactus-corda-all-in-one' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-corda-all-in-one-flowdb: 
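Review bot: The renamed step titles use three different word orders — `cactus-connector-plugin-ledger-besu`, `plugin-ledger-connector-corda`, `cactus-plugin-ledger-connector-fabric` — none of which matches the package directory names used in the `docker build` lines (`cactus-plugin-ledger-connector-<ledger>`); `- name: Run Trivy vulnerability scan for cactus-plugin-ledger-connector-besu` (and likewise for corda) keeps them greppable against the package names. Flipping `ignore-unfixed` from `true` to `false` while `exit-code: '1'` stays means a CRITICAL/HIGH CVE with no upstream fix now fails the image job; that is a reasonable hardening, but it is applied here and in the `@@ -2155,7 +2183,7 @@` hunk without explanation, so a comment above the `with:` block such as `# fail on unfixed CVEs too; base-image findings must be tracked rather than ignored` would record the policy for whoever hits the first red build.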
@@ -2172,16 +2200,7 @@ jobs: steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-corda-all-in-one-obligation - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile -t cactus-corda-all-in-one-obligation - - name: Run Trivy vulnerability scan for cactus-corda-all-in-one-obligation - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-corda-all-in-one-obligation' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile ghcr-dev-container-vscode: runs-on: ubuntu-20.04 needs: @@ -2204,18 +2223,11 @@ jobs: steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-example-carbon-accounting - run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting - - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-example-carbon-accounting' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile ghcr-example-supply-chain-app: runs-on: ubuntu-20.04 + needs: check_trivy_condition + if: needs.check_trivy_condition.outputs.run_trivy_scan == 'true' steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-example-supply-chain-app 
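Review bot: Adding `needs: check_trivy_condition` and `if: needs.check_trivy_condition.outputs.run_trivy_scan == 'true'` to `ghcr-example-supply-chain-app` turns an unconditional image build into one that only runs when the Trivy flag is `true`, which the first hunk hard-codes to `false`, so the supply-chain-app image will silently stop being built in CI. The condition belongs on the Trivy step, not the job: drop the job-level `if`, keep the `needs`, and add `if: needs.check_trivy_condition.outputs.run_trivy_scan == 'true'` to the scan step. The same job-level gate is added to `ghcr-keychain-vault-server` in the next hunk.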
@@ -2234,59 +2246,34 @@ jobs: steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-fabric-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x -t cactus-fabric-all-in-one - - name: Run Trivy vulnerability scan for cactus-fabric-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-fabric-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x ghcr-fabric2-all-in-one: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-fabric2-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x -t cactus-fabric2-all-in-one - - name: Run Trivy vulnerability scan for cactus-fabric2-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-fabric2-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x ghcr-iroha-all-in-one: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-iroha-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/iroha-all-in-one/ -f ./tools/docker/iroha-all-in-one/Dockerfile -t cactus-iroha-all-in-one - - name: Run Trivy vulnerability scan for cactus-iroha-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-iroha-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/iroha-all-in-one/ -f 
./tools/docker/iroha-all-in-one/Dockerfile ghcr-keychain-vault-server: runs-on: ubuntu-20.04 + needs: check_trivy_condition + if: needs.check_trivy_condition.outputs.run_trivy_scan == 'true' steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-keychain-vault-server run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/ -f ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile -t cactus-keychain-vault-server - - name: Run Trivy vulnerability scan for cactus-keychain-vault-server + - name: Run Trivy vulnerability scan for cactus-plugin-keychain-vault-server uses: aquasecurity/trivy-action@0.11.2 with: image-ref: 'cactus-keychain-vault-server' format: 'table' exit-code: '1' - ignore-unfixed: true + ignore-unfixed: false vuln-type: 'os,library' severity: 'CRITICAL,HIGH' ghcr-quorum-all-in-one: 
@@ -2294,76 +2281,31 @@ jobs: steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-quorum-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile -t cactus-quorum-all-in-one - - name: Run Trivy vulnerability scan for cactus-quorum-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-quorum-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile ghcr-quorum-multi-party-all-in-one: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-quorum-multi-party-all-in-one - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-multi-party-all-in-one/ -f ./tools/docker/quorum-multi-party-all-in-one/Dockerfile -t cactus-quorum-multi-party-all-in-one - - name: Run Trivy vulnerability scan for cactus-quorum-multi-party-all-in-one - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-quorum-multi-party-all-in-one' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-multi-party-all-in-one/ -f ./tools/docker/quorum-multi-party-all-in-one/Dockerfile ghcr-rust-compiler: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-rust-compiler - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/rust-compiler/ -f ./tools/docker/rust-compiler/Dockerfile -t cactus-rust-compiler - - name: Run Trivy vulnerability scan for cactus-rust-compiler - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-rust-compiler' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker 
build ./tools/docker/rust-compiler/ -f ./tools/docker/rust-compiler/Dockerfile ghcr-test-npm-registry: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-test-npm-registry - run: DOCKER_BUILDKIT=1 docker build ./tools/docker/test-npm-registry/ -f ./tools/docker/test-npm-registry/Dockerfile -t cactus-test-npm-registry - - name: Run Trivy vulnerability scan for cactus-test-npm-registry - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-test-npm-registry' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./tools/docker/test-npm-registry/ -f ./tools/docker/test-npm-registry/Dockerfile ghcr-whitepaper: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3.5.2 - name: ghcr.io/hyperledger/cactus-whitepaper - run: DOCKER_BUILDKIT=1 docker build ./whitepaper/ -f ./whitepaper/Dockerfile -t cactus-whitepaper - - name: Run Trivy vulnerability scan for cactus-whitepaper - uses: aquasecurity/trivy-action@0.11.2 - with: - image-ref: 'cactus-whitepaper' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + run: DOCKER_BUILDKIT=1 docker build ./whitepaper/ -f ./whitepaper/Dockerfile name: Cactus_CI 'on': pull_request: