diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f89ccad7..55da9172 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,6 +5,7 @@ on:
   branches:
     - "main"
     - "dev"
+    - "fix/*"
   tags:
     - "v*.*.*"
     - "v*.*.*-*"
diff --git a/.github/workflows/trivy-test-images.yml b/.github/workflows/trivy-test-images.yml
new file mode 100644
index 00000000..159001bb
--- /dev/null
+++ b/.github/workflows/trivy-test-images.yml
@@ -0,0 +1,55 @@
+name: Trivy Docker Image Analysis
+
+on:
+  push:
+    branches:
+      - fix/trivy_findings
+  # Trigger manually
+  workflow_dispatch:
+
+permissions:
+  security-events: write # To upload sarif files
+
+jobs:
+  build-and-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: '3.6.3'
+
+      - name: Set up python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.7'
+
+      # Workaround: https://github.com/docker/build-push-action/issues/461
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          context: .
+          file: ./Dockerfile
+          push: false
+          tags: frontend:latest
+          load: true # Load the image into Docker's local image store
+
+
+      - name: Run Trivy Table
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'image'
+          image-ref: 'frontend:latest'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+          format: 'table'
+
diff --git a/DOCKER_NOTICE.md b/DOCKER_NOTICE.md
index 099c677f..79cb702b 100644
--- a/DOCKER_NOTICE.md
+++ b/DOCKER_NOTICE.md
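Review bot: `uses: aquasecurity/trivy-action@master` in the Run Trivy Table step pulls a mutable branch of a third-party action, while the buildx and build-push-action steps in the same file are pinned to full commit SHAs; pin it the same way, `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`, so the scanner that runs is the one that was reviewed. The job requests `security-events: write` "to upload sarif files", but the scan uses `format: 'table'` and there is no upload step, so either add a SARIF upload or drop the permission to keep the token at least privilege. As written the scan never fails the job on findings, because the action's `exit-code` input defaults to 0, so results at the configured severities only appear in the log; `exit-code: '1'` would make the job gate on them. The Helm and Python setup steps are not used by any later step, and the `fix/trivy_findings` push trigger stops firing once that branch is merged, so consider removing those steps and keeping `workflow_dispatch` (or a schedule) as the trigger.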
@@ -16,7 +16,7 @@ Eclipse Tractus-X product(s) installed within the image:
 **Used base image**
-- Dockerfile: [`nginxinc/nginx-unprivileged:alpine`](https://hub.docker.com/r/nginxinc/nginx-unprivileged)
+- Dockerfile: [`nginxinc/nginx-unprivileged:alpine`](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/Dockerfile-alpine.template)
 - GitHub Project: [nginxinc/docker-nginx-unprivileged](https://github.com/nginxinc/docker-nginx-unprivileged)
 - DockerHub: [nginxinc/nginx-unprivileged](https://hub.docker.com/r/nginxinc/nginx-unprivileged)
diff --git a/Dockerfile b/Dockerfile
index b36015fb..3d5bb5f0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -48,7 +48,7 @@ RUN npm install --ignore-scripts
 RUN npm run build
 # Base image for the final stage
-FROM nginxinc/nginx-unprivileged:stable-alpine
+FROM nginxinc/nginx-unprivileged:alpine
 # Copy Nginx configuration file
 COPY .conf/nginx.conf /etc/nginx/conf.d/default.conf
@@ -67,8 +67,6 @@ COPY ./scripts/inject-dynamic-env.sh /docker-entrypoint.d/00-inject-dynamic-env.
 RUN chmod +x /docker-entrypoint.d/00-inject-dynamic-env.sh
-# Update vulnerable packages
-RUN apk update
 # Change ownership and switch back to nginx user
 RUN chown -R 101:101 /usr/share/nginx/html/
diff --git a/README.md b/README.md
index ba1fc6a4..8907920c 100644
--- a/README.md
+++ b/README.md
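Review bot: `FROM nginxinc/nginx-unprivileged:alpine` moves the final stage from the `stable-alpine` tag to a floating mainline tag, so each rebuild may silently pick up a different nginx and Alpine release and the image scanned in CI need not be the one shipped; if the goal is to track fixes, pin the digest (`FROM nginxinc/nginx-unprivileged:alpine@sha256:<digest>`) and have a dependency bot bump it. In the second Dockerfile hunk, removing `RUN apk update` is harmless on its own, since that command only refreshed the package index and never upgraded anything, which made the "Update vulnerable packages" comment misleading. Nothing in the diff replaces it, though: if upgrading OS packages in the final stage was the intent, that is `RUN apk upgrade --no-cache`, and it has to run while the stage is still root (the user switch this stage relies on is outside the hunk).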
@@ -14,20 +14,6 @@ This dashboard calculates a risk score per country based on information regardin
 Country risk refers to the risk of investing or lending money in a country, arising from possible changes in the business environment that may adversely affect operating profits or the value of assets in the country. For example, financial factors such as currency controls, devaluation or regulatory changes, or stability factors such as mass riots, civil war and other potential events contribute to companies' operational risks. This term is also sometimes referred to as political risk - however, country risk is a more general term that generally refers only to risks affecting all companies operating within or involved with a particular country.
-## Container images
-
-This application provides container images for demonstration purposes. The base image used, to build this demo application image is `node:18-alpine` and `nginxinc/nginx-unprivileged:stable-alpine`
-
-Docker Hub:
-
-* [node:18-alpine](https://hub.docker.com/_/node)
-* [nginxinc](https://hub.docker.com/r/nginxinc/nginx-unprivileged)
-
-Source:
-
-* [node repo info](https://github.com/docker-library/repo-info/tree/master/repos/node)
-* [nginxinc repo info](https://github.com/nginxinc/docker-nginx-unprivileged/pkgs/container/nginx-unprivileged)
 ## More documentation
diff --git a/charts/country-risk/Chart.yaml b/charts/country-risk/Chart.yaml
index 2514cf59..603bd9cf 100644
--- a/charts/country-risk/Chart.yaml
+++ b/charts/country-risk/Chart.yaml
@@ -20,7 +20,8 @@ apiVersion: v2
 name: country-risk
 type: application
-version: 1.1.0
+version: 1.1.1
+appVersion: "1.2.0"
 description: A Helm chart for deploying the Country Risk service
 home: https://github.com/eclipse-tractusx/vas-country-risk-frontend
 sources:
@@ -37,6 +38,6 @@ dependencies:
     repository: https://helm.runix.net
     version: 1.x.x
   - name: country-risk-backend
-    version: 3.0.1
+    version: 3.0.2
   - name: country-risk-frontend
-    version: 3.0.1
+    version: 3.0.2
diff --git a/charts/country-risk/charts/country-risk-backend/Chart.yaml b/charts/country-risk/charts/country-risk-backend/Chart.yaml
index 814fd561..c95cb763 100644
--- a/charts/country-risk/charts/country-risk-backend/Chart.yaml
+++ b/charts/country-risk/charts/country-risk-backend/Chart.yaml
@@ -36,7 +36,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.0.1
+version: 3.0.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/country-risk/charts/country-risk-backend/values.yaml b/charts/country-risk/charts/country-risk-backend/values.yaml
index 3ff02cbf..e0dd831a 100644
--- a/charts/country-risk/charts/country-risk-backend/values.yaml
+++ b/charts/country-risk/charts/country-risk-backend/values.yaml
@@ -64,6 +64,9 @@ securityContext:
   runAsUser: 10001
   # -- Specifies the group ID that the process inside the container should run
   runAsGroup: 3000
+  # -- Specifies Seccomp profile
+  seccompProfile:
+    type: RuntimeDefault
   # -- Capabilities that the process inside the container should have
   capabilities:
     drop:
diff --git a/charts/country-risk/charts/country-risk-frontend/Chart.yaml b/charts/country-risk/charts/country-risk-frontend/Chart.yaml
index 78b99676..20fb4009 100644
--- a/charts/country-risk/charts/country-risk-frontend/Chart.yaml
+++ b/charts/country-risk/charts/country-risk-frontend/Chart.yaml
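Review bot: `seccompProfile: type: RuntimeDefault` is added under the container-level `securityContext` here and at the same place in the frontend values.yaml hunk; the field is only honoured by Kubernetes 1.19 and newer, so the chart's `kubeVersion` constraint (outside the hunk) should state that floor, or older clusters will deploy without the profile the values file claims to set. The neighbouring comments follow the helm-docs `# --` style and spell out what the value does, so the new one could match, e.g. `# -- Seccomp profile for the container; RuntimeDefault applies the container runtime's default profile`. Whether the pod-level securityContext also sets the profile is not visible here; setting it there as well would cover init and sidecar containers that do not carry their own securityContext.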
@@ -34,7 +34,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.0.1
+version: 3.0.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/country-risk/charts/country-risk-frontend/values.yaml b/charts/country-risk/charts/country-risk-frontend/values.yaml
index f5a35e18..65285252 100644
--- a/charts/country-risk/charts/country-risk-frontend/values.yaml
+++ b/charts/country-risk/charts/country-risk-frontend/values.yaml
@@ -64,6 +64,9 @@ securityContext:
   runAsUser: 101
   # -- Specifies the group ID that the process inside the container should run
   runAsGroup: 3000
+  # -- Specifies Seccomp profile
+  seccompProfile:
+    type: RuntimeDefault
   # -- Capabilities that the process inside the container should have
   capabilities:
     drop: