Add Hadolint and Trivy Checks (#557)

* Add Hadolint and Trivy Checks * fix: Resolve 'no more disk space' --------- Co-authored-by: Harald Heckmann <mail@haraldheckmann.de>
zeitgeistpm · Aug 3, 2023 · 82ead37 · 82ead37
1 parent 41a2564
commit 82ead37
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 4 deletions.
diff --git a/.github/workflows/docker-hub-parachain.yml b/.github/workflows/docker-hub-parachain.yml
@@ -7,7 +7,17 @@ on:
       - '^v[0-9]+.[0-9]+.[0-9]+$'
 
 jobs:
+  hadolint:
+    runs-on: ubuntu-20.04
+    name: "Hadolint"
+    steps:
+      - uses: actions/checkout@v3
+      - uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: "./Dockerfile"
+
   publish:
+    needs: hadolint
     name: Publish
     runs-on: ubuntu-latest
     steps:
@@ -48,7 +58,15 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-
+
+      - name: Trivy Scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'zeitgeistpm/zeitgeist-node-parachain:latest'
+          format: 'sarif'
+          output: 'zeitgeist-node-parachain-report.sarif'
+          severity: 'HIGH,CRITICAL'
+
       - name: Update image version of the existing Zeitgeist network spec
         uses: "OnFinality-io/action-onf-release@v1"
         with:
@@ -69,4 +87,4 @@ jobs:
           onf-network-key: ${{ secrets.ONF_NETWORK_KEY_BS }}
           onf-sub-command: image
           onf-action: add
-          image-version: ${{ steps.vars.outputs.tag }}
+          image-version: ${{ steps.vars.outputs.tag }}
diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml
@@ -7,7 +7,17 @@ on:
     tags: [ '*' ]
 
 jobs:
+  hadolint:
+    runs-on: ubuntu-20.04
+    name: "Hadolint"
+    steps:
+      - uses: actions/checkout@v3
+      - uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: "./Dockerfile"
+
   publish:
+    needs: hadolint
     name: Publish
     runs-on: ubuntu-latest
     steps:
@@ -28,3 +38,11 @@ jobs:
           else
             ./scripts/docker-hub-publish.sh ${GITHUB_SHA}
           fi
+
+      - name: Trivy Scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'zeitgeistpm/zeitgeist-node:latest'
+          format: 'sarif'
+          output: 'zetgeist-node-report.sarif'
+          severity: 'HIGH,CRITICAL'
diff --git a/.hadolint.yml b/.hadolint.yml
@@ -0,0 +1,3 @@
+ignored: 
+  - SC1091
+  - SC2115
diff --git a/Dockerfile b/Dockerfile
@@ -13,10 +13,12 @@ WORKDIR /zeitgeist
 COPY . /zeitgeist
 
 RUN apt-get update && \
-    apt-get dist-upgrade -y -o Dpkg::Options::="--force-confold"
-
+    apt-get upgrade -y -o Dpkg::Options::="--force-confold"
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN ./scripts/init.sh nosudo
 
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN . "$HOME/.cargo/env" && cargo build --profile "$PROFILE" --features "$FEATURES"
 
 # ==== SECOND STAGE ====