diff --git a/.github/workflows/docker-vulnerabilities.yaml b/.github/workflows/docker-vulnerabilities.yaml
new file mode 100644
index 0000000..fdd5c69
--- /dev/null
+++ b/.github/workflows/docker-vulnerabilities.yaml
@@ -0,0 +1,85 @@
+name: DockerVulnerabilities
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ schedule:
+ # At the end of every day
+ - cron: "0 0 * * *"
+
+jobs:
+ docker-analysis:
+ name: Trivy analysis for Docker image
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: step-security/harden-runner@v2
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ auth.docker.io:443
+ dl-cdn.alpinelinux.org:443
+ files.pythonhosted.org:443
+ ghcr.io:443
+ github.com:443
+ objects.githubusercontent.com:443
+ production.cloudflare.docker.com:443
+ pypi.org:443
+ registry-1.docker.io:443
+
+ - uses: actions/checkout@v4
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ id: buildx
+
+ - name: Cache Docker layers
+ uses: actions/cache@v3
+ with:
+ path: /tmp/.buildx-cache
+ key: ${{ runner.os }}-buildx-v1.0-ethereum-contracts-${{ github.sha }}
+ restore-keys: |
+ ${{ runner.os }}-buildx-v1.0-ethereum-contracts
+
+ - name: Build and load
+ run: |
+ docker buildx bake \
+ --set "*.cache-from=type=local,src=/tmp/.buildx-cache" \
+ --set "*.cache-to=type=local,dest=/tmp/.buildx-cache-new" \
+ --set "*.platform=linux/amd64" \
+ --builder ${{ steps.buildx.outputs.name }} \
+ -f docker-compose.yml \
+ --load \
+ cli
+ env:
+ DOCKER_TAG: analysis-latest
+
+ - name: Scan vulnerabilities ethereum node image
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
+ with:
+ image-ref: 'pantosio/client-cli:analysis-latest'
+ format: 'sarif'
+ output: 'trivy-pantos-client-cli-results.sarif'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results for ethereum node to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ category: 'pantos-client-cli'
+ sarif_file: 'trivy-pantos-client-cli-results.sarif'
+
+ - name: Move cache
+ if: always()
+ run: |
+ rm -rf /tmp/.buildx-cache
+ mv 
/tmp/.buildx-cache-new /tmp/.buildx-cache
+
+
+
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..398c169
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,16 @@
+name: cli
+
+services:
+ cli:
+ image: pantosio/client-cli:latest
+ build:
+ context: .
+ dockerfile: Dockerfile
+ target: production
+ x-bake:
+ tags:
+ - ${DOCKER_REGISTRY-pantosio}/client-cli:${DOCKER_TAG-local}
+ - ${DOCKER_REGISTRY-pantosio}/client-cli:${EXTRA_TAG-local}
+ environment:
+ - environment=testnet
+ command: ["--help"]
\ No newline at end of file
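Review bot: Every action except trivy-action is referenced by a mutable major tag (`step-security/harden-runner@v2`, `actions/checkout@v4`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `actions/cache@v3`, `github/codeql-action/upload-sarif@v3`), so a moved or compromised tag would run unreviewed code in this job even though the trivy step is already pinned to a full commit SHA with a version comment; pin the others the same way. The workflow also declares no `permissions:` block, so it runs with the repository's default token scope, while upload-sarif needs `security-events: write` and nothing here needs more than `contents: read` — add a top-level `permissions:` with `contents: read` and `security-events: write` (also a sensible place to rely on the harden-runner egress allowlist already being block-by-default). Without `exit-code: '1'` on the trivy step the job stays green on CRITICAL/HIGH findings; if report-only via the Security tab is the intent, a comment such as `# report-only: findings surface in the Security tab, they do not fail the job` would stop the next reader assuming this gates merges. The step names and cache key say "ethereum node"/"ethereum-contracts" while the image scanned is `pantosio/client-cli`, which reads like a copy-paste leftover worth renaming.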
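Review bot: The bake tags use `${DOCKER_TAG-local}` and `${EXTRA_TAG-local}`, which fall back to the default only when the variable is unset, so a caller that exports an empty `DOCKER_TAG` produces the malformed reference `pantosio/client-cli:` instead of `:local`; use the `:-` form, `${DOCKER_REGISTRY:-pantosio}/client-cli:${DOCKER_TAG:-local}` and likewise for `EXTRA_TAG`, so empty and unset both default. As written, a build that sets only `DOCKER_TAG` (as the workflow in this commit does) still tags the image `local` via the second entry, which is presumably unintended and worth a comment or a guard if the `local` tag ever gets pushed. Separately, `image: pantosio/client-cli:latest` is a mutable tag, so any `docker compose up` that pulls instead of building gets whatever currently sits under `latest`; if that is acceptable for a dev-only compose file, say so in a comment above the `image:` line.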