Merge pull request #138 from kaleido-io/vuln-checks

adding high/critical severity vuln checks
hyperledger · Mar 28, 2024 · 2976b65 · 2976b65
2 parents 34717b7 + 82d050a
commit 2976b65
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -14,7 +14,15 @@ RUN npm install
 ADD . .
 RUN npm run build
 
-FROM node:20-alpine3.17 
+FROM alpine:3.19 AS SBOM
+WORKDIR /
+ADD . /SBOM
+RUN apk add --no-cache curl 
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.3
+RUN trivy fs --format spdx-json --output /sbom.spdx.json /SBOM
+RUN trivy sbom /sbom.spdx.json --severity UNKNOWN,HIGH,CRITICAL --exit-code 1
+
+FROM node:20-alpine3.17
 RUN apk add curl=8.5.0-r0
 # We also need to keep copying it to the old location to maintain compatibility with the FireFly CLI
 COPY --from=solidity-build --chown=1001:0 /home/node/artifacts/contracts/ERC1155MixedFungible.sol/ERC1155MixedFungible.json /root/contracts/
@@ -27,6 +35,7 @@ COPY --from=build /root/dist dist
 COPY --from=build /root/.env /app/.env
 RUN chgrp -R 0 /app/ \
     && chmod -R g+rwX /app/
+COPY --from=SBOM /sbom.spdx.json /sbom.spdx.json
 USER 1001
 EXPOSE 3000
 CMD ["node", "dist/src/main"]