hyperledger / besu

An enterprise-grade Java-based, Apache 2.0 licensed Ethereum client https://wiki.hyperledger.org/display/besu
https://www.hyperledger.org/projects/besu
Apache License 2.0

GHA workflow for dockerscan #7154

Closed macfarla closed 3 weeks ago

macfarla commented 1 month ago

currently still running in CI https://app.circleci.com/pipelines/github/hyperledger/besu/27763/workflows/fc96d628-5928-4bb0-ae50-b37b96b7ce57

from config.yml

  dockerScan:
    executor: trivy_executor
    steps:
      - checkout
      - restore_gradle_cache
      - setup_remote_docker:
          docker_layer_caching: true
      - run:
          name: Install trivy
          command: |
            apk add --update-cache --upgrade curl bash
            curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
      - run:
          name: Scan with trivy
          shell: /bin/sh
          command: |
            for FILE in $(ls docker)
            do
              # POSIX test, since the step runs under /bin/sh rather than bash
              if [ "$FILE" = "test.sh" ] || [ "$FILE" = "tests" ]; then
                continue
              fi
              docker pull -q "hyperledger/besu:develop-$FILE"
              trivy -q image --exit-code 1 --no-progress --severity HIGH,CRITICAL "hyperledger/besu:develop-$FILE"
            done
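As an added example, not the project's own workflow and not part of this issue, here is a GitHub Actions equivalent of the CircleCI dockerScan job above. The image tag scheme `hyperledger/besu:develop-<variant>`, the skip list (`test.sh`, `tests`) and the HIGH/CRITICAL gate come from the config above; the job names `variants` and `scan`, the daily schedule, the `actions/checkout` and `aquasecurity/trivy-action` steps and the `jq` matrix construction are assumptions of mine.

```yaml
# Added example: GitHub Actions version of the CircleCI dockerScan job.
# Assumed names: jobs 'variants' and 'scan', the cron schedule, and the
# use of aquasecurity/trivy-action. Everything else mirrors the CircleCI job.
name: docker-scan

on:
  schedule:
    - cron: "0 4 * * *"   # daily, so newly published CVEs are caught without a code change
  workflow_dispatch:

# Least privilege: the job only needs to read the repository to list docker/.
permissions:
  contents: read

jobs:
  # Build the matrix from the docker/ directory, exactly like `ls docker`
  # in the CircleCI job, so variant names are never hard-coded here.
  variants:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.list.outputs.matrix }}
    steps:
      - uses: actions/checkout@v4
      - id: list
        run: |
          # Every entry of docker/ except test.sh and tests, emitted as a JSON array
          MATRIX=$(ls docker | grep -v -x -e test.sh -e tests \
            | jq -R -s -c 'split("\n") | map(select(length > 0))')
          echo "matrix=$MATRIX" >> "$GITHUB_OUTPUT"

  scan:
    needs: variants
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false          # scan every variant even if one of them fails the gate
      matrix:
        variant: ${{ fromJSON(needs.variants.outputs.matrix) }}
    steps:
      - name: Scan hyperledger/besu:develop-${{ matrix.variant }} with trivy
        # In practice pin this action to a release tag or commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          # trivy pulls the image from the registry itself; no docker pull step needed
          image-ref: "hyperledger/besu:develop-${{ matrix.variant }}"
          exit-code: "1"                 # fail the job on findings, as --exit-code 1 did
          severity: "HIGH,CRITICAL"      # same gate as the CircleCI job
          ignore-unfixed: true           # only report findings that have a fixed version
```

Splitting the work into a matrix gives one job per image variant, so a failing scan names the variant directly in the run summary instead of stopping a single loop at the first failure.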