From 3ca27ca50d9daff7947fe9093278e65dc2415cfe Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Sat, 29 Nov 2025 15:17:48 +0000 Subject: [PATCH 01/20] feat: add trivy --- .github/workflows/scan.yaml | 40 +++++++++++++++++++++++++++++++++++++ .gitignore | 1 + 2 files changed, 41 insertions(+) create mode 100644 .github/workflows/scan.yaml diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml new file mode 100644 index 0000000..2d88cd0 --- /dev/null +++ b/.github/workflows/scan.yaml @@ -0,0 +1,40 @@ +name: Scan + +permissions: {} + +# Run on pushes to any branch and pull requests +on: + push: + branches: ['main'] + pull_request: + branches: ['**'] + +jobs: + scan: + name: Scan code & configs with Trivy + runs-on: ubuntu-latest + permissions: + contents: read # we only need to checkout code + actions: read # to query workflows/runs + statuses: write + steps: + - name: Check out code + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 + with: + fetch-depth: 0 + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + with: + scan-type: 'config' + scan-ref: '.' + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH,MEDIUM' + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a + if: success() || failure() + with: + sarif_file: results.sarif + category: 'trivy' diff --git a/.gitignore b/.gitignore index 2cbdf12..e58663d 100644 --- a/.gitignore +++ b/.gitignore @@ -2,4 +2,5 @@ /data *.privatekey *.password +*.secret ogmios_client.log From 156b4e49c9f983b9ae54907a3dbabd2edc2fd020 Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Sat, 29 Nov 2025 15:21:57 +0000 Subject: [PATCH 02/20] fix: bump version --- .github/workflows/scan.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 2d88cd0..235eb93 100644 
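Review bot: The `permissions` block of the `scan` job grants `contents: read`, `actions: read` and `statuses: write`, but the `Upload SARIF file` step (`github/codeql-action/upload-sarif`) needs `security-events: write`, which is absent; with the workflow-level `permissions: {}` the upload will be rejected, so add `security-events: write` to the job permissions. Nothing visible in the job uses `statuses: write`, so it can presumably be dropped to keep the token minimal. The header comment `# Run on pushes to any branch and pull requests` no longer matches the trigger, which limits pushes to `main`; suggest `# Run on pushes to main and on all pull requests`. `fetch-depth: 0` fetches full history although a `config` scan only reads the working tree.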
--- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -26,6 +26,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: + version: 'v0.67.2' scan-type: 'config' scan-ref: '.' format: 'sarif' From e8519292248bea1b310aa4489e291b631340c536 Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Sat, 29 Nov 2025 15:23:27 +0000 Subject: [PATCH 03/20] fix: correct output file --- .github/workflows/scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 235eb93..a00bd6e 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -37,5 +37,5 @@ jobs: uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a if: success() || failure() with: - sarif_file: results.sarif + sarif_file: trivy-results.sarif category: 'trivy' From ae9ad091aeb2c1307705c053ad053affc71c828c Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Sat, 29 Nov 2025 15:29:55 +0000 Subject: [PATCH 04/20] feat: broader scan --- .github/workflows/scan.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index a00bd6e..ab76185 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -27,8 +27,8 @@ jobs: uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: version: 'v0.67.2' - scan-type: 'config' - scan-ref: '.' + scan-type: 'fs' + scanners: 'vuln,secret,misconfig' format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH,MEDIUM' From 1c5c7b581959d182ab5077a854e47b12d1fb376c Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Sat, 29 Nov 2025 17:53:07 +0000 Subject: [PATCH 05/20] feat: build images and scan them --- .github/workflows/scan.yaml | 49 +++++++++++++++++++++++++++++++++++-- 1 file changed, 47 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index ab76185..5938423 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -10,13 +10,15 @@ on: branches: ['**'] jobs: - scan: - name: Scan code & configs with Trivy + build: + name: Build code runs-on: ubuntu-latest permissions: contents: read # we only need to checkout code actions: read # to query workflows/runs statuses: write + outputs: + images: ${{ steps.get-images.outputs.images }} steps: - name: Check out code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 @@ -39,3 +41,46 @@ jobs: with: sarif_file: trivy-results.sarif category: 'trivy' + + - name: Build images + env: + DOCKER_BUILDKIT: 1 + run: docker compose -f ./compose.yml -f ./compose-partner-chains.yml build + + - name: Get image list + id: get-images + run: | + IMAGES=$(docker compose -f ./compose.yml -f ./compose-partner-chains.yml config --images | jq -R -s -c 'split("\n")[:-1]') + echo "images=$IMAGES" >> $GITHUB_OUTPUT + + scan: + needs: build + runs-on: ubuntu-latest + strategy: + matrix: + image: ${{ fromJson(needs.build.outputs.images) }} + + steps: + - name: Checkout + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1 + + - name: Build image + run: docker compose -f ./compose.yml build + env: + DOCKER_BUILDKIT: 1 + + - name: Run Trivy scanner + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1 + with: + image-ref: ${{ matrix.image }} + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload to GitHub Security + uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a #CodeQL Bundle v2.23.6 + with: + sarif_file: 'trivy-results.sarif' + category: ${{ matrix.image }} From 0387d3b66eea7926c5378132ae948330798e4b81 Mon Sep 17 00:00:00 2001 
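Review bot: The new `scan` job declares no `permissions:`, so under the workflow-level `permissions: {}` its token has no scopes and the `Upload to GitHub Security` step cannot write `security-events`; the job needs its own `permissions:` block with at least `contents: read` and `security-events: write`. The images built in the `build` job also do not exist on the `scan` runner (a separate VM), and the matrix job's `Build image` step only uses `./compose.yml`, so images defined in `compose-partner-chains.yml` will presumably be missing when `trivy-action` is given `image-ref: ${{ matrix.image }}`; either rebuild with both compose files here or pass the images between jobs as artifacts (`docker save` / `docker load`).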
From: Giles Cope Date: Sat, 29 Nov 2025 17:55:14 +0000 Subject: [PATCH 06/20] fix: source .envrc --- .github/workflows/scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 5938423..539c88e 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -45,7 +45,7 @@ jobs: - name: Build images env: DOCKER_BUILDKIT: 1 - run: docker compose -f ./compose.yml -f ./compose-partner-chains.yml build + run: source ./.envrc && docker compose -f ./compose.yml -f ./compose-partner-chains.yml build - name: Get image list id: get-images From 980f5b7b3d926b504b2539a0a055a3867b2854e6 Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Sat, 29 Nov 2025 17:57:54 +0000 Subject: [PATCH 07/20] fix: not a tty --- .envrc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.envrc b/.envrc index c642786..4a70fa4 100644 --- a/.envrc +++ b/.envrc @@ -41,7 +41,7 @@ export APPEND_ARGS="--allow-private-ip --pool-limit 10 --trie-cache-size 0 --pro # Validator Values: if [ ! -f node.privatekey ]; then # generate node key like this: - DOCKER_DEFAULT_PLATFORM=linux/amd64 docker run --rm -it docker.io/parity/subkey:latest generate-node-key | sed -n '2p' > midnight-node.privatekey + DOCKER_DEFAULT_PLATFORM=linux/amd64 docker run --rm -i docker.io/parity/subkey:latest generate-node-key | sed -n '2p' > midnight-node.privatekey # Use the second line of output for NODE_KEY (that's what sed -n '2p' does) fi export NODE_KEY="$(cat ./midnight-node.privatekey)" From 3919856970fd160ee4e7d3840ba17950393d901e Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Sat, 29 Nov 2025 18:03:06 +0000 Subject: [PATCH 08/20] fix: try not building image second time. --- .github/workflows/scan.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 539c88e..e777d7a 100644 --- a/.github/workflows/scan.yaml 
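Review bot: The guard `if [ ! -f node.privatekey ]` tests a different file than the one the command writes (`midnight-node.privatekey`), so unless `node.privatekey` is created elsewhere the key is regenerated on every `source ./.envrc` and `NODE_KEY` changes each time; in the workflow that happens once per step that sources the file. Change the guard to `if [ ! -f midnight-node.privatekey ]; then`. The generating image `docker.io/parity/subkey:latest` is an unpinned moving tag; pinning it by digest would match the commit-SHA pinning used for actions in `scan.yaml`. The `if` block begins and ends inside the hunk, but the rest of `.envrc` is outside it.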
+++ b/.github/workflows/scan.yaml @@ -47,10 +47,10 @@ jobs: DOCKER_BUILDKIT: 1 run: source ./.envrc && docker compose -f ./compose.yml -f ./compose-partner-chains.yml build - - name: Get image list + - name: Build and get image list id: get-images run: | - IMAGES=$(docker compose -f ./compose.yml -f ./compose-partner-chains.yml config --images | jq -R -s -c 'split("\n")[:-1]') + source ./.envrc && IMAGES=$(docker compose -f ./compose.yml -f ./compose-partner-chains.yml config --images | jq -R -s -c 'split("\n")[:-1]') echo "images=$IMAGES" >> $GITHUB_OUTPUT scan: @@ -67,10 +67,10 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1 - - name: Build image - run: docker compose -f ./compose.yml build - env: - DOCKER_BUILDKIT: 1 + # - name: Build image + # run: docker compose -f ./compose.yml build + # env: + # DOCKER_BUILDKIT: 1 - name: Run Trivy scanner uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1 From 1ebddab01b566d31e4bcc5f18fa5bb94e62f3c92 Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Sat, 29 Nov 2025 18:08:30 +0000 Subject: [PATCH 09/20] fix: double quote to prevent globbing --- .github/workflows/scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index e777d7a..ff6d842 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -50,7 +50,7 @@ jobs: - name: Build and get image list id: get-images run: | - source ./.envrc && IMAGES=$(docker compose -f ./compose.yml -f ./compose-partner-chains.yml config --images | jq -R -s -c 'split("\n")[:-1]') + source ./.envrc && IMAGES="$(docker compose -f ./compose.yml -f ./compose-partner-chains.yml config --images | jq -R -s -c 'split("\n")[:-1]')" echo "images=$IMAGES" >> $GITHUB_OUTPUT scan: From 426d81c8571f95ee3b795e685b8deb22aadf8cb8 Mon Sep 17 00:00:00 2001 
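Review bot: The `Build image` step is commented out rather than removed, leaving four dead lines in the `scan` job; delete them, since git history already keeps the old step. With no build in this job, `trivy-action` receives `image-ref: ${{ matrix.image }}` for an image that was built on the `build` runner and is not present here, so Trivy will presumably try to pull a locally-built tag from a registry and fail unless that image is published; the images need to be passed between jobs (for example `docker save` into an artifact) or built in the scan job. The first hunk of this patch, which only re-sources `.envrc` in the `Build and get image list` step, does not address this.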
From: Giles Cope Date: Sat, 29 Nov 2025 18:17:14 +0000 Subject: [PATCH 10/20] fix: double quote to prevent globbing --- .github/workflows/scan.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index ff6d842..36d7be1 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -45,12 +45,12 @@ jobs: - name: Build images env: DOCKER_BUILDKIT: 1 - run: source ./.envrc && docker compose -f ./compose.yml -f ./compose-partner-chains.yml build + run: source "./.envrc" && docker compose -f ./compose.yml -f ./compose-partner-chains.yml build - name: Build and get image list id: get-images run: | - source ./.envrc && IMAGES="$(docker compose -f ./compose.yml -f ./compose-partner-chains.yml config --images | jq -R -s -c 'split("\n")[:-1]')" + source "./.envrc" && IMAGES="$(docker compose -f ./compose.yml -f ./compose-partner-chains.yml config --images | jq -R -s -c 'split("\n")[:-1]')" echo "images=$IMAGES" >> $GITHUB_OUTPUT scan: From b958134006951a2bc908b8a1706863a86f64722f Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Sat, 29 Nov 2025 18:21:32 +0000 Subject: [PATCH 11/20] fix: double quote to prevent globbing --- .github/workflows/scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 36d7be1..d06a832 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -51,7 +51,7 @@ jobs: id: get-images run: | source "./.envrc" && IMAGES="$(docker compose -f ./compose.yml -f ./compose-partner-chains.yml config --images | jq -R -s -c 'split("\n")[:-1]')" - echo "images=$IMAGES" >> $GITHUB_OUTPUT + echo "images=$IMAGES" >> "$GITHUB_OUTPUT" scan: needs: build From 8375a99143fa0b40a281c817fc7ab554e32c5d0c Mon Sep 17 00:00:00 2001 
From: Giles Cope Date: Sun, 30 Nov 2025 09:12:38 +0000 Subject: [PATCH 12/20] feat: scan images in one job so can matrix over environments --- .envrc | 6 ++-- .github/scan.sh | 27 +++++++++++++++ .github/workflows/scan.yaml | 66 ++++++++++++++----------------------- .gitignore | 1 + 4 files changed, 57 insertions(+), 43 deletions(-) create mode 100755 .github/scan.sh diff --git a/.envrc b/.envrc index 4a70fa4..54889e9 100644 --- a/.envrc +++ b/.envrc @@ -1,6 +1,8 @@ -# If your on windows use wsl / git bash / cygwin / msys2 with direnv +# If your on windows please use wsl2 with git bash / cygwin / msys2 with direnv -export CFG_PRESET=testnet-02 +if [ -z "$CFG_PRESET" ]; then + export CFG_PRESET=testnet-02 +fi source ./.envrc.${CFG_PRESET} diff --git a/.github/scan.sh b/.github/scan.sh new file mode 100755 index 0000000..171c27b --- /dev/null +++ b/.github/scan.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash + +source "./.envrc" + +docker compose -f ./compose.yml -f ./compose-partner-chains.yml build + +scan_image() { + local image="$1" + echo "Scanning $image..." + local SAFE_NAME=$(echo "$image" | sed 's/[\/:]/-/g') + local SARIF_FILE="${SAFE_NAME}.sarif" + + time docker run --rm \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v trivy-cache:/root/.cache \ + -v "$(pwd):/output" \ + aquasec/trivy:0.67.2 image \ + --format sarif \ + --output "/output/$SARIF_FILE" \ + "$image" + + echo "Completed $SARIF_FILE" +} +export -f scan_image + +docker compose -f ./compose.yml -f ./compose-partner-chains.yml config --images | \ + xargs -I {} bash -c 'scan_image "$@"' _ {} diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index d06a832..8c7735c 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml 
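Review bot: `source ./.envrc.${CFG_PRESET}` now depends on a value inherited from the environment, but nothing checks that the file exists before sourcing it, so a mistyped `CFG_PRESET` produces a bare "No such file" from `source` and the remaining exports still run; a guard such as `[ -f "./.envrc.${CFG_PRESET}" ] || { echo "unknown CFG_PRESET: ${CFG_PRESET}" >&2; return 1; }` before the `source` line fails early and names the preset. The comment on the first line should read `# If you're on Windows, please use WSL2 with git bash / cygwin / msys2 and direnv`. The rest of `.envrc` lies outside this hunk.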
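Review bot: `scan.sh` has no `set -euo pipefail`, so a failing `docker compose ... build` on line 5 does not stop the script and the image loop then scans whatever images happen to exist, and a non-zero `docker run` inside `scan_image` is only surfaced through xargs's exit status; add `set -euo pipefail` directly after the shebang. The Trivy container is given `/var/run/docker.sock`, which is root-equivalent access to the runner's Docker daemon; on a throwaway hosted runner that is tolerable, but `docker save "$image" -o image.tar` scanned with `trivy image --input image.tar` avoids the socket mount entirely. `aquasec/trivy:0.67.2` is pinned by tag while every action in `scan.yaml` is pinned by commit SHA; pinning the image by digest (`aquasec/trivy:0.67.2@sha256:<digest>`, placeholder) gives the same guarantee. The `-v "$(pwd):/output"` mount also exposes the whole checkout, including any `*.privatekey` written by `.envrc`, to the scanner container; mounting only a dedicated output directory would narrow that.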
@@ -10,15 +10,14 @@ on: branches: ['**'] jobs: - build: - name: Build code - runs-on: ubuntu-latest + scan-fs: + name: Fs scan code + runs-on: ubuntu-slim permissions: - contents: read # we only need to checkout code - actions: read # to query workflows/runs + actions: read + contents: read + security-events: write statuses: write - outputs: - images: ${{ steps.get-images.outputs.images }} steps: - name: Check out code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 
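Review bot: `statuses: write` remains in the `scan-fs` job's permissions although nothing in the job visibly uses it — the `checkout`, `trivy-action` and `upload-sarif` steps need only `contents: read`, `security-events: write` and (for private repositories) `actions: read`; dropping it keeps the token to what the job actually does. A short comment above `security-events: write`, e.g. `# needed by upload-sarif`, would also explain the one write scope that is required. The job's steps continue past the end of this hunk.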
@@ -40,47 +39,32 @@ jobs: if: success() || failure() with: sarif_file: trivy-results.sarif - category: 'trivy' - - - name: Build images - env: - DOCKER_BUILDKIT: 1 - run: source "./.envrc" && docker compose -f ./compose.yml -f ./compose-partner-chains.yml build + category: 'trivy-fs' - - name: Build and get image list - id: get-images - run: | - source "./.envrc" && IMAGES="$(docker compose -f ./compose.yml -f ./compose-partner-chains.yml config --images | jq -R -s -c 'split("\n")[:-1]')" - echo "images=$IMAGES" >> "$GITHUB_OUTPUT" - - scan: - needs: build + scan-images: + name: Build and scan code runs-on: ubuntu-latest strategy: matrix: - image: ${{ fromJson(needs.build.outputs.images) }} - + cfg_preset: ['testnet-02'] + permissions: + actions: read + contents: read + security-events: write + statuses: write steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1 - - # - name: Build image - # run: docker compose -f ./compose.yml build - # env: - # DOCKER_BUILDKIT: 1 - - - name: Run Trivy scanner - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1 + - name: Check out code + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 with: - image-ref: ${{ matrix.image }} - format: 'sarif' - output: 'trivy-results.sarif' + fetch-depth: 0 + + - name: Scan images + env: + CFG_PRESET: ${{ matrix.cfg_preset }} + run: source "./.envrc" && ./github/scan.sh - name: Upload to GitHub Security uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a #CodeQL Bundle v2.23.6 with: - sarif_file: 'trivy-results.sarif' - category: ${{ matrix.image }} + sarif_file: '*.sarif' + category: 'trivy-images' diff --git a/.gitignore b/.gitignore index e58663d..30b7e2e 100644 --- a/.gitignore +++ b/.gitignore 
@@ -3,4 +3,5 @@ *.privatekey *.password *.secret +*.sarif ogmios_client.log From 9dd9dc3924c65c96c7467afb2cc7e9ce362910bb Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Sun, 30 Nov 2025 09:14:17 +0000 Subject: [PATCH 13/20] fix: typo --- .github/workflows/scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 8c7735c..d05e91e 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -61,7 +61,7 @@ jobs: - name: Scan images env: CFG_PRESET: ${{ matrix.cfg_preset }} - run: source "./.envrc" && ./github/scan.sh + run: source "./.envrc" && ./.github/scan.sh - name: Upload to GitHub Security uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a #CodeQL Bundle v2.23.6 From 6710e232909a86d31dba45139b4fd21e4b475cbb Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Sun, 30 Nov 2025 09:36:49 +0000 Subject: [PATCH 14/20] fix: *.sarif not supported --- .github/workflows/scan.yaml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index d05e91e..27d5f1c 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -64,7 +64,15 @@ jobs: run: source "./.envrc" && ./.github/scan.sh - name: Upload to GitHub Security - uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a #CodeQL Bundle v2.23.6 - with: - sarif_file: '*.sarif' - category: 'trivy-images' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + for sarif_file in *.sarif; do + gh api \ + --method POST \ + -H "Accept: application/vnd.github+json" \ + /repos/"${GITHUB_REPOSITORY}"/code-scanning/sarifs \ + -f commit_sha="${GITHUB_SHA}" \ + -f ref="${GITHUB_REF}" \ + -f sarif="$(gzip -c "$sarif_file" | base64 -w0)" + done From 8f5161060c879ca11833dbfba476a03f8f64f25f Mon Sep 17 00:00:00 2001 
From: Giles Cope Date: Sun, 30 Nov 2025 09:39:22 +0000 Subject: [PATCH 15/20] fix: unauth fix --- .github/workflows/scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 27d5f1c..29f87ad 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -65,7 +65,7 @@ jobs: - name: Upload to GitHub Security env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | for sarif_file in *.sarif; do gh api \ From 19453692f674c76c896045dd307274639034ac07 Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Sun, 30 Nov 2025 10:04:00 +0000 Subject: [PATCH 16/20] feat: skip unfixed --- .github/scan.sh | 10 +++++++++- .github/workflows/scan.yaml | 18 +++++------------- .gitignore | 1 + 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/.github/scan.sh b/.github/scan.sh index 171c27b..be1f11b 100755 --- a/.github/scan.sh +++ b/.github/scan.sh @@ -16,12 +16,20 @@ scan_image() { -v "$(pwd):/output" \ aquasec/trivy:0.67.2 image \ --format sarif \ + --ignore-unfixed \ + --no-progress \ --output "/output/$SARIF_FILE" \ "$image" - + jq --arg image "$image" \ + '.runs[0].automationDetails = { + id: "trivy/\($image)", + description: {text: "Trivy scan for \($image)"} + }' $SARIF_FILE > ./scan_reports/${SARIF_FILE} echo "Completed $SARIF_FILE" } export -f scan_image +mkdir scan_reports + docker compose -f ./compose.yml -f ./compose-partner-chains.yml config --images | \ xargs -I {} bash -c 'scan_image "$@"' _ {} diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 29f87ad..e0697cd 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml 
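Review bot: `mkdir scan_reports` on the new line before the image loop fails when the directory already exists (a second local run, for instance), and because the script does not `set -e` the run continues and the `jq` redirection writes into the existing directory alongside whatever earlier reports are still there; use `mkdir -p scan_reports` and clear it first if stale reports must not be uploaded. `--ignore-unfixed` is a deliberate trade-off that silences findings with no upstream fix; a comment such as `# report only findings with an available fix; unfixed ones would be noise in code scanning` would document the intent, and note that the fs scan in `scan.yaml` applies no such filter, so the two scans are not directly comparable. The `jq` call writes a second copy rather than replacing the original, so both `$SARIF_FILE` in the checkout root and `scan_reports/$SARIF_FILE` remain on disk, and only the latter is uploaded. The opening lines of `scan_image` are above this hunk.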
@@ -61,18 +61,10 @@ jobs: - name: Scan images env: CFG_PRESET: ${{ matrix.cfg_preset }} - run: source "./.envrc" && ./.github/scan.sh + run: ./.github/scan.sh - name: Upload to GitHub Security - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - for sarif_file in *.sarif; do - gh api \ - --method POST \ - -H "Accept: application/vnd.github+json" \ - /repos/"${GITHUB_REPOSITORY}"/code-scanning/sarifs \ - -f commit_sha="${GITHUB_SHA}" \ - -f ref="${GITHUB_REF}" \ - -f sarif="$(gzip -c "$sarif_file" | base64 -w0)" - done + uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a #CodeQL Bundle v2.23.6 + with: + sarif_file: 'scan_reports' + category: 'trivy-images' diff --git a/.gitignore b/.gitignore index 30b7e2e..f831a4b 100644 --- a/.gitignore +++ b/.gitignore @@ -4,4 +4,5 @@ *.password *.secret *.sarif +/scan_reports ogmios_client.log From 223bc845d7d0db77f88b4564e12b19008ef3acc1 Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Sun, 30 Nov 2025 10:10:40 +0000 Subject: [PATCH 17/20] feat: scan qanet --- .github/workflows/scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index e0697cd..79933d6 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -46,7 +46,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - cfg_preset: ['testnet-02'] + cfg_preset: ['testnet-02', 'qanet'] permissions: actions: read contents: read From 008e8bef53e0dea85f02e3a46a25829b0f497d47 Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Mon, 1 Dec 2025 12:07:47 +0000 Subject: [PATCH 18/20] fix: lint issues --- .github/scan.sh | 2 +- .github/workflows/scan.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/scan.sh b/.github/scan.sh index be1f11b..5525137 100755 --- a/.github/scan.sh +++ b/.github/scan.sh 
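Review bot: The matrix now runs `scan-images` for both `testnet-02` and `qanet`, but the `Upload to GitHub Security` step of that job still uploads every preset under the same constant `category: 'trivy-images'`; if both presets yield SARIF for the same image names, the later upload for a given commit and ref appears to supersede the earlier one in code scanning, so findings specific to one preset could be hidden. Include the preset in the category, e.g. `category: trivy-images-${{ matrix.cfg_preset }}`, or in the `automationDetails.id` that `scan.sh` already writes per image (presumably the action's `category` input overrides that id — worth confirming against the upload-sarif documentation). The upload step is below this hunk in the same job.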
@@ -24,7 +24,7 @@ scan_image() { '.runs[0].automationDetails = { id: "trivy/\($image)", description: {text: "Trivy scan for \($image)"} - }' $SARIF_FILE > ./scan_reports/${SARIF_FILE} + }' "$SARIF_FILE" > "./scan_reports/${SARIF_FILE}" echo "Completed $SARIF_FILE" } export -f scan_image diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 79933d6..94cc7bb 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -12,7 +12,7 @@ on: jobs: scan-fs: name: Fs scan code - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: actions: read contents: read From a0a10d04a5ee3c668a74ea34b9d8831ff1cb86dd Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Mon, 1 Dec 2025 12:10:23 +0000 Subject: [PATCH 19/20] feat: remove checkmarx scan --- .github/workflows/checkmarx.yaml | 39 -------------------------------- CODEOWNERS | 2 +- 2 files changed, 1 insertion(+), 40 deletions(-) delete mode 100644 .github/workflows/checkmarx.yaml diff --git a/.github/workflows/checkmarx.yaml b/.github/workflows/checkmarx.yaml deleted file mode 100644 index 51c9d66..0000000 --- a/.github/workflows/checkmarx.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -name: Checkmarx One Scan (Fork-Friendly) - -# use only job-level permissions -permissions: {} - -on: - pull_request_target: # Changed from pull_request to pull_request_target - types: [opened, synchronize, reopened] - branches: [ '**' ] - push: - branches: [ 'main' ] - workflow_dispatch: {} # so you can still run it manually - schedule: - - cron: "0 0 * * *" # run daily at midnight UTC -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref }} - cancel-in-progress: true -jobs: - build: - permissions: - contents: read - pull-requests: write - security-events: write - actions: read # to query workflows/runs - - runs-on: ubuntu-latest - - steps: - # CRITICAL: DO NOT CHECKOUT THE PR CODE - # This is what makes it safe with pull_request_target - - - name: Checkmarx Full Scan - uses: midnightntwrk/upload-sarif-github-action/checkmarx-scan-public@53cdf3148dbbd85518ecc5e8f1ec485852c99c36 - with: - cx-client-id: ${{ secrets.CX_CLIENT_ID }} - cx-client-secret: ${{ secrets.CX_CLIENT_SECRET_EU }} - cx-tenant: ${{ secrets.CX_TENANT }} - scs-repo-token: ${{ secrets.MIDNIGHTCI_REPO }} - upload-to-github: 'true' diff --git a/CODEOWNERS b/CODEOWNERS index 9f17db6..159a095 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,7 +1,7 @@ * @midnightntwrk/mn-codeowners-node-docker /.github/ISSUE_TEMPLATE/ @midnightntwrk/mn-security @midnightntwrk/mn-sre /.github/PULL_REQUEST_TEMPLATE/ @midnightntwrk/mn-security @midnightntwrk/mn-sre -/.github/workflows/checkmarx.yaml @midnightntwrk/mn-security @midnightntwrk/mn-sre +/.github/workflows/scan.yaml @midnightntwrk/mn-security @midnightntwrk/mn-sre /.github/workflows/dependabot.yml @midnightntwrk/mn-security @midnightntwrk/mn-sre CODE_OF_CONDUCT.md @midnightntwrk/mn-security @midnightntwrk/mn-sre CODEOWNERS @midnightntwrk/mn-security @midnightntwrk/mn-sre From 109d5f16b7236e3a39173e16a618313f8fc5e80b Mon Sep 17 00:00:00 2001 
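Review bot: The CODEOWNERS entry swaps `checkmarx.yaml` for `scan.yaml`, but `/.github/scan.sh` — the script that `scan.yaml` executes with `security-events: write`, and which sources `.envrc` and builds every compose image — gets no security/SRE owner, so changes to what CI actually runs could merge without the review the workflow file itself requires; add `/.github/scan.sh @midnightntwrk/mn-security @midnightntwrk/mn-sre` next to the new line. The same reasoning arguably extends to `.envrc` and `.envrc.*`, which the workflow sources on every run; whether those belong to the security owners is a team decision.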
From: Giles Cope Date: Mon, 1 Dec 2025 12:13:00 +0000 Subject: [PATCH 20/20] fix: shell lint --- .github/scan.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/scan.sh b/.github/scan.sh index 5525137..f0826c8 100755 --- a/.github/scan.sh +++ b/.github/scan.sh @@ -5,10 +5,11 @@ source "./.envrc" docker compose -f ./compose.yml -f ./compose-partner-chains.yml build scan_image() { - local image="$1" + local image SAFE_NAME SARIF_FILE + image="$1" echo "Scanning $image..." - local SAFE_NAME=$(echo "$image" | sed 's/[\/:]/-/g') - local SARIF_FILE="${SAFE_NAME}.sarif" + SAFE_NAME=$(echo "$image" | sed 's/[\/:]/-/g') + SARIF_FILE="${SAFE_NAME}.sarif" time docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \