Check Docker images for vulnerabilities

hemilabs · Mar 4, 2025 · ce0e651 · ce0e651
1 parent 1993cee
commit ce0e651
Show file tree

Hide file tree

Showing 9 changed files with 69 additions and 11 deletions.
diff --git a/.github/actions/docker-build-push/action.yml b/.github/actions/docker-build-push/action.yml
@@ -25,6 +25,9 @@ runs:
       uses: docker/metadata-action@v5
       with:
         images: ${{ inputs.images }}
+        tags: |
+          type=ref
+          type=sha
     - uses: docker/login-action@v3
       with:
         password: ${{ inputs.dockerHubPassword }}
@@ -34,5 +37,7 @@ runs:
         context: ${{ inputs.context }}
         labels: ${{ steps.meta.outputs.labels }}
         platforms: linux/amd64
+        provenance: true
         push: true
+        sbom: true
         tags: ${{ steps.meta.outputs.tags }}
diff --git a/.github/workflows/build-push-images.yml b/.github/workflows/build-push-images.yml
@@ -7,11 +7,18 @@ on:
     paths:
       - 'staking-points/**'
       - 'token-prices/**'
-  workflow_dispatch:
 
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/docker-build-push
+        with:
+          context: ${{ matrix.context }}
+          dockerHubPassword: ${{ secrets.DOCKERHUB_TOKEN }}
+          dockerHubUsername: ${{ secrets.DOCKERHUB_USERNAME }}
+          images: ${{ matrix.image }}
     strategy:
       matrix:
         include:
@@ -21,11 +28,3 @@ jobs:
             image: hemilabs/token-prices-api
           - context: token-prices/cron
             image: hemilabs/token-prices-cron
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/docker-build-push
-        with:
-          context: ${{ matrix.context }}
-          dockerHubPassword: ${{ secrets.DOCKERHUB_TOKEN }}
-          dockerHubUsername: ${{ secrets.DOCKERHUB_USERNAME }}
-          images: ${{ matrix.image }}
diff --git a/.github/workflows/docker-checks.yml b/.github/workflows/docker-checks.yml
@@ -0,0 +1,35 @@
+name: Docker Checks
+
+on:
+  pull_request:
+    paths:
+      - 'staking-points/**'
+      - 'token-prices/**'
+  push:
+    paths:
+      - 'staking-points/**'
+      - 'token-prices/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
+  cancel-in-progress: true
+
+jobs:
+  docker-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: docker build --tag ${{ github.repository }}:${{ github.sha }} ${{ matrix.context }}
+      - uses: aquasecurity/[email protected]
+        with:
+          exit-code: 1
+          ignore-unfixed: true
+          image-ref: ${{ github.repository }}:${{ github.sha }}
+          severity: HIGH,CRITICAL
+          skip-dirs: /root/.npm
+    strategy:
+      matrix:
+        context:
+          - staking-points
+          - token-prices/api
+          - token-prices/cron
diff --git a/staking-points/Dockerfile b/staking-points/Dockerfile
@@ -2,6 +2,9 @@ FROM node:20.18.3-alpine
 
 ENV NODE_ENV=production
 
+# Fix the cross-spawn vulnerability in the preinstalled npm version
+RUN npm i --global [email protected]
+
 WORKDIR /app
 
 COPY package*.json .

diff --git a/staking-points/README.md b/staking-points/README.md
@@ -33,5 +33,5 @@ Then the points for a user can be obtained as follows:
 
 ```console
 $ curl http://localhost:3002/0x85e0D9e73c12eFE889750f44422a77B544D48d17
-{"points":270644}
+{"points":270655}
 ```
diff --git a/token-prices/README.md b/token-prices/README.md
@@ -55,5 +55,5 @@ Then the prices can be obtained as follows:
 
 ```console
 $ curl http://localhost:3001
-{"prices":{"BTC":"94514.79193898945","M-BTC":"95894.52612269788","PUMPBTC":"95990.74415080296","WBTC":"95797.80677773379"},"time":"2025-02-17T23:12:35.803Z"}
+{"prices":{"BTC":"94514.79193898945","M-BTC":"95894.52612269788","PUMPBTC":"95990.74415080296","WBTC":"95797.80677773379"},"time":"2025-02-17T23:12:35.804Z"}
 ```
diff --git a/token-prices/api/Dockerfile b/token-prices/api/Dockerfile
@@ -2,6 +2,9 @@ FROM node:20.18.3-alpine
 
 ENV NODE_ENV=production
 
+# Fix the cross-spawn vulnerability in the preinstalled npm version
+RUN npm i --global [email protected]
+
 WORKDIR /app
 
 COPY package*.json .

diff --git a/token-prices/cron/Dockerfile b/token-prices/cron/Dockerfile
@@ -2,6 +2,9 @@ FROM node:20.18.3-alpine
 
 ENV NODE_ENV=production
 
+# Fix the cross-spawn vulnerability in the preinstalled npm version
+RUN npm i --global [email protected]
+
 WORKDIR /app
 
 COPY package*.json .

diff --git a/token-prices/notes.md b/token-prices/notes.md
@@ -0,0 +1,10 @@
+# Notes
+
+```js
+// const other = [
+//   'bedrock-btc',
+//   'ether-fi-staked-btc',
+//   'lombard-staked-btc'
+// ]
+// const notfound = ['enzoBTC', 'ibtc', 'obtc', 'ubtc']
+```