Merge pull request #117 from UKHomeOffice/enhancement/anchore_scan

ASL-4129 Add Anchore Image Scanning as part of build pipelines
UKHomeOffice · Jan 24, 2023 · 52443ad · 52443ad
2 parents 88379b1 + d75004c
commit 52443ad
Show file tree

Hide file tree

Showing 5 changed files with 297 additions and 46 deletions.
diff --git a/.auditrc.json b/.auditrc.json
@@ -1,10 +1,8 @@
 {
   "comments": [
-    "1002373 - this is a lodash vuln that has been withdrawn, see https://github.com/advisories/GHSA-8p5q-j9m2-g8wr",
-    "1002482 - this is an objection vuln that is disputed, see https://github.com/advisories/GHSA-r659-8xfp-j327"
+    "GHSA-4jv9-3563-23j3 - this is a SQL injection vulnerability that only affects MySQL see https://github.com/advisories/GHSA-4jv9-3563-23j3, https://github.com/knex/knex/issues/1227 & https://www.ghostccamm.com/blog/knex_sqli/"
   ],
   "allowlist": [
-    1002373,
-    1002482
+    "GHSA-4jv9-3563-23j3"
   ]
 }
diff --git a/.drone-1.0.yml b/.drone-1.0.yml
@@ -33,7 +33,7 @@ steps:
       NPM_AUTH_TOKEN:
         from_secret: npm_auth_token
     commands:
-      - npm audit --audit-level=high --production
+      - npm run test:audit
   - name: docker build
     image: docker:dind
     environment:
@@ -45,6 +45,12 @@ steps:
         from_secret: npm_auth_token
     commands:
       - docker build --secret id=username,env=NPM_AUTH_USERNAME --secret id=token,env=NPM_AUTH_TOKEN -t asl-notifications .
+  - name: scan-image
+    image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/anchore-submission:latest
+    pull: always
+    environment:
+      IMAGE_NAME: asl-notifications
+      WHITELIST_FILE: cve-exceptions.txt
   - name: docker push
     image: docker:dind
     environment:
@@ -88,3 +94,8 @@ services:
   environment:
     POSTGRES_USER: asl-test
     POSTGRES_PASSWORD: test-password
+- name: anchore-submission-server
+  image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/anchore-submission:latest
+  pull: always
+  commands:
+    - /run.sh server
diff --git a/cve-exceptions.txt b/cve-exceptions.txt
@@ -0,0 +1,26 @@
+CVE-2021-32761
+CVE-2018-12326
+CVE-2022-3734
+CVE-2018-12453
+CVE-2017-18589
+CVE-2021-27482
+CVE-2019-10193
+CVE-2021-29940
+CVE-2021-27478
+CVE-2021-27498
+CVE-2022-24735
+CVE-2019-10192
+CVE-2020-14147
+CVE-2018-11218
+CVE-2017-18589
+CVE-2022-0323
+CVE-2021-27500
+CVE-2022-32511
+CVE-2021-32626
+CVE-2022-0543
+CVE-2016-10517
+CVE-2018-11219
+CVE-2009-4592
+CVE-2009-4591
+CVE-2021-35065
+GHSA-4jv9-3563-23j3