Skip to content

Commit

Permalink
docs(devcontainer): add trivy and its VSCode Extension
Browse files Browse the repository at this point in the history 
Primary Changes
1) updated trivy version in the .devcontainer file and included trivy vs-code extension
2) updated trivy version in ci.yaml

Changes required to incorporate 1)
3) included trivy vs-code extension in the .vscode/extensions.json file

Fixes #2650

Signed-off-by: ashnashahgrover <as19@williams.edu>
  • Loading branch information
@ashnashahgrover
ashnashahgrover committed Aug 5, 2024
1 parent fdce6b3 commit bbca40d
Show file tree
Hide file tree
Showing 3 changed files with 90 additions and 6 deletions.
5 changes: 3 additions & 2 deletions .devcontainer/devcontainer.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@
"version": "v3.20.3"
},
"ghcr.io/dhoeric/features/trivy:1.0.0": {
"version": "0.49.1"
"version": "0.52.1"
}
},
"customizations": {
Expand All @@ -62,7 +62,8 @@
"eamodio.gitlens",
"streetsidesoftware.code-spell-checker",
"github.vscode-pull-request-github",
"codeandstuff.package-json-upgrade"
"codeandstuff.package-json-upgrade",
"AquaSecurityOfficial.trivy-vulnerability-scanner"
]
}
},
Expand Down
88 changes: 85 additions & 3 deletions .github/workflows/ci.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1974,7 +1974,21 @@ jobs:
uses: actions/upload-artifact@v4.3.3
with:
name: coverage-reports-31
path: ./code-coverage-ts/**/
path: ./code-coverage-ts/**/
node-version: ${{ env.NODEJS_VERSION }}
- uses: actions/checkout@v4.1.1
- name: Build an image from Dockerfile
run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-plugin-ledger-connector-quorum/Dockerfile -t plugin-ledger-connector-quorum
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for plugin-ledger-connector-quorum
uses: aquasecurity/trivy-action@0.52.1
with:
image-ref: 'plugin-ledger-connector-quorum'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
cplc-sawtooth:
continue-on-error: false
env:
Expand Down Expand Up @@ -2564,6 +2578,44 @@ jobs:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-besu-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile
ghcr-cmd-api-server:
runs-on: ubuntu-22.04
needs:
- compute_changed_packages
if: needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true'
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-cmd-api-server
run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-cmd-api-server/Dockerfile -t cactus-cmd-api-server
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-cmd-api-server
uses: aquasecurity/trivy-action@0.52.1
with:
image-ref: 'cactus-cmd-api-server'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-besu:
needs:
- compute_changed_packages
if: needs.compute_changed_packages.outputs.plugin-ledger-connector-besu-changed == 'true'
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-connector-besu
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu/ -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-connector-besu
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-connector-besu
uses: aquasecurity/trivy-action@0.52.1
with:
image-ref: 'cactus-connector-besu'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-corda-server:
runs-on: ubuntu-22.04
needs:
Expand All @@ -2576,14 +2628,44 @@ jobs:
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-corda/src/main-server/ -f ./packages/cactus-plugin-ledger-connector-corda/src/main-server/Dockerfile -t cactus-connector-corda-server
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-connector-corda-server
uses: aquasecurity/trivy-action@0.19.0
uses: aquasecurity/trivy-action@0.52.1
with:
image-ref: 'cactus-connector-corda-server'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-connector-fabric:
runs-on: ubuntu-22.04
needs:
- compute_changed_packages
if: needs.compute_changed_packages.outputs.plugin-ledger-connector-fabric-changed == 'true'

steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-connector-fabric
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-fabric/ -f ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile -t cactus-connector-fabric
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-connector-fabric
uses: aquasecurity/trivy-action@0.52.1
with:
image-ref: 'cactus-connector-fabric'
format: 'table'
exit-code: '1'
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
ghcr-corda-all-in-one:
runs-on: ubuntu-22.04
needs:
- compute_changed_packages
if: needs.compute_changed_packages.outputs.ghcr-corda-all-in-one-changed == 'true'

Check failure on line 2663 in .github/workflows/ci.yaml

View workflow job for this annotation

GitHub Actions / ActionLint / Lint_GitHub_Actions 

property "ghcr-corda-all-in-one-changed" is not defined in object type {cmd-api-server-changed: string; ghcr-dev-container-vscode-changed: string; plugin-htlc-coordinator-besu-changed: string; plugin-ledger-connector-aries-changed: string; plugin-ledger-connector-besu-changed: string; plugin-ledger-connector-corda-changed: string; plugin-ledger-connector-ethereum-changed: string; plugin-ledger-connector-fabric-changed: string; plugin-ledger-connector-iroha2-changed: string; plugin-ledger-connector-polkadot-changed: string; plugin-ledger-connector-stellar-changed: string; test-tooling-changed: string}
steps:
- uses: actions/checkout@v4.1.1
- name: ghcr.io/hyperledger/cactus-corda-all-in-one
run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/Dockerfile

ghcr-corda-all-in-one-flowdb:
runs-on: ubuntu-22.04
steps:
Expand Down Expand Up @@ -2637,7 +2719,7 @@ jobs:
run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/ -f ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile -t cactus-keychain-vault-server
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
name: Run Trivy vulnerability scan for cactus-keychain-vault-server
uses: aquasecurity/trivy-action@0.19.0
uses: aquasecurity/trivy-action@0.52.1
with:
image-ref: 'cactus-keychain-vault-server'
format: 'table'
Expand Down
3 changes: 2 additions & 1 deletion .vscode/extensions.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
"eamodio.gitlens",
"streetsidesoftware.code-spell-checker",
"github.vscode-pull-request-github",
"codeandstuff.package-json-upgrade"
"codeandstuff.package-json-upgrade",
"AquaSecurityOfficial.trivy-vulnerability-scanner"
]
}

0 comments on commit bbca40d

Please sign in to comment.