adding trivy nightly scan (#504)

Consensys · May 4, 2023 · 53e60e7 · 53e60e7
1 parent d844f3a
commit 53e60e7
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -29,6 +29,15 @@ executors:
       JAVA_TOOL_OPTIONS: -Xmx4096m
       GRADLE_OPTS: -Dorg.gradle.daemon=false -Dorg.gradle.parallel=true -Dorg.gradle.workers.max=4 -Xmx4096m
 
+  trivy_executor:
+    docker:
+      - image: docker:stable-git
+        auth:
+          username: $DOCKER_USER_RO
+          password: $DOCKER_PASSWORD_RO  
+    resource_class: small
+    working_directory: ~/project
+
 commands:
   prepare:
     description: "Prepare"
@@ -198,7 +207,25 @@ jobs:
 
             ./gradlew --no-daemon --parallel "-Pbranch=${CIRCLE_BRANCH}" dockerUpload
       - notify
-
+
+  dockerScan:
+    executor: trivy_executor
+    steps:
+      - prepare
+      - setup_remote_docker:
+          docker_layer_caching: false
+      - run:
+          name: Install trivy
+          command: |
+            apk add --update-cache --upgrade curl bash
+            curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+      - run:
+          name: Scan with trivy
+          shell: /bin/sh
+          command: |
+            trivy -q image --exit-code 1 --no-progress --severity HIGH,CRITICAL --ignorefile "gradle/trivyignore.txt" --timeout 10m "consensys/ethsigner:develop" 
+      - notify
+
 workflows:
   version: 2
   nightly:
@@ -213,6 +240,9 @@ workflows:
       - build:
           context:
             - protocols-dockerhub
+      - dockerScan:            
+          context:
+            - protocols-dockerhub
       - acceptanceTests:
           requires:
             - build

diff --git a/gradle/trivyignore.txt b/gradle/trivyignore.txt
@@ -0,0 +1,2 @@
+# Only applicable when parsing yaml from untrusted sources
+CVE-2022-1471