diff --git a/.envrc b/.envrc
index c642786..54889e9 100644
--- a/.envrc
+++ b/.envrc
@@ -1,6 +1,8 @@
-# If your on windows use wsl / git bash / cygwin / msys2 with direnv
+# If your on windows please use wsl2 with git bash / cygwin / msys2 with direnv
-export CFG_PRESET=testnet-02
+if [ -z "$CFG_PRESET" ]; then
+ export CFG_PRESET=testnet-02
+fi
 source ./.envrc.${CFG_PRESET}
@@ -41,7 +43,7 @@ export APPEND_ARGS="--allow-private-ip --pool-limit 10 --trie-cache-size 0 --pro
 # Validator Values:
 if [ ! -f node.privatekey ]; then
 # generate node key like this:
- DOCKER_DEFAULT_PLATFORM=linux/amd64 docker run --rm -it docker.io/parity/subkey:latest generate-node-key | sed -n '2p' > midnight-node.privatekey
+ DOCKER_DEFAULT_PLATFORM=linux/amd64 docker run --rm -i docker.io/parity/subkey:latest generate-node-key | sed -n '2p' > midnight-node.privatekey
 # Use the second line of output for NODE_KEY (that's what sed -n '2p' does)
 fi
 export NODE_KEY="$(cat ./midnight-node.privatekey)"
diff --git a/.github/scan.sh b/.github/scan.sh
new file mode 100755
index 0000000..f0826c8
--- /dev/null
+++ b/.github/scan.sh
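Review bot: `source ./.envrc.${CFG_PRESET}` now takes the preset from whatever the caller's environment already holds, but nothing checks that the resulting file exists or that the value is one of the known presets, so a typo or a stray `CFG_PRESET` inherited from another shell either fails with bash's generic "No such file" message or sources an unintended path. Guard it before sourcing, e.g. `[ -f "./.envrc.${CFG_PRESET}" ] || { echo "unknown CFG_PRESET: ${CFG_PRESET}" >&2; exit 1; }`, and quote the expansion in the `source` line; direnv evaluates `.envrc` in its own bash, so `exit` is safe there, while a file that is also sourced interactively should use `return 1` instead. The rewritten comment keeps the typo "If your" where "If you're" is meant.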
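Review bot: The rewritten command still writes `midnight-node.privatekey` while the guard on the `if` line tests `node.privatekey`, so unless `node.privatekey` is created somewhere else the condition is always true and a fresh node key is generated, rotating the node's identity and NODE_KEY, every time the env is loaded; dropping `-t` fixes the TTY problem but not this. Change the guard to `if [ ! -f midnight-node.privatekey ]; then`. Nothing checks the pipeline's status either, so a failed `docker run` (daemon down, image pull blocked) leaves an empty file that the corrected guard would then accept as a valid key; add `[ -s midnight-node.privatekey ] || { echo "node key generation failed" >&2; exit 1; }` after the generation line.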
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+source "./.envrc"
+
+docker compose -f ./compose.yml -f ./compose-partner-chains.yml build
+
+scan_image() {
+ local image SAFE_NAME SARIF_FILE
+ image="$1"
+ echo "Scanning $image..."
+ SAFE_NAME=$(echo "$image" | sed 's/[\/:]/-/g')
+ SARIF_FILE="${SAFE_NAME}.sarif"
+
+ time docker run --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v trivy-cache:/root/.cache \
+ -v "$(pwd):/output" \
+ aquasec/trivy:0.67.2 image \
+ --format sarif \
+ --ignore-unfixed \
+ --no-progress \
+ --output "/output/$SARIF_FILE" \
+ "$image"
+ jq --arg image "$image" \
+ '.runs[0].automationDetails = {
+ id: "trivy/\($image)",
+ description: {text: "Trivy scan for \($image)"}
+ }' "$SARIF_FILE" > "./scan_reports/${SARIF_FILE}"
+ echo "Completed $SARIF_FILE"
+}
+export -f scan_image
+
+mkdir scan_reports
+
+docker compose -f ./compose.yml -f ./compose-partner-chains.yml config --images | \
+ xargs -I {} bash -c 'scan_image "$@"' _ {}
diff --git a/.github/workflows/checkmarx.yaml b/.github/workflows/checkmarx.yaml
deleted file mode 100644
index 51c9d66..0000000
--- a/.github/workflows/checkmarx.yaml
+++ /dev/null
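Review bot: Scan failures are not propagated: the script sets no `-e`/`pipefail`, `scan_image` ends with an `echo` so its status is always 0, and the exported function runs inside a fresh `bash -c` where shell options would not be inherited anyway, so a failed trivy run or a jq error on a missing SARIF still lets the step finish green with reports silently missing. Add `set -euo pipefail` after the shebang and invoke the function as `xargs -I {} bash -c 'set -euo pipefail; scan_image "$@"' _ {}` so a non-zero exit for any image surfaces as xargs status 123 and fails the job. With `-e` in place, `mkdir scan_reports` should become `mkdir -p scan_reports` so a re-run in an existing workspace does not abort before scanning starts. `source "./.envrc"` also executes the repository's environment file in CI, including its node-key generation block, which looks intentional but deserves a one-line comment saying so.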
@@ -1,39 +0,0 @@
-name: Checkmarx One Scan (Fork-Friendly)
-
-# use only job-level permissions
-permissions: {}
-
-on:
- pull_request_target: # Changed from pull_request to pull_request_target
- types: [opened, synchronize, reopened]
- branches: [ '**' ]
- push:
- branches: [ 'main' ]
- workflow_dispatch: {} # so you can still run it manually
- schedule:
- - cron: "0 0 * * *" # run daily at midnight UTC
-concurrency:
- group: ${{ github.workflow }}-${{ github.head_ref }}
- cancel-in-progress: true
-jobs:
- build:
- permissions:
- contents: read
- pull-requests: write
- security-events: write
- actions: read # to query workflows/runs
-
- runs-on: ubuntu-latest
-
- steps:
- # CRITICAL: DO NOT CHECKOUT THE PR CODE
- # This is what makes it safe with pull_request_target
-
- - name: Checkmarx Full Scan
- uses: midnightntwrk/upload-sarif-github-action/checkmarx-scan-public@53cdf3148dbbd85518ecc5e8f1ec485852c99c36
- with:
- cx-client-id: ${{ secrets.CX_CLIENT_ID }}
- cx-client-secret: ${{ secrets.CX_CLIENT_SECRET_EU }}
- cx-tenant: ${{ secrets.CX_TENANT }}
- scs-repo-token: ${{ secrets.MIDNIGHTCI_REPO }}
- upload-to-github: 'true'
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
new file mode 100644
index 0000000..94cc7bb
--- /dev/null
+++ b/.github/workflows/scan.yaml
@@ -0,0 +1,70 @@
+name: Scan
+
+permissions: {}
+
+# Run on pushes to any branch and pull requests
+on:
+ push:
+ branches: ['main']
+ pull_request:
+ branches: ['**']
+
+jobs:
+ scan-fs:
+ name: Fs scan code
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ statuses: write
+ steps:
+ - name: Check out code
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+ with:
+ fetch-depth: 0
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
+ with:
+ version: 'v0.67.2'
+ scan-type: 'fs'
+ scanners: 'vuln,secret,misconfig'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a
+ if: success() || failure()
+ with:
+ sarif_file: trivy-results.sarif
+ category: 'trivy-fs'
+
+ scan-images:
+ name: Build and scan code
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ cfg_preset: ['testnet-02', 'qanet']
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ statuses: write
+ steps:
+ - name: Check out code
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+ with:
+ fetch-depth: 0
+
+ - name: Scan images
+ env:
+ CFG_PRESET: ${{ matrix.cfg_preset }}
+ run: ./.github/scan.sh
+
+ - name: Upload to GitHub Security
+ uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a #CodeQL Bundle v2.23.6
+ with:
+ sarif_file: 'scan_reports'
+ category: 'trivy-images'
diff --git a/.gitignore b/.gitignore
index 2cbdf12..f831a4b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,7 @@
 /data
 *.privatekey
 *.password
+*.secret
+*.sarif
+/scan_reports
 ogmios_client.log
diff --git a/CODEOWNERS b/CODEOWNERS
index 9f17db6..159a095 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
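Review bot: The `Upload to GitHub Security` step in `scan-images` has no `if: success() || failure()` condition, unlike the `Upload SARIF file` step in `scan-fs`, so any SARIF that `scan.sh` managed to write before failing is never uploaded; add `if: success() || failure()` to that step so both jobs report partial results the same way. The `aquasecurity/trivy-action` pin and the first `upload-sarif` pin carry no release comment while the `checkout` and second `upload-sarif` pins do; add a trailing `#vX.Y.Z` comment (placeholder, filled in from the release that SHA belongs to) so the pinned commit can be matched against a release during review. `fetch-depth: 0` fetches full history that neither the fs scan nor the image build visibly needs and can be dropped to shorten checkout. `statuses: write` does not appear to be used by any step in either job and can be removed to keep the job token minimal.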
@@ -1,7 +1,7 @@
 * @midnightntwrk/mn-codeowners-node-docker
 /.github/ISSUE_TEMPLATE/ @midnightntwrk/mn-security @midnightntwrk/mn-sre
 /.github/PULL_REQUEST_TEMPLATE/ @midnightntwrk/mn-security @midnightntwrk/mn-sre
-/.github/workflows/checkmarx.yaml @midnightntwrk/mn-security @midnightntwrk/mn-sre
+/.github/workflows/scan.yaml @midnightntwrk/mn-security @midnightntwrk/mn-sre
 /.github/workflows/dependabot.yml @midnightntwrk/mn-security @midnightntwrk/mn-sre
 CODE_OF_CONDUCT.md @midnightntwrk/mn-security @midnightntwrk/mn-sre
 CODEOWNERS @midnightntwrk/mn-security @midnightntwrk/mn-sre