Skip to content

Commit

Permalink
Merge pull request #123 from kaleido-io/vuln-check
Browse files Browse the repository at this point in the history
adding high/critical severity vuln checks
  • Loading branch information
peterbroadhurst authored May 13, 2024
2 parents 9578869 + e99567b commit 65de030
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 0 deletions.
3 changes: 3 additions & 0 deletions .trivyignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# not relevant to the way grpc is used in fabconnect
# see https://github.com/hyperledger/firefly-fabconnect/pull/123#discussion_r1543748524
GHSA-m425-mq94-257g
9 changes: 9 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,19 @@ RUN mkdir /.cache \
&& chmod -R g+rwX /.cache
RUN make

FROM alpine:3.19 AS SBOM
WORKDIR /
COPY . /SBOM
RUN apk add --no-cache curl
RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.3
RUN trivy fs --format spdx-json --output /sbom.spdx.json /SBOM
RUN trivy sbom /sbom.spdx.json --severity UNKNOWN,HIGH,CRITICAL --exit-code 1 --ignorefile /SBOM/.trivyignore

FROM alpine:3.19
RUN apk add curl
WORKDIR /fabconnect
COPY --from=fabconnect-builder /fabconnect/fabconnect ./
ADD ./openapi ./openapi/
RUN ln -s /fabconnect/fabconnect /usr/bin/fabconnect
COPY --from=SBOM /sbom.spdx.json /sbom.spdx.json
ENTRYPOINT [ "fabconnect" ]

0 comments on commit 65de030

Please sign in to comment.