Merge pull request #143 from kaleido-io/vuln-checks

adding high/critical severity vuln checks

Dockerfile

@@ -7,14 +7,22 @@ ADD --chown=node:node . .
 RUN npm run build
 
 FROM node:20-alpine3.17 as solidity-build
-RUN apk add python3=3.10.13-r0 alpine-sdk=1.0-r1
+RUN apk add python3=3.10.14-r1 alpine-sdk=1.0-r1
 USER node
 WORKDIR /home/node
 ADD --chown=node:node ./samples/solidity/package*.json ./
 RUN npm install
 ADD --chown=node:node ./samples/solidity .
 RUN npx hardhat compile
 
+FROM alpine:3.19 AS SBOM
+WORKDIR /
+ADD . /SBOM
+RUN apk add --no-cache curl 
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.3
+RUN trivy fs --format spdx-json --output /sbom.spdx.json /SBOM
+RUN trivy sbom /sbom.spdx.json --severity UNKNOWN,HIGH,CRITICAL --exit-code 1
+
 FROM node:20-alpine3.17
 RUN apk add curl=8.5.0-r0 jq=1.6-r2
 RUN mkdir -p /app/contracts/source \
@@ -36,6 +44,7 @@ COPY --from=solidity-build --chown=1001:0 /home/node/artifacts/contracts/TokenFa
 WORKDIR /app
 COPY --from=build --chown=1001:0 /home/node/dist ./dist
 COPY --from=build --chown=1001:0 /home/node/package.json /home/node/package-lock.json ./
+COPY --from=SBOM /sbom.spdx.json /sbom.spdx.json
 
 RUN npm install --production
 EXPOSE 3000