build: configure grype image scan (#1158)
* build: configure grype image scan

* build: update README
gibaros authored Mar 6, 2025
1 parent 97423e9 commit 98d2a17
Showing 6 changed files with 256 additions and 21 deletions.
2 changes: 1 addition & 1 deletion .circleci/config.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
version: 2.1
setup: true
orbs:
build: mojaloop/build@1.0.53
build: mojaloop/build@1.0.58
workflows:
setup:
jobs:
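Review bot: the commit message does not say why the orb moves from mojaloop/build@1.0.53 to @1.0.58; presumably 1.0.58 is the first release that ships the grype_image_scan job the README now links to, and a line in the commit body (or a link to the orb changelog) would let a reviewer confirm that rather than guess. Keeping the orb pinned to an exact patch version, as this line does, is the right call: a floating `@1` tag would let a later orb release change the scan policy without a reviewed change in this repository.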
18 changes: 18 additions & 0 deletions .grype.yaml
@@ -0,0 +1,18 @@
ignore:
# Ignore cross-spawn vulnerabilities by CVE ID due to false positive
# as grype looks at package-lock.json where it shows versions with
# vulnerabilities, npm ls shows only 7.0.6 verion is used
- vulnerability: "GHSA-3xgq-45jj-v275"
package:
name: "cross-spawn"

# Set output format defaults
output:
- "table"
- "json"

# Modify your CircleCI job to check critical count
search:
scope: "squashed"
quiet: false
check-for-app-update: false
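Review bot: the `ignore:` rule suppresses GHSA-3xgq-45jj-v275 for every version of cross-spawn, so it will keep the finding silent even if a later lock-file change actually installs a vulnerable version; grype ignore rules accept `version:` (alongside `name`, `type` and `location`) under `package:`, so scoping the rule to the versions the comment says are only present in package-lock.json, or at least noting that the rule must be re-checked whenever the lock file changes, would keep the exception from outliving its justification. The comment `# Modify your CircleCI job to check critical count` sits above `search:`, which only sets `scope` and `quiet` and checks nothing; either move it to where the fail-on threshold is configured (the orb job) or drop it. Minor: `verion` in the rationale comment should read `version`.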
2 changes: 1 addition & 1 deletion .nvmrc
@@ -1 +1 @@
18.20.4
18.20.6
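Review bot: the commit message (`build: configure grype image scan`, `build: update README`) does not mention the Node bump from 18.20.4 to 18.20.6, and it should, since a runtime change in the built image is exactly what a scan result will reflect and a reader of the history will not expect it under this title. Node 18 reaches end-of-life at the end of April 2025, a few weeks after this commit, so patch bumps on the 18.x line will soon stop clearing scanner findings; a move to a supported major should be planned alongside the new grype gate.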
10 changes: 5 additions & 5 deletions README.md
Expand Up @@ -374,13 +374,13 @@ The [audit-ci.jsonc](./audit-ci.jsonc) contains any audit-exceptions that cannot

## Container Scans

As part of our CI/CD process, we use anchore-cli to scan our built docker container for vulnerabilities upon release.
As part of our CI/CD process, we use grype a vulnerability scanner for container images and filesystems upon release.

If you find your release builds are failing, refer to the [container scanning](https://github.com/mojaloop/ci-config#container-scanning) in our shared Mojaloop CI config repo. There is a good chance you simply need to update the `mojaloop-policy-generator.js` file and re-run the circleci workflow.
If you find your release builds are failing, please review Mojaloop orb with grype image scan at [container scanning](https://github.com/mojaloop/ci-config-orb-build?tab=readme-ov-file#vulnerability-image-scan-configuration) and review [grype_image_scan.yml](https://github.com/mojaloop/ci-config-orb-build/blob/main/src/jobs/grype_image_scan.yml) job.

For more information on anchore and anchore-cli, refer to:
- [Anchore CLI](https://github.com/anchore/anchore-cli)
- [Circle Orb Registry](https://circleci.com/orbs/registry/orb/anchore/anchore-engine)
For more information on grype, refer to:

- [Grype](https://github.com/anchore/grype)

## Automated Releases

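Review bot: the replacement paragraph drops the one piece of operational guidance the old text had (where exceptions live, previously `mojaloop-policy-generator.js`) and only points at the orb repository, yet this same commit adds a repo-local `.grype.yaml` with an `ignore:` list; the README should say that scan exceptions are recorded in `.grype.yaml` with a justification comment, otherwise the next failing release build sends people to the orb instead of the file they need to edit. The new sentence also needs punctuation to parse: "we use grype, a vulnerability scanner for container images and filesystems, to scan our built Docker image upon release", and "please review Mojaloop orb with grype image scan at" is missing an article ("the Mojaloop orb's grype image scan").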
241 changes: 229 additions & 12 deletions package-lock.json


0 comments on commit 98d2a17