ci: add container scanning to default checks

Fixes hyperledger-cacti#1876 Signed-off-by: zondervancalvez <[email protected]>
zondervancalvez · May 6, 2022 · 67b509e · 67b509e
1 parent 276f02e
commit 67b509e
Show file tree

Hide file tree

Showing 2 changed files with 143 additions and 0 deletions.
diff --git a/.github/containerscan/allowedlist.yaml b/.github/containerscan/allowedlist.yaml
@@ -0,0 +1,24 @@
+general:
+  vulnerabilities:
+    - CVE-2003-1307
+    - CVE-2007-0086
+    - CVE-2019-3462
+    - CVE-2011-3374
+    - CVE-2022-24771
+    - CVE-2022-24772
+    - CVE-2021-32803
+    - CVE-2021-32804
+    - CVE-2021-37701
+    - CVE-2021-37712
+    - CVE-2021-37713
+    - CVE-2019-10773
+    - CVE-2020-8131
+    - CVE-2021-43138 
+  bestPracticeViolations:
+    - DKL-LI-0003
+    - CIS-DI-0006
+    - DKL-DI-0006
+    - CIS-DI-0010 
+    - CIS-DI-0001
+    - DKL-DI-0005
+    - CIS-DI-0008 
diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml
@@ -0,0 +1,119 @@
+name: azure-container-image-scan
+
+on:
+  push:
+    # Publish `main` as Docker `latest` image.
+    branches:
+      - main
+
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+
+jobs:
+ build-secure-and-push:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+      env:
+          # (Required) The token to use to make API calls to GitHub.
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+    - uses: actions/checkout@v1
+    - name: Login to DockerHub Registry
+      run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-besu-all-in-one
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-whitepaper
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    - uses: Azure/[email protected]
+      with:
+        image-name: cactus-cmd-api-server
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-connector-fabric
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-connector-corda-server
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-connector-besu
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: corda-4-6-all-in-one-obligation
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-corda-4-7-all-in-one-obligation
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: corda-4-8-all-in-one-obligation-publish
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-dev-container-vscode
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-example-carbon-accounting
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-example-supply-chain-app
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-fabric-all-in-one
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-fabric2-all-in-one
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-iroha-all-in-one
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-keychain-vault-server
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-quorum-all-in-one
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-rust-compiler
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    # - uses: Azure/[email protected]
+    #   with:
+    #     image-name: cactus-test-npm-registry
+    #     run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin