Merge pull request #8 from UKHomeOffice/enhancement/anchore_scan

ASL-4129 - Add Anchore Image Scanning as part of build pipelines
UKHomeOffice · Jan 24, 2023 · 51aa7e5 · 51aa7e5
2 parents d35e772 + 34eb3d2
commit 51aa7e5
Show file tree

Hide file tree

Showing 5 changed files with 1,230 additions and 1,720 deletions.
diff --git a/.auditrc.json b/.auditrc.json
@@ -0,0 +1,8 @@
+{
+  "comments": [
+    "GHSA-4jv9-3563-23j3 - this is a SQL injection vulnerability that only affects MySQL see https://github.com/advisories/GHSA-4jv9-3563-23j3, https://github.com/knex/knex/issues/1227 & https://www.ghostccamm.com/blog/knex_sqli/"
+  ],
+  "allowlist": [
+    "GHSA-4jv9-3563-23j3"
+  ]
+}
diff --git a/.drone-1.0.yml b/.drone-1.0.yml
@@ -29,7 +29,7 @@ steps:
       NPM_AUTH_TOKEN:
         from_secret: npm_auth_token
     commands:
-      - npm audit --audit-level=high --production
+      - npm run test:audit
   - name: docker build
     image: docker:dind
     environment:
@@ -41,6 +41,13 @@ steps:
         from_secret: npm_auth_token
     commands:
       - docker build --secret id=username,env=NPM_AUTH_USERNAME --secret id=token,env=NPM_AUTH_TOKEN -t asl-attachments .
+  - name: scan-image
+    image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/anchore-submission:latest
+    pull: always
+    environment:
+      IMAGE_NAME: asl-attachments
+      WHITELIST: CVE-2022-3734, CVE-2018-11218, CVE-2022-0543, CVE-2018-11219, CVE-2021-29940, CVE-2022-32511
+      WHITELIST_FILE: cve-exceptions.txt
   - name: docker push
     image: docker:dind
     environment:
@@ -79,3 +86,9 @@ services:
   image: docker:dind
   environment:
     DOCKER_TLS_CERTDIR: ""
+- name: anchore-submission-server
+  image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/anchore-submission:latest
+  pull: always
+  commands:
+    - /run.sh server
+
diff --git a/cve-exceptions.txt b/cve-exceptions.txt
@@ -0,0 +1,29 @@
+CVE-2022-3734
+CVE-2018-11218
+CVE-2022-0543
+CVE-2018-11219
+CVE-2021-29940
+CVE-2022-32511
+
+CVE-2018-12326
+CVE-2019-10192
+CVE-2022-24735
+CVE-2020-14147
+CVE-2016-10517
+CVE-2021-32626
+CVE-2018-12453
+CVE-2019-10193
+CVE-2021-32761
+
+CVE-2014-1936
+CVE-2009-4592
+CVE-2009-4591
+CVE-2017-18589
+CVE-2017-18589
+CVE-2017-18589
+CVE-2021-27478
+CVE-2021-27500
+CVE-2021-27482
+CVE-2021-27498
+CVE-2022-0323
+GHSA-4jv9-3563-23j3