From 016940978366c59adef974e3c0be822d2f686c47 Mon Sep 17 00:00:00 2001 From: tawoe Date: Tue, 28 Feb 2023 17:52:50 +0100 Subject: [PATCH] create v100.1.0 container
---
 .github/Dockerfile_PreBuild | 2 +-
 .github/Dockerfile_PreBuild_OC | 10 ++++++
 .github/workflows/build_package.yml | 1 +
 .github/workflows/run_trivy.yml | 52 +++++++++++++++++++++++++++++
 4 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 .github/Dockerfile_PreBuild_OC
 create mode 100644 .github/workflows/run_trivy.yml
diff --git a/.github/Dockerfile_PreBuild b/.github/Dockerfile_PreBuild
index ecbfbf5c..c0e3c0e1 100644
--- a/.github/Dockerfile_PreBuild
+++ b/.github/Dockerfile_PreBuild
@@ -1,4 +1,4 @@
-FROM jetty:9.4-jre11-slim
+FROM jetty:9.4.49-jre11-alpine
 # Copy OBP source code
 # Copy build artifact (.war file) into jetty from 'maven' stage.
diff --git a/.github/Dockerfile_PreBuild_OC b/.github/Dockerfile_PreBuild_OC
new file mode 100644
index 00000000..7e2dd794
--- /dev/null
+++ b/.github/Dockerfile_PreBuild_OC
@@ -0,0 +1,10 @@
+FROM jetty:9.4.49-jre11-alpine
+
+# Copy OBP source code
+# Copy build artifact (.war file) into jetty from 'maven' stage.
+COPY /target/API_Explorer-1.0.war /var/lib/jetty/webapps/ROOT.war
+USER root
+RUN chgrp -R 0 /tmp/jetty && chmod -R g+rwX /tmp/jetty
+RUN chgrp -R 0 /var/lib/jetty && chmod -R g+rwX /var/lib/jetty
+RUN chgrp -R 0 /usr/local/jetty && chmod -R g+rwX /usr/local/jetty
+USER jetty
\ No newline at end of file
diff --git a/.github/workflows/build_package.yml b/.github/workflows/build_package.yml
index fee7f1e3..1a89200c 100644
--- a/.github/workflows/build_package.yml
+++ b/.github/workflows/build_package.yml
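Review bot: In Dockerfile_PreBuild_OC the third `RUN chgrp -R 0 /usr/local/jetty && chmod -R g+rwX /usr/local/jetty` makes the whole Jetty installation (its jars, modules and start configuration) writable by group 0, so the server process — the `jetty` user, or an arbitrary OpenShift UID that lands in GID 0 — can rewrite its own runtime at will; if the goal is only to let an arbitrary UID run the server, `/var/lib/jetty` and `/tmp/jetty` are the directories Jetty writes to and `/usr/local/jetty` should stay read-only, which is worth confirming against what this deployment actually needs. Each recursive `chmod` after the `COPY` also copies every touched file into a fresh layer, so `ROOT.war` and both Jetty trees end up in the image twice; one combined step such as `RUN chgrp -R 0 /tmp/jetty /var/lib/jetty && chmod -R g+rwX /tmp/jetty /var/lib/jetty` plus `COPY --chown=jetty:0 …` for the war keeps the permission change to a single layer. The file is also missing its trailing newline after `USER jetty`.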
@@ -26,6 +26,7 @@ jobs:
 run: |
 echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login -u "${{ secrets.DOCKER_HUB_USERNAME }}" --password-stdin docker.io
 docker build . --file .github/Dockerfile_PreBuild --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:v100.1.0
+ docker build . --file .github/Dockerfile_PreBuild_OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA-OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:v100.1.0-OC
 docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }} --all-tags
 echo docker done
diff --git a/.github/workflows/run_trivy.yml b/.github/workflows/run_trivy.yml
new file mode 100644
index 00000000..a55cbb2d
--- /dev/null
+++ b/.github/workflows/run_trivy.yml
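Review bot: The release literal `v100.1.0` now sits in two `docker build` lines (the existing one and the added `Dockerfile_PreBuild_OC` build), so the next version bump has to edit both and they can silently drift apart; lift it into the workflow's `env:` block (e.g. `IMAGE_VERSION: v100.1.0`) and tag with `${{ env.IMAGE_VERSION }}` and `${{ env.IMAGE_VERSION }}-OC` instead. Both builds use the same `.` context and the same `/target` war, so the second build mostly re-runs the first one's steps; if build time matters, a cache-aware builder or a shared base stage would avoid the duplicate work. The enclosing step starts above this hunk.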
@@ -0,0 +1,52 @@
+name: scan container image
+
+on:
+ workflow_run:
+ workflows: [build and publish container]
+ types:
+ - completed
+env:
+ ## Sets environment variable
+ DOCKER_HUB_ORGANIZATION: openbankproject
+ DOCKER_HUB_REPOSITORY: obp-api
+
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+
+ steps:
+ - uses: actions/checkout@v3
+ - id: trivy-db
+ name: Check trivy db sha
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
+ headers='Accept: application/vnd.github+json'
+ jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
+ sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
+ echo "Trivy DB sha256:${sha}"
+ echo "::set-output name=sha::${sha}"
+ - uses: actions/cache@v3
+ with:
+ path: .trivy
+ key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db.outputs.sha }}
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.sha }}'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ security-checks: 'vuln'
+ severity: 'CRITICAL,HIGH'
+ timeout: '30m'
+ cache-dir: .trivy
+ - name: Fix .trivy permissions
+ run: sudo chown -R $(stat . -c %u:%g) .trivy
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: 'trivy-results.sarif'
\ No newline at end of file
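Review bot: `uses: aquasecurity/trivy-action@master` runs the scanner from a moving branch, so the code that produces this repository's security findings can change or break between runs without any change here, while `actions/checkout@v3` and `actions/cache@v3` in the same file are at least pinned to a major; pin it to a release tag or, better, a full commit SHA with the version in a comment, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`. `github/codeql-action/upload-sarif@v1` is an older major than the actions around it, and the upload step needs `security-events: write` in a `permissions:` block if the repository's default token is read-only — worth confirming. `echo "::set-output name=sha::${sha}"` uses the deprecated workflow-command form; `echo "sha=${sha}" >> "$GITHUB_OUTPUT"` is the replacement. Because the `run:` step has no `shell: bash` and no `set -o pipefail`, a failed `gh api` call leaves `sha` empty and the job continues with the cache key `…-trivy-db-` instead of failing. Only the `${{ github.sha }}` image is scanned; the `-OC` image that build_package.yml now also publishes is not covered by this workflow.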