diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 883b113..772e81e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - 'main'
+ - 'devops/add-docker-security-r3'
 tags:
 - '*'
@@ -19,7 +20,13 @@ jobs:
 docker_pipeline:
 needs: ["lint_test"]
- uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.7.0
+ uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.10.2
+ permissions:
+ # required for all workflows
+ security-events: write
+ # required to fetch internal or private CodeQL packs
+ packages: read
 secrets: inherit
 with:
 publish: true
+ docker_scan: true
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..1d2762e
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,8 @@
+# LND < 0.17.0 issue, not fixing
+CVE-2024-27304
+GHSA-7jwh-3vrq-q3m8
+CVE-2024-27289
+CVE-2024-38359
+
+# Go-ethereum related
+CVE-2024-32972
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 51ae9e5..8eb0b5b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 ### Improvements
+
+* [#92](https://github.com/babylonlabs-io/btc-staker/pull/92) CI: Enable Dockerfile and image scanning
 * [#99](https://github.com/babylonlabs-io/btc-staker/pull/99) Bump babylon version and adapt staker to the changes
diff --git a/Dockerfile b/Dockerfile
index 37b4cd2..cfcedb7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,8 @@
 FROM golang:1.23.1 AS builder
 # Install cli tools for building and final image
-RUN apt-get update && apt-get install -y make git bash gcc curl jq
+# hadolint ignore=DL3008
+RUN apt-get update && apt-get install --no-install-recommends -y make git bash gcc curl jq && rm -rf /var/lib/apt/lists/*
 # Build
 WORKDIR /go/src/github.com/babylonlabs-io/btc-staker
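Review bot: The added `devops/add-docker-security-r3` branch trigger makes this publish workflow run on pushes to what looks like a feature branch, and the `docker_pipeline` job in the next hunk is called with `publish: true`, so every push there would presumably publish an image rather than only scan it. If the branch is only meant to exercise the new scanning, gate publishing on `main` and tags instead (for example `publish: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}`) or drop the branch entry before merging.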
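Review bot: Declaring `permissions:` on the `docker_pipeline` job resets every scope not listed to `none`, so the called workflow now runs with only `security-events: write` and `packages: read`; if `reusable_docker_pipeline.yml` checks out the repository or pushes the image to GHCR with `GITHUB_TOKEN`, it would also need `contents: read` and `packages: write`, which is worth confirming against the v0.10.2 reusable workflow (not visible here). The two comments read as copied from generic CodeQL documentation and do not say what this job needs the scopes for; `# upload scan results (SARIF) to the Security tab` over `security-events: write` would explain the intent better than `# required for all workflows`. Pinning `uses:` to a commit SHA rather than the mutable `@v0.10.2` tag would also tighten the supply chain of the pipeline that builds the published image.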
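Review bot: The suppressed IDs carry no expiry and no reason beyond `not fixing`, so they will keep masking these findings in every future scan, including after the dependency they belong to is bumped. Trivy accepts an expiration per entry in this file (`CVE-2024-27304 exp:<YYYY-MM-DD>`); add one to each ID and a comment line above each group stating why the finding does not apply to this image (unreachable code path, version constraint, tracking issue link) rather than only naming the component. The file also lacks a trailing newline, which the diff flags.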
@@ -18,17 +19,19 @@ RUN BUILD_TAGS=netgo \
 # FINAL IMAGE
 FROM debian:bookworm-slim AS run
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN addgroup --gid 1138 --system btcstaker && adduser --uid 1138 --system --home /home/btcstaker btcstaker
-RUN apt-get update && apt-get install -y bash curl jq wget
+# hadolint ignore=DL3008
+RUN apt-get update && apt-get install --no-install-recommends -y ca-certificates bash curl jq wget && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /go/src/github.com/babylonlabs-io/btc-staker/go.mod /tmp
 RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm /tmp/go.mod | cut -d' ' -f2) && \
- wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm.$(uname -m).so \
- -O /lib/libwasmvm.$(uname -m).so && \
+ wget --progress=dot:giga https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/libwasmvm."$(uname -m)".so \
+ -O /lib/libwasmvm."$(uname -m)".so && \
 # verify checksum
- wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
- sha256sum /lib/libwasmvm.$(uname -m).so | grep $(cat /tmp/checksums.txt | grep libwasmvm.$(uname -m) | cut -d ' ' -f 1)
+ wget --progress=dot:giga https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/checksums.txt -O /tmp/checksums.txt && \
+ sha256sum /lib/libwasmvm."$(uname -m)".so | grep "$(cat /tmp/checksums.txt | grep libwasmvm."$(uname -m)" | cut -d ' ' -f 1)"
 RUN rm -f /tmp/go.mod
 COPY --from=builder /go/src/github.com/babylonlabs-io/btc-staker/build/stakerd /bin/stakerd
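Review bot: The checksum comparison on the last `+` line of the wasmvm `RUN` still passes vacuously when the expected hash is empty: the inner `$(cat … | grep … | cut …)` runs in a command substitution, so a failing `grep` there is invisible to the new `pipefail`, and `grep ""` then matches whatever `sha256sum` prints (for example when checksums.txt does not list this architecture or the download returned an error page instead of the file). The match is also a regex substring match, so the `.` in the file name and a partial hash are accepted. A stricter form resolves the expected hash into a variable, fails the build when it is empty, and lets `sha256sum -c` do an exact comparison; the rest of the hunk is unaffected.
```dockerfile
RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm /tmp/go.mod | cut -d' ' -f2) && \
    ARCH="$(uname -m)" && \
    wget --progress=dot:giga https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/libwasmvm."$ARCH".so \
    -O /lib/libwasmvm."$ARCH".so && \
    # verify checksum: fail the build if no expected hash is found, then compare exactly
    wget --progress=dot:giga https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/checksums.txt -O /tmp/checksums.txt && \
    EXPECTED="$(grep -F "libwasmvm.$ARCH.so" /tmp/checksums.txt | cut -d ' ' -f 1)" && \
    test -n "$EXPECTED" && \
    echo "$EXPECTED  /lib/libwasmvm.$ARCH.so" | sha256sum -c -
# … unchanged: RUN rm -f /tmp/go.mod, COPY stakerd …
```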