ci: add image scanning (#424)

* ci(security): introduce image scanning step * 7.2.2-rc.0 * build(Dockerfile): update nodejs to version v22
mia-platform · Dec 13, 2024 · 44edeca · 44edeca
1 parent a0b0224
commit 44edeca
Show file tree

Hide file tree

Showing 8 changed files with 463 additions and 671 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -49,6 +49,7 @@ jobs:
       github_cr_token: ${{ secrets.GITHUB_TOKEN }}
       nexus_username: ${{ secrets.NEXUS_USER }}
       nexus_token: ${{ secrets.NEXUS_TOKEN }}
+      sysdig_token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
 
   security-checks:
     needs:

diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
@@ -13,7 +13,9 @@ on:
         required: true
       nexus_token:
         required: true
-      kms_gcp_poject:
+      sysdig_token:
+        required: true
+      kms_gcp_project:
         required: false
       gcp_wif:
         required: false
@@ -97,6 +99,15 @@ jobs:
         platforms: linux/amd64 # ${{ steps.buildx.outputs.platforms }} use this for multiarch images
         cache-from: type=gha
         cache-to: type=gha,mode=max
+    - name: Scan image
+      uses: sysdiglabs/scan-action@0065d3b93bd4115371b55720251adb1d228fe188 # v5.1.1
+      with:
+        image-tag: nexus.mia-platform.eu/core/crud-service:${{ steps.meta.output.version.main }}
+        sysdig-secure-url: "https://eu1.app.sysdig.com"
+        sysdig-secure-token: ${{ secrets.sysdig_token }}
+        registry-user: ${{ secrets.nexus_username }}
+        registry-password: ${{ secrets.nexus_token }}
+        stop-on-processing-error: true
     - name: Generate SBOM
       uses: anchore/sbom-action@55dc4ee22412511ee8c3142cbea40418e6cec693 # v0.17.8
       if: github.ref_type == 'tag'

diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
@@ -25,6 +25,7 @@ jobs:
       kms_gcp_project: ${{ secrets.MIA_PLATFORM_KMS_GCP_PROJECT }}
       gcp_wif: ${{ secrets.MIA_PLATFORM_WIF }}
       cosign_key: ${{ secrets.MIA_PLATFORM_KEY_KMS }}
+      sysdig_token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
 
   release:
     runs-on: ubuntu-latest

diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-lts/iron
+lts/jod
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Changed
+
+- updated service dependencies
+- upgrade NodeJS version in Docker image to v22.12.0
+
+### CI
+
+- added step for generating SBOM (Software Bill of Materials)
+- added step for scanning the built image
+
 ## 7.2.1 - 2024-10-08
 
 ### Fixed

diff --git a/Dockerfile b/Dockerfile
@@ -5,7 +5,7 @@ ARG TARGETARCH
 
 WORKDIR /cryptd
 
-ARG CRYPTD_VERSION=7.0.14
+ARG CRYPTD_VERSION=7.0.15
 ARG CRYPTD_OS=debian12
 
 # debian doesn't suppport arm architecture for now, if we switch to ubuntu we can uncomment the arm bit
@@ -23,7 +23,7 @@ RUN case "${TARGETARCH}" in \
 
 ########################################################################################################################
 
-FROM docker.io/library/node:20.18.0-bookworm-slim@sha256:967bab29ecde5d59a6dd781054bf9021eee8116068e1f5cb139750b6bc6a75e9 AS build
+FROM docker.io/library/node:22.12.0-bookworm-slim@sha256:a4b757cd491c7f0b57f57951f35f4e85b7e1ad54dbffca4cf9af0725e1650cd8 AS build
 
 ENV NODE_ENV=production
 
@@ -40,7 +40,7 @@ COPY . .
 
 # create a CRUD Service image that does not support automatic CSFLE
 # and therefore it can be employed by everybody in any MongoDB product
-FROM docker.io/library/node:20.18.0-bookworm-slim@sha256:967bab29ecde5d59a6dd781054bf9021eee8116068e1f5cb139750b6bc6a75e9 AS crud-service-no-encryption
+FROM docker.io/library/node:22.12.0-bookworm-slim@sha256:a4b757cd491c7f0b57f57951f35f4e85b7e1ad54dbffca4cf9af0725e1650cd8 AS crud-service-no-encryption
 
 ARG COMMIT_SHA
 ARG DEBIAN_FRONTEND=noninteractive