8 changes: 5 additions & 3 deletions .envrc
@@ -1,6 +1,8 @@
# If your on windows use wsl / git bash / cygwin / msys2 with direnv
# If your on windows please use wsl2 with git bash / cygwin / msys2 with direnv

export CFG_PRESET=testnet-02
if [ -z "$CFG_PRESET" ]; then
export CFG_PRESET=testnet-02
fi

source ./.envrc.${CFG_PRESET}

Expand Down Expand Up @@ -41,7 +43,7 @@ export APPEND_ARGS="--allow-private-ip --pool-limit 10 --trie-cache-size 0 --pro
# Validator Values:
if [ ! -f node.privatekey ]; then
# generate node key like this:
DOCKER_DEFAULT_PLATFORM=linux/amd64 docker run --rm -it docker.io/parity/subkey:latest generate-node-key | sed -n '2p' > midnight-node.privatekey
DOCKER_DEFAULT_PLATFORM=linux/amd64 docker run --rm -i docker.io/parity/subkey:latest generate-node-key | sed -n '2p' > midnight-node.privatekey
# Use the second line of output for NODE_KEY (that's what sed -n '2p' does)
fi
export NODE_KEY="$(cat ./midnight-node.privatekey)"
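Review bot: The guard `if [ ! -f node.privatekey ]; then` tests a different file than the one the changed `docker run ... > midnight-node.privatekey` line writes and `export NODE_KEY="$(cat ./midnight-node.privatekey)"` reads, so unless `node.privatekey` is created elsewhere the key is regenerated and NODE_KEY changes on every load of this file; the condition should be `if [ ! -f midnight-node.privatekey ]; then`. The `if`/`fi` pair is fully visible in the hunk, but the surrounding file continues outside it. In the first hunk `CFG_PRESET` is now taken from the environment when set, so the unquoted `source ./.envrc.${CFG_PRESET}` should become `source "./.envrc.${CFG_PRESET}"` and be preceded by an existence check such as `[ -f "./.envrc.${CFG_PRESET}" ] || echo "unknown CFG_PRESET: ${CFG_PRESET}" >&2` so a typo in a CI matrix value fails visibly instead of silently loading nothing.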
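--- /dev/null
+++ b/.github/scan.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+source "./.envrc"
+
+docker compose -f ./compose.yml -f ./compose-partner-chains.yml build
+
+scan_image() {
+local image SAFE_NAME SARIF_FILE
+image="$1"
+echo "Scanning $image..."
+SAFE_NAME=$(echo "$image" | sed 's/[\/:]/-/g')
+SARIF_FILE="${SAFE_NAME}.sarif"
+
+time docker run --rm \
+-v /var/run/docker.sock:/var/run/docker.sock \
+-v trivy-cache:/root/.cache \
+-v "$(pwd):/output" \
+aquasec/trivy:0.67.2 image \
+--format sarif \
+--ignore-unfixed \
+--no-progress \
+--output "/output/$SARIF_FILE" \
+"$image"
+jq --arg image "$image" \
+'.runs[0].automationDetails = {
+id: "trivy/\($image)",
+description: {text: "Trivy scan for \($image)"}
+}' "$SARIF_FILE" > "./scan_reports/${SARIF_FILE}"
+echo "Completed $SARIF_FILE"
+}
+export -f scan_image
+
+mkdir scan_reports
+
+docker compose -f ./compose.yml -f ./compose-partner-chains.yml config --images | \
+xargs -I {} bash -c 'scan_image "$@"' _ {}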
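Review bot: A failed build or scan is never reported: the script sets no `set -e`/`pipefail`, and in `xargs -I {} bash -c 'scan_image "$@"' _ {}` the function's exit status is that of its final `echo`, so a `docker run ... aquasec/trivy` that exits non-zero still prints `Completed ...`, xargs returns 0 and the CI step passes with a missing or truncated SARIF. Suggest `set -eo pipefail` directly after the shebang, `set -u` only after the `source "./.envrc"` line (the sourced file tests `$CFG_PRESET` unguarded), and `xargs -I {} bash -ec 'scan_image "$@"' _ {}` so each per-image failure propagates (GNU xargs then exits 123 and, with pipefail, so does the script). `mkdir scan_reports` should be `mkdir -p scan_reports` so a rerun in an existing checkout does not fail before any scan runs. The new script is executed by a security-owned workflow but, as far as the visible CODEOWNERS hunk shows, is covered only by the default `*` rule; an explicit `/.github/scan.sh` entry would keep its ownership aligned with `/.github/workflows/scan.yaml`.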
39 changes: 0 additions & 39 deletions .github/workflows/checkmarx.yaml

This file was deleted.

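--- /dev/null
+++ b/.github/workflows/scan.yaml
@@ -0,0 +1,70 @@
+name: Scan
+
+permissions: {}
+
+# Run on pushes to any branch and pull requests
+on:
+push:
+branches: ['main']
+pull_request:
+branches: ['**']
+
+jobs:
+scan-fs:
+name: Fs scan code
+runs-on: ubuntu-latest
+permissions:
+actions: read
+contents: read
+security-events: write
+statuses: write
+steps:
+- name: Check out code
+uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+with:
+fetch-depth: 0
+
+- name: Run Trivy vulnerability scanner
+uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
+with:
+version: 'v0.67.2'
+scan-type: 'fs'
+scanners: 'vuln,secret,misconfig'
+format: 'sarif'
+output: 'trivy-results.sarif'
+severity: 'CRITICAL,HIGH,MEDIUM'
+
+- name: Upload SARIF file
+uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a
+if: success() || failure()
+with:
+sarif_file: trivy-results.sarif
+category: 'trivy-fs'
+
+scan-images:
+name: Build and scan code
+runs-on: ubuntu-latest
+strategy:
+matrix:
+cfg_preset: ['testnet-02', 'qanet']
+permissions:
+actions: read
+contents: read
+security-events: write
+statuses: write
+steps:
+- name: Check out code
+uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+with:
+fetch-depth: 0
+
+- name: Scan images
+env:
+CFG_PRESET: ${{ matrix.cfg_preset }}
+run: ./.github/scan.sh
+
+- name: Upload to GitHub Security
+uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a #CodeQL Bundle v2.23.6
+with:
+sarif_file: 'scan_reports'
+category: 'trivy-images'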
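Review bot: The comment `# Run on pushes to any branch and pull requests` contradicts the trigger under it, which limits `push` to `branches: ['main']`; change it to `# Run on pushes to main and on every pull request`. The SHA pins on `aquasecurity/trivy-action@b6643a29…` and the first `github/codeql-action/upload-sarif@ce729e4d…` carry no version comment, unlike `actions/checkout@… #v5.0.0` and the second upload-sarif `#CodeQL Bundle v2.23.6`; adding the corresponding `# vX.Y.Z` comment (value to be taken from the pinned release) to each keeps the pins auditable and consistent. The `scan-images` upload step also lacks the `if: success() || failure()` that `scan-fs` uses, so once `./.github/scan.sh` starts returning non-zero on a failed scan, reports already written under `scan_reports` would not be uploaded; if partial results are wanted in Code Scanning, mirror that condition here.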
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -2,4 +2,7 @@
/data
*.privatekey
*.password
*.secret
*.sarif
/scan_reports
ogmios_client.log
2 changes: 1 addition & 1 deletion CODEOWNERS
@@ -1,7 +1,7 @@
* @midnightntwrk/mn-codeowners-node-docker
/.github/ISSUE_TEMPLATE/ @midnightntwrk/mn-security @midnightntwrk/mn-sre
/.github/PULL_REQUEST_TEMPLATE/ @midnightntwrk/mn-security @midnightntwrk/mn-sre
/.github/workflows/checkmarx.yaml @midnightntwrk/mn-security @midnightntwrk/mn-sre
/.github/workflows/scan.yaml @midnightntwrk/mn-security @midnightntwrk/mn-sre
/.github/workflows/dependabot.yml @midnightntwrk/mn-security @midnightntwrk/mn-sre
CODE_OF_CONDUCT.md @midnightntwrk/mn-security @midnightntwrk/mn-sre
CODEOWNERS @midnightntwrk/mn-security @midnightntwrk/mn-sre