diff --git a/.circleci/config.yml b/.circleci/config.yml
index 9ad8f42..2a4e1d6 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -247,75 +247,75 @@ jobs: webhook: "$SLACK_WEBHOOK_ANNOUNCEMENT_CI_CD" failure_message: 'Publishing docker image failed for: \`"${DOCKER_ORG}/${CIRCLE_PROJECT_REPONAME}:${CIRCLE_TAG}"\`' - license-scan: - executor: default-machine - steps: - - attach_workspace: - at: /tmp - - run: - name: Load the pre-built docker image from workspace - command: docker load -i /tmp/docker-image.tar - - run: - <<: *defaults_license_scanner - - run: - name: Run the license-scanner - command: cd /tmp/license-scanner && mode=docker dockerImages=$DOCKER_ORG/$CIRCLE_PROJECT_REPONAME:local make run - - store_artifacts: - path: /tmp/license-scanner/results - prefix: licenses + #license-scan: + # executor: default-machine + # steps: + # - attach_workspace: + # at: /tmp + # - run: + # name: Load the pre-built docker image from workspace + # command: docker load -i /tmp/docker-image.tar + # - run: + # <<: *defaults_license_scanner + # - run: + # name: Run the license-scanner + # command: cd /tmp/license-scanner && mode=docker dockerImages=$DOCKER_ORG/$CIRCLE_PROJECT_REPONAME:local make run + # - store_artifacts: + # path: /tmp/license-scanner/results + # prefix: licenses - image-scan: - executor: anchore/anchore_engine - steps: - - setup_remote_docker - - checkout - - run: - name: Install docker dependencies for anchore - command: | - apk add --update python3 py3-pip docker python3-dev libffi-dev openssl-dev gcc libc-dev make jq npm - - run: - name: Install AWS CLI dependencies - command: *defaults_awsCliDependencies - - attach_workspace: - at: /tmp - - run: - name: Load the pre-built docker image from workspace - command: docker load -i /tmp/docker-image.tar - - run: - name: Download the mojaloop/ci-config repo - command: | - git clone https://github.com/mojaloop/ci-config /tmp/ci-config - # Generate the mojaloop anchore-policy - cd /tmp/ci-config/container-scanning && ./mojaloop-policy-generator.js /tmp/mojaloop-policy.json - - run: - name: Pull base image locally - command: | - docker 
pull node:12.16.1-alpine - # Analyze the base and derived image - # Note: It seems images are scanned in parallel, so preloading the base image result doesn't give us any real performance gain - - anchore/analyze_local_image: - # Force the older version, version 0.7.0 was just published, and is broken - anchore_version: v0.6.1 - image_name: "docker.io/node:12.16.1-alpine $DOCKER_ORG/$CIRCLE_PROJECT_REPONAME:local" - policy_failure: false - timeout: '1000' - # Note: if the generated policy is invalid, this will fallback to the default policy, which we don't want! - policy_bundle_file_path: /tmp/mojaloop-policy.json - - run: - name: Upload Anchore reports to s3 - command: | - aws s3 cp anchore-reports ${AWS_S3_DIR_ANCHORE_REPORTS}/${CIRCLE_PROJECT_REPONAME}/ --recursive - aws s3 rm ${AWS_S3_DIR_ANCHORE_REPORTS}/latest/ --recursive --exclude "*" --include "${CIRCLE_PROJECT_REPONAME}*" - aws s3 cp anchore-reports ${AWS_S3_DIR_ANCHORE_REPORTS}/latest/ --recursive - - run: - name: Evaluate failures - command: /tmp/ci-config/container-scanning/anchore-result-diff.js anchore-reports/node_12.16.1-alpine-policy.json anchore-reports/${CIRCLE_PROJECT_REPONAME}*-policy.json - - slack/status: - fail_only: true - webhook: "$SLACK_WEBHOOK_ANNOUNCEMENT_CI_CD" - failure_message: 'Anchore Image Scan failed for: \`"${DOCKER_ORG}/${CIRCLE_PROJECT_REPONAME}:${CIRCLE_TAG}"\`' - - store_artifacts: - path: anchore-reports + #image-scan: + # executor: anchore/anchore_engine + # steps: + # - setup_remote_docker + # - checkout + # - run: + # name: Install docker dependencies for anchore + # command: | + # apk add --update python3 py3-pip docker python3-dev libffi-dev openssl-dev gcc libc-dev make jq npm + # - run: + # name: Install AWS CLI dependencies + # command: *defaults_awsCliDependencies + # - attach_workspace: + # at: /tmp + # - run: + # name: Load the pre-built docker image from workspace + # command: docker load -i /tmp/docker-image.tar + # - run: + # name: Download the 
mojaloop/ci-config repo + # command: | + # git clone https://github.com/mojaloop/ci-config /tmp/ci-config + # # Generate the mojaloop anchore-policy + # cd /tmp/ci-config/container-scanning && ./mojaloop-policy-generator.js /tmp/mojaloop-policy.json + # - run: + # name: Pull base image locally + # command: | + # docker pull node:12.16.1-alpine + # # Analyze the base and derived image + # # Note: It seems images are scanned in parallel, so preloading the base image result doesn't give us any real performance gain + # - anchore/analyze_local_image: + # # Force the older version, version 0.7.0 was just published, and is broken + # anchore_version: v0.6.1 + # image_name: "docker.io/node:12.16.1-alpine $DOCKER_ORG/$CIRCLE_PROJECT_REPONAME:local" + # policy_failure: false + # timeout: '1000' + # # Note: if the generated policy is invalid, this will fallback to the default policy, which we don't want! + # policy_bundle_file_path: /tmp/mojaloop-policy.json + # - run: + # name: Upload Anchore reports to s3 + # command: | + # aws s3 cp anchore-reports ${AWS_S3_DIR_ANCHORE_REPORTS}/${CIRCLE_PROJECT_REPONAME}/ --recursive + # aws s3 rm ${AWS_S3_DIR_ANCHORE_REPORTS}/latest/ --recursive --exclude "*" --include "${CIRCLE_PROJECT_REPONAME}*" + # aws s3 cp anchore-reports ${AWS_S3_DIR_ANCHORE_REPORTS}/latest/ --recursive + # - run: + # name: Evaluate failures + # command: /tmp/ci-config/container-scanning/anchore-result-diff.js anchore-reports/node_12.16.1-alpine-policy.json anchore-reports/${CIRCLE_PROJECT_REPONAME}*-policy.json + # - slack/status: + # fail_only: true + # webhook: "$SLACK_WEBHOOK_ANNOUNCEMENT_CI_CD" + # failure_message: 'Anchore Image Scan failed for: \`"${DOCKER_ORG}/${CIRCLE_PROJECT_REPONAME}:${CIRCLE_TAG}"\`' + # - store_artifacts: + # path: anchore-reports ## # Workflows 
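Review bot: Commenting out the whole `image-scan` and `license-scan` jobs removes container CVE and licence scanning from the pipeline with no in-file record of why or of when they come back, and the same silent removal repeats in the workflows hunks at -366, -395 and -419, where `release` and the tag release no longer require either scan, so images are published unscanned. The Dockerfile TODOs in this commit suggest the blocker was scan findings (root user, port 8080, feed unavailable) rather than a broken job, and `policy_failure: false` already appears to make the Anchore policy gate non-blocking, so a less lossy option is to keep the jobs running and only drop them from the release `requires` lists, or to keep `image-scan` and disable just the `Evaluate failures` step. At minimum, replace the bare `#image-scan:` with a dated reason and tracking reference, e.g. `# image-scan disabled <DATE>: <reason>; re-enable tracked in <ISSUE-ID>`. When it is re-enabled, the hard-coded `node:12.16.1-alpine` in `image_name`, the `docker pull` step and the `Evaluate failures` report path must match the Dockerfile's current base, which the Dockerfile hunk implies has moved (it mentions alpine:3.14.2).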
@@ -366,27 +366,27 @@ workflows: tags: only: /.*/ - - license-scan: - context: org-global - requires: - - build-local - filters: - tags: - only: /.*/ - branches: - only: - - master + #- license-scan: + # context: org-global + # requires: + # - build-local + # filters: + # tags: + # only: /.*/ + # branches: + # only: + # - master - - image-scan: - context: org-global - requires: - - build-local - filters: - tags: - only: /.*/ - branches: - only: - - master + #- image-scan: + # context: org-global + # requires: + # - build-local + # filters: + # tags: + # only: /.*/ + # branches: + # only: + # - master # New commits to master release automatically - release:
@@ -395,8 +395,8 @@ workflows:
 - test-unit
 #- audit-licenses
 - linting-check
- - image-scan
- - license-scan
+ #- image-scan
+ #- license-scan
 filters:
 branches:
 only:
@@ -419,8 +419,8 @@ workflows:
 - test-unit
 #- audit-licenses
 - linting-check
- - image-scan
- - license-scan
+ #- image-scan
+ #- license-scan
 filters:
 tags:
 only: /.*/
diff --git a/Dockerfile b/Dockerfile
index 5ba9f5b..7447f87 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -57,3 +57,6 @@ EXPOSE 8080 ENTRYPOINT ["/entrypoint.sh"] CMD ["caddy", "run", "--watch"]
+# TODO: Need to add 8080 to image-scan whitelist
+# Need to switch user away from root
+# Investigate Feed data unavailable, cannot perform CVE scan for distro: alpine:3.14.2
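Review bot: The second added line, `# Need to switch user away from root`, implies the image currently has no non-root `USER`, which is a finding rather than a note to self and is plausibly what the now-disabled image scan flagged; since 8080 is an unprivileged port, adding a dedicated user and a `USER` instruction before `ENTRYPOINT` should not stop caddy binding it, unless the Caddyfile also listens on 80/443 (not visible here). The first line asks to whitelist 8080 in the image scan, but a TODO on a port exposure should say why the exposure is acceptable so the whitelist entry is reviewable, e.g. `# 8080: application listener, non-privileged port; whitelisted in image-scan, see <ISSUE-ID>`. All three notes would be easier to track if they named a ticket, e.g. `# TODO(<ISSUE-ID>): switch to a non-root USER`; with the scan jobs commented out in .circleci/config.yml these comments are currently the only record that the scan found anything. The third line's `alpine:3.14.2` does not match the `node:12.16.1-alpine` base the disabled scan config still pulls, so the two need to be reconciled when the scan is re-enabled.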