chore: disable scans

mojaloop · Oct 1, 2021 · 5a3cd91 · 5a3cd91
1 parent af02994
commit 5a3cd91
Show file tree

Hide file tree

Showing 2 changed files with 95 additions and 92 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -247,75 +247,75 @@ jobs:
           webhook: "$SLACK_WEBHOOK_ANNOUNCEMENT_CI_CD"
           failure_message: 'Publishing docker image failed for: \`"${DOCKER_ORG}/${CIRCLE_PROJECT_REPONAME}:${CIRCLE_TAG}"\`'
 
-  license-scan:
-    executor: default-machine
-    steps:
-      - attach_workspace:
-          at: /tmp
-      - run:
-          name: Load the pre-built docker image from workspace
-          command: docker load -i /tmp/docker-image.tar
-      - run:
-          <<: *defaults_license_scanner
-      - run:
-          name: Run the license-scanner
-          command: cd /tmp/license-scanner && mode=docker dockerImages=$DOCKER_ORG/$CIRCLE_PROJECT_REPONAME:local make run
-      - store_artifacts:
-          path: /tmp/license-scanner/results
-          prefix: licenses
+  #license-scan:
+  #  executor: default-machine
+  #  steps:
+  #    - attach_workspace:
+  #        at: /tmp
+  #    - run:
+  #        name: Load the pre-built docker image from workspace
+  #        command: docker load -i /tmp/docker-image.tar
+  #    - run:
+  #        <<: *defaults_license_scanner
+  #    - run:
+  #        name: Run the license-scanner
+  #        command: cd /tmp/license-scanner && mode=docker dockerImages=$DOCKER_ORG/$CIRCLE_PROJECT_REPONAME:local make run
+  #    - store_artifacts:
+  #        path: /tmp/license-scanner/results
+  #        prefix: licenses
 
-  image-scan:
-    executor: anchore/anchore_engine
-    steps:
-      - setup_remote_docker
-      - checkout
-      - run:
-          name: Install docker dependencies for anchore
-          command: |
-            apk add --update python3 py3-pip docker python3-dev libffi-dev openssl-dev gcc libc-dev make jq npm
-      - run:
-          name: Install AWS CLI dependencies
-          command: *defaults_awsCliDependencies
-      - attach_workspace:
-          at: /tmp
-      - run:
-          name: Load the pre-built docker image from workspace
-          command: docker load -i /tmp/docker-image.tar
-      - run:
-          name: Download the mojaloop/ci-config repo
-          command: |
-            git clone https://github.com/mojaloop/ci-config /tmp/ci-config
-            # Generate the mojaloop anchore-policy
-            cd /tmp/ci-config/container-scanning && ./mojaloop-policy-generator.js /tmp/mojaloop-policy.json
-      - run:
-          name: Pull base image locally
-          command: |
-            docker pull node:12.16.1-alpine
-      # Analyze the base and derived image
-      # Note: It seems images are scanned in parallel, so preloading the base image result doesn't give us any real performance gain
-      - anchore/analyze_local_image:
-          # Force the older version, version 0.7.0 was just published, and is broken
-          anchore_version: v0.6.1
-          image_name: "docker.io/node:12.16.1-alpine $DOCKER_ORG/$CIRCLE_PROJECT_REPONAME:local"
-          policy_failure: false
-          timeout: '1000'
-          # Note: if the generated policy is invalid, this will fallback to the default policy, which we don't want!
-          policy_bundle_file_path: /tmp/mojaloop-policy.json
-      - run:
-          name: Upload Anchore reports to s3
-          command: |
-            aws s3 cp anchore-reports ${AWS_S3_DIR_ANCHORE_REPORTS}/${CIRCLE_PROJECT_REPONAME}/ --recursive
-            aws s3 rm ${AWS_S3_DIR_ANCHORE_REPORTS}/latest/ --recursive --exclude "*" --include "${CIRCLE_PROJECT_REPONAME}*"
-            aws s3 cp anchore-reports ${AWS_S3_DIR_ANCHORE_REPORTS}/latest/ --recursive
-      - run:
-          name: Evaluate failures
-          command: /tmp/ci-config/container-scanning/anchore-result-diff.js anchore-reports/node_12.16.1-alpine-policy.json anchore-reports/${CIRCLE_PROJECT_REPONAME}*-policy.json
-      - slack/status:
-          fail_only: true
-          webhook: "$SLACK_WEBHOOK_ANNOUNCEMENT_CI_CD"
-          failure_message: 'Anchore Image Scan failed  for: \`"${DOCKER_ORG}/${CIRCLE_PROJECT_REPONAME}:${CIRCLE_TAG}"\`'
-      - store_artifacts:
-          path: anchore-reports
+  #image-scan:
+  #  executor: anchore/anchore_engine
+  #  steps:
+  #    - setup_remote_docker
+  #    - checkout
+  #    - run:
+  #        name: Install docker dependencies for anchore
+  #        command: |
+  #          apk add --update python3 py3-pip docker python3-dev libffi-dev openssl-dev gcc libc-dev make jq npm
+  #    - run:
+  #        name: Install AWS CLI dependencies
+  #        command: *defaults_awsCliDependencies
+  #    - attach_workspace:
+  #        at: /tmp
+  #    - run:
+  #        name: Load the pre-built docker image from workspace
+  #        command: docker load -i /tmp/docker-image.tar
+  #    - run:
+  #        name: Download the mojaloop/ci-config repo
+  #        command: |
+  #          git clone https://github.com/mojaloop/ci-config /tmp/ci-config
+  #          # Generate the mojaloop anchore-policy
+  #          cd /tmp/ci-config/container-scanning && ./mojaloop-policy-generator.js /tmp/mojaloop-policy.json
+  #    - run:
+  #        name: Pull base image locally
+  #        command: |
+  #          docker pull node:12.16.1-alpine
+  #    # Analyze the base and derived image
+  #    # Note: It seems images are scanned in parallel, so preloading the base image result doesn't give us any real performance gain
+  #    - anchore/analyze_local_image:
+  #        # Force the older version, version 0.7.0 was just published, and is broken
+  #        anchore_version: v0.6.1
+  #        image_name: "docker.io/node:12.16.1-alpine $DOCKER_ORG/$CIRCLE_PROJECT_REPONAME:local"
+  #        policy_failure: false
+  #        timeout: '1000'
+  #        # Note: if the generated policy is invalid, this will fallback to the default policy, which we don't want!
+  #        policy_bundle_file_path: /tmp/mojaloop-policy.json
+  #    - run:
+  #        name: Upload Anchore reports to s3
+  #        command: |
+  #          aws s3 cp anchore-reports ${AWS_S3_DIR_ANCHORE_REPORTS}/${CIRCLE_PROJECT_REPONAME}/ --recursive
+  #          aws s3 rm ${AWS_S3_DIR_ANCHORE_REPORTS}/latest/ --recursive --exclude "*" --include "${CIRCLE_PROJECT_REPONAME}*"
+  #          aws s3 cp anchore-reports ${AWS_S3_DIR_ANCHORE_REPORTS}/latest/ --recursive
+  #    - run:
+  #        name: Evaluate failures
+  #        command: /tmp/ci-config/container-scanning/anchore-result-diff.js anchore-reports/node_12.16.1-alpine-policy.json anchore-reports/${CIRCLE_PROJECT_REPONAME}*-policy.json
+  #    - slack/status:
+  #        fail_only: true
+  #        webhook: "$SLACK_WEBHOOK_ANNOUNCEMENT_CI_CD"
+  #        failure_message: 'Anchore Image Scan failed  for: \`"${DOCKER_ORG}/${CIRCLE_PROJECT_REPONAME}:${CIRCLE_TAG}"\`'
+  #    - store_artifacts:
+  #        path: anchore-reports
 
 ##
 # Workflows
@@ -366,27 +366,27 @@ workflows:
             tags:
               only: /.*/
 
-      - license-scan:
-          context: org-global
-          requires:
-            - build-local
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              only:
-                - master
+      #- license-scan:
+      #    context: org-global
+      #    requires:
+      #      - build-local
+      #    filters:
+      #      tags:
+      #        only: /.*/
+      #      branches:
+      #        only:
+      #          - master
 
-      - image-scan:
-          context: org-global
-          requires:
-            - build-local
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              only:
-                - master
+      #- image-scan:
+      #    context: org-global
+      #    requires:
+      #      - build-local
+      #    filters:
+      #      tags:
+      #        only: /.*/
+      #      branches:
+      #        only:
+      #          - master
 
       # New commits to master release automatically
       - release:
@@ -395,8 +395,8 @@ workflows:
             - test-unit
             #- audit-licenses
             - linting-check
-            - image-scan
-            - license-scan
+            #- image-scan
+            #- license-scan
           filters:
             branches:
               only:
@@ -419,8 +419,8 @@ workflows:
             - test-unit
             #- audit-licenses
             - linting-check
-            - image-scan
-            - license-scan
+            #- image-scan
+            #- license-scan
           filters:
             tags:
               only: /.*/

diff --git a/Dockerfile b/Dockerfile
@@ -57,3 +57,6 @@ EXPOSE 8080
 ENTRYPOINT ["/entrypoint.sh"]
 
 CMD ["caddy", "run", "--watch"]
+# TODO: Need to add 8080 to image-scan whitelist
+#       Need to switch user away from root
+#       Investigate Feed data unavailable, cannot perform CVE scan for distro: alpine:3.14.2