diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..aa30f9b
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+# not relevant to the way grpc is used in fabconnect
+# see https://github.com/hyperledger/firefly-fabconnect/pull/123#discussion_r1543748524
+GHSA-m425-mq94-257g
diff --git a/Dockerfile b/Dockerfile
index 4890064..f3dcf31 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,9 +7,18 @@ RUN mkdir /.cache \
 && chmod -R g+rwX /.cache
 RUN make
 
+FROM alpine:3.19 AS SBOM
+WORKDIR /
+COPY . /SBOM
+RUN apk add --no-cache curl
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.3
+RUN trivy fs --format spdx-json --output /sbom.spdx.json /SBOM
+RUN trivy sbom /sbom.spdx.json --severity UNKNOWN,HIGH,CRITICAL --exit-code 1 --ignorefile /SBOM/.trivyignore
+
 FROM alpine:3.19
 WORKDIR /fabconnect
 COPY --from=fabconnect-builder /fabconnect/fabconnect ./
 ADD ./openapi ./openapi/
 RUN ln -s /fabconnect/fabconnect /usr/bin/fabconnect
+COPY --from=SBOM /sbom.spdx.json /sbom.spdx.json
 ENTRYPOINT [ "fabconnect" ]
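Review bot: The suppression of GHSA-m425-mq94-257g has no expiry, so it silences that advisory permanently even if the way fabconnect uses grpc changes later; trivy's ignore file accepts an expiration suffix, e.g. `GHSA-m425-mq94-257g exp:YYYY-MM-DD` (date is a placeholder), which forces the justification to be re-examined on a schedule. The rationale currently lives only in a linked PR discussion; a one-line summary of why the affected grpc code path is not reachable here would keep the reasoning in the repository if that thread ever becomes unavailable.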
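Review bot: The trivy installer in the new SBOM stage is fetched from the unpinned `main` branch of the trivy repository and piped straight into `sh` with no integrity check, so only the trivy release (v0.48.3) is pinned, not the script that installs it, and that script runs as root in the build. The stage can take the binary from the pinned official image instead, replacing the `apk add --no-cache curl` and `curl ... | sh` lines with `COPY --from=aquasec/trivy:0.48.3 /usr/local/bin/trivy /usr/local/bin/trivy`; failing that, pin the script to a tag and verify its checksum before executing it, and set pipefail so a failed download is not masked. Separately, `trivy fs` is run over `COPY . /SBOM`, i.e. the entire build context, so the `/sbom.spdx.json` shipped into the final image presumably describes the source tree (plus anything in the context not excluded by .dockerignore) rather than the alpine packages actually present at runtime; if the SBOM is meant to document the runtime image, it should be generated from that image rather than from the checkout. Stage names are conventionally lowercase, so `AS sbom` / `--from=sbom`.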