Merge pull request hyperledger#123 from kaleido-io/vuln-check

adding high/critical severity vuln checks
kaleido-io · May 14, 2024 · 5403101 · 5403101
1 parent 9578869
commit 5403101
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,3 @@
+# not relevant to the way grpc is used in fabconnect
+# see https://github.com/hyperledger/firefly-fabconnect/pull/123#discussion_r1543748524
+GHSA-m425-mq94-257g
diff --git a/Dockerfile b/Dockerfile
@@ -7,10 +7,19 @@ RUN mkdir /.cache \
     && chmod -R g+rwX /.cache
 RUN make
 
+FROM alpine:3.19 AS SBOM
+WORKDIR /
+COPY . /SBOM
+RUN apk add --no-cache curl
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.3
+RUN trivy fs --format spdx-json --output /sbom.spdx.json /SBOM
+RUN trivy sbom /sbom.spdx.json --severity UNKNOWN,HIGH,CRITICAL --exit-code 1 --ignorefile /SBOM/.trivyignore
+
 FROM alpine:3.19
 RUN apk add curl
 WORKDIR /fabconnect
 COPY --from=fabconnect-builder /fabconnect/fabconnect ./
 ADD ./openapi ./openapi/
 RUN ln -s /fabconnect/fabconnect /usr/bin/fabconnect
+COPY --from=SBOM /sbom.spdx.json /sbom.spdx.json
 ENTRYPOINT [ "fabconnect" ]