RISDEV-5880 Create frontend image (#15)

digitalservicebund · Dec 17, 2024 · 2d04c09 · 2d04c09
1 parent c343b68
commit 2d04c09
Show file tree

Hide file tree

Showing 3 changed files with 112 additions and 3 deletions.
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -11,6 +11,12 @@ on:
   # Allow to run this workflow manually
   workflow_dispatch:
 
+
+env:
+  CONTAINER_REGISTRY: ghcr.io
+  CONTAINER_IMAGE_NAME: ${{ github.repository }}
+  CONTAINER_IMAGE_VERSION: ${{ github.event.pull_request.head.sha || github.sha }}
+
 jobs:
   ##############################################
   # jobs dispatched to separate workflow files #
@@ -26,3 +32,100 @@ jobs:
     permissions:
       contents: read
       security-events: write # trivy scan needs this
+
+  frontend-build-image-and-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build frontend image
+        run: docker build --file prod.Dockerfile --tag ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} .
+      - name: Run Trivy vulnerability image scanner
+        # Third-party action, pin to commit SHA!
+        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
+        env:
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+        with:
+          image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
+          format: "sarif"
+          output: "trivy-results.sarif"
+      - name: Check trivy results
+        run: |
+          if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
+            echo "Vulnerabilities found"
+            exit 1
+          else
+            echo "No significant vulnerabilities found"
+            exit 0
+          fi
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
+        with:
+          sarif_file: "trivy-results.sarif"
+      - name: Run Trivy vulnerability file scanner
+        # Third-party action, pin to commit SHA!
+        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
+        env:
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+        with:
+          scan-type: "fs"
+          scan-ref: "./frontend"
+          skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
+          format: "sarif"
+          output: "trivy-results.sarif"
+      - name: Check trivy results
+        run: |
+          if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
+            echo "Vulnerabilities found"
+            exit 1
+          else
+            echo "No significant vulnerabilities found"
+            exit 0
+          fi
+      - name: Upload Trivy file scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
+        with:
+          sarif_file: "trivy-results.sarif"
+          category: trivy-fs-scan
+      - name: Generate cosign vulnerability scan record
+        # Third-party action, pin to commit SHA!
+        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
+        env:
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+        with:
+          image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
+          format: "cosign-vuln"
+          output: "vuln-frontend.json"
+      - name: Upload cosign vulnerability scan record
+        uses: actions/upload-artifact@v4
+        with:
+          name: "vuln-frontend.json"
+          path: "vuln-frontend.json"
+          if-no-files-found: error
+      - name: Save image
+        run: |
+          mkdir /tmp/images
+          docker save -o /tmp/images/frontend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
+      - uses: actions/cache@v4
+        with:
+          path: /tmp/images
+          key: docker-frontend-images-cache-${{ env.RUN_ID }}
+          restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
+      - name: Send status to Slack
+        # Third-party action, pin to commit SHA!
+        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
+        if: ${{ failure() && github.ref == 'refs/heads/main' }}
+        with:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.talismanrc b/.talismanrc
@@ -5,9 +5,13 @@ fileignoreconfig:
   - filename: lefthook.yml
     checksum: 8168972ed7d27ebebc6e2c33243fad92abe4f859f3bd2edb0c3b171940cac0ec
   - filename: prod.Dockerfile
-    checksum: 67b03670b7d83e3d7439ed38beaa7bf44e645bdabd69526a820f21d5dbb945f3
+    checksum: e5d917f821d4d467ad4bcc77e165fb986971daeac4355adc0b60a758c69bf396
   - filename: nginx.conf
     checksum: 2f9c9124d8dfb11c9d7b4ce360b266d6fc26a47fbc99782bb82cf1b57ef292c4
+  - filename: frontend/env.d.ts
+    checksum: fa217d4a34afcd967e6c35b10e139cd5c52711e41c190f477576441081b5cf99
+  - filename: LICENSE
+    checksum: 00de5fa1aad2fcb968beb5d1bbf09931fc9d3f160f11b945b24f3203ea025917
 
 allowed_patterns:
   # allow these specific patterns that include hex encoded text
@@ -16,6 +20,7 @@ allowed_patterns:
   - "uses: digitalservicebund/setup-sonarscanner@3ade23691f865c02dce6b46452947a0e7944196e"
   - "uses: digitalservicebund/talisman-secrets-scan-action@9a4cb85589e29a62b4546eb566119753a5680aeb"
   - "uses: sonarsource/sonarqube-quality-gate-action@424137db1fae80e9eb279829995166f2f44bc8df"
+  - "uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0"
   - "dsn: 'https://[email protected]/4508482613084160'"
   # allow these specific patterns with the term "secret"
   - secrets-scan-with-talisman
@@ -25,5 +30,6 @@ allowed_patterns:
   # allow these specific patterns with the term "key"
   - "key: modules-"
   - "key:.+runner.os"
+  - "key[s]?: docker-frontend-images-cache"
   - "key: npm-cache"
   - "sonar.projectKey=digitalservicebund_ris-adm-vwv"
diff --git a/prod.Dockerfile b/prod.Dockerfile
@@ -1,4 +1,4 @@
-FROM node:23.1.0
+FROM node:23.1.0 AS builder
 
 # make the 'app' folder the current working directory
 WORKDIR /frontend
@@ -17,5 +17,5 @@ RUN npm run build
 
 FROM cgr.dev/chainguard/nginx@sha256:9cbce3d5ee2bf696232931119919c2db19e7272cddb0fae0dc0602e78281b688
 EXPOSE 8081
-COPY /frontend/dist /var/lib/nginx/html
+COPY --from=builder /frontend/dist /var/lib/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/ris-adm-vwv.conf