chore: add trivy check on docker images #1
Workflow file for this run
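# Reusable CI workflow (entered via workflow_call from a caller workflow):
# commit-message lint, build, lint, Trivy filesystem and image scans, tests.
name: Build & Test (CI)

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      node-version:
        description: 'Node.js version to use'
        type: string
        # Quoted on purpose: an unquoted version string may be read as a number.
        default: '22.1.0'

# Least privilege for GITHUB_TOKEN: no job in this workflow writes to the
# repository. A called workflow can only narrow the caller's permissions,
# never widen them.
permissions:
  contents: read

jobs:
  commit-lint:
    name: Commit Lint
    runs-on: ubuntu-latest
    # The base/head SHAs used below exist only on pull_request events.
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history so commitlint can walk the base..head range.
          fetch-depth: 0
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ inputs.node-version }}
          cache: 'npm'
      # setup-node already caches the npm download cache; this step additionally
      # caches node_modules so the install is skipped on an exact lockfile hit.
      - name: Cache dependencies
        uses: actions/cache@v3
        id: node-modules-cache
        with:
          path: '**/node_modules'
          key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-modules-
      - name: Install dependencies
        if: steps.node-modules-cache.outputs.cache-hit != 'true'
        run: npm ci
      - name: Validate PR commits with commitlint
        run: npx commitlint --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose

  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ inputs.node-version }}
          cache: 'npm'
      # node_modules cache keyed on the lockfile; see commit-lint for rationale.
      - name: Cache dependencies
        uses: actions/cache@v3
        id: node-modules-cache
        with:
          path: '**/node_modules'
          key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-modules-
      - name: Install dependencies
        if: steps.node-modules-cache.outputs.cache-hit != 'true'
        run: npm ci
      - name: Build
        run: npm run build

  lint:
    name: Run lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ inputs.node-version }}
          cache: 'npm'
      # node_modules cache keyed on the lockfile; see commit-lint for rationale.
      - name: Cache dependencies
        uses: actions/cache@v3
        id: node-modules-cache
        with:
          path: '**/node_modules'
          key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-modules-
      - name: Install dependencies
        if: steps.node-modules-cache.outputs.cache-hit != 'true'
        run: npm ci
      - name: Lint
        run: npm run lint

  trivy-scan:
    name: Security - Trivy Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ inputs.node-version }}
          cache: 'npm'
      # Installed node_modules are part of what the filesystem scan inspects.
      - name: Cache dependencies
        uses: actions/cache@v3
        id: node-modules-cache
        with:
          path: '**/node_modules'
          key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-modules-
      - name: Install dependencies
        if: steps.node-modules-cache.outputs.cache-hit != 'true'
        run: npm ci
      - name: Run Trivy vulnerability scanner (Filesystem)
        # TODO(review): pin to a release tag or full commit SHA. A mutable
        # branch ref lets upstream changes land in this pipeline unreviewed.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'table'
          severity: 'CRITICAL,HIGH'
          # Non-zero exit fails the job on any finding at the severities above.
          exit-code: '1'
          ignore-unfixed: true
          scanners: 'vuln'  # Only scan for vulnerabilities, not secrets

  trivy-image-scan:
    name: Security - Docker Image Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          # Build only: the image is loaded into the runner's local daemon for
          # scanning and never pushed to a registry.
          push: false
          load: true
          tags: advanced-wallet-manager:pr-${{ github.event.pull_request.number || 'test' }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Run Trivy vulnerability scanner (Docker Image)
        # TODO(review): pin to a release tag or full commit SHA, as for the
        # filesystem scan above.
        uses: aquasecurity/trivy-action@master
        with:
          # Double-quoted: the expression's own 'test' quotes would terminate a
          # single-quoted YAML scalar early and make the file unparseable.
          # Must match the tag built in the previous step.
          image-ref: "advanced-wallet-manager:pr-${{ github.event.pull_request.number || 'test' }}"
          format: 'table'
          severity: 'CRITICAL,HIGH'
          # Non-zero exit fails the job on any finding at the severities above.
          exit-code: '1'
          ignore-unfixed: true
          scanners: 'vuln'  # Only scan for vulnerabilities, not secrets

  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ inputs.node-version }}
          cache: 'npm'
      # node_modules cache keyed on the lockfile; see commit-lint for rationale.
      - name: Cache dependencies
        uses: actions/cache@v3
        id: node-modules-cache
        with:
          path: '**/node_modules'
          key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-modules-
      - name: Install dependencies
        if: steps.node-modules-cache.outputs.cache-hit != 'true'
        run: npm ci
      # Produces the demo.key / demo.crt pair referenced by the test env below.
      - name: Generate test SSL certificates
        run: npm run generate-test-ssl
      - name: Test
        run: npm test
        env:
          NODE_OPTIONS: '--max-old-space-size=4096'
          MASTER_BITGO_EXPRESS_KEYPATH: ./demo.key
          MASTER_BITGO_EXPRESS_CRTPATH: ./demo.crt
          # Environment values are always strings; quoted so that no YAML loader
          # retypes them as booleans.
          MTLS_ENABLED: 'true'
          MTLS_REQUEST_CERT: 'true'
          # Test-only setting: demo.crt is generated in CI (presumably
          # self-signed), so peer verification is disabled for the test run.
          # Confirm this value is never carried into a non-test configuration.
          MTLS_REJECT_UNAUTHORIZED: 'false'
          KMS_URL: 'https://localhost:3000/'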