chore: add trivy and grype image scans

.circleci/config.yml

@@ -10,7 +10,8 @@ orbs:
   slack: circleci/[email protected] # Ref: https://github.com/mojaloop/ci-config/tree/master/slack-templates
   pr-tools: mojaloop/[email protected] # Ref: https://github.com/mojaloop/ci-config/
   gh: circleci/[email protected]
-  anchore: anchore/[email protected]
+  grype: anchore/[email protected]
+#  trivy: cci-labs/[email protected]
 
 ##
 # defaults
@@ -148,7 +149,7 @@ executors:
     working_directory: *WORKING_DIR
     shell: "/bin/bash -leo pipefail"
     machine:
-      image: ubuntu-2204:2023.04.2 # Ref: https://circleci.com/developer/machine/image/ubuntu-2204
+      image: ubuntu-2404:2024.11.1 # Ref: https://circleci.com/developer/machine/image/ubuntu-2404
 
 ##
 # Jobs
@@ -360,81 +361,179 @@ jobs:
           path: /tmp/license-scanner/results
           destination: licenses
 
-  image-scan:
-    executor: anchore/anchore_engine
-    shell: /bin/sh -leo pipefail ## Ref: https://circleci.com/docs/env-vars/#alpine-linux
+#  grype-scan-orb:
+#    executor: grype/default
+#    environment:
+#      <<: *defaults_environment
+#    steps:
+#      - attach_workspace:
+#          at: /tmp
+#      - run:
+#          name: Load the pre-built docker image from workspace
+#          command: docker load -i /tmp/docker-image.tar
+#      - grype/scan-image:
+#          image-name: ${DOCKER_ORG:-mojaloop}/$CIRCLE_PROJECT_REPONAME:local
+#          output-format: json
+#          output-file: "grype-vulnerabilities-orb.json"
+#          # You can uncomment to fail on severity levels if desired
+#          # fail-on-severity: critical
+#      - run:
+#          name: Check critical vulnerabilities count
+#          command: |
+#            CRITICAL_COUNT=$(cat grype-vulnerabilities.json | jq '[.matches[] | select(.vulnerability.severity == "Critical")] | length')
+#            echo "Critical vulnerabilities found: $CRITICAL_COUNT"
+#      - store_artifacts:
+#          path: grype-vulnerabilities.json
+#          destination: grype-scan-orb/scan-results-orb.json
+#      - store_artifacts:
+#          path: grype-vulnerabilities.txt
+#          destination: grype-scan-orb/scan-results-orb.txt
+
+#  grype-scan:
+#    executor: default-machine
+#    environment:
+#      <<: *defaults_environment
+#    steps:
+#      - attach_workspace:
+#          at: /tmp
+#      - run:
+#          name: Load the pre-built docker image from workspace
+#          command: docker load -i /tmp/docker-image.tar
+#      - run:
+#          name: Install Grype
+#          command: |
+#            curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
+#      - run:
+#          name: Run Grype scan
+#          command: |
+#            IMAGE_NAME="${DOCKER_ORG:-mojaloop}/$CIRCLE_PROJECT_REPONAME:local"
+#            echo "Scanning image: $IMAGE_NAME"
+#            grype $IMAGE_NAME -o table > grype-results.txt
+#            grype $IMAGE_NAME -o json > grype-results.json
+#            cat grype-results.txt
+#            cat grype-results.json
+#      - run:
+#          name: Check critical vulnerabilities count
+#          command: |
+#            CRITICAL_COUNT=$(cat grype-results.json | jq '[.matches[] | select(.vulnerability.severity == "Critical")] | length')
+#            echo "Critical vulnerabilities found: $CRITICAL_COUNT"
+#      - store_artifacts:
+#          path: grype-results.json
+#          destination: grype-scan/scan-results.json
+#      - store_artifacts:
+#          path: grype-results.txt
+#          destination: grype-scan/scan-results.txt
+
+  grype-scan:
+    executor: default-machine
     environment:
       <<: *defaults_environment
-      BASH_ENV: /etc/profile ## Ref: https://circleci.com/docs/env-vars/#alpine-linux
-      ENV: ~/.profile
-      NVM_ARCH_UNOFFICIAL_OVERRIDE: x64-musl ## Ref: https://github.com/nvm-sh/nvm/issues/1102#issuecomment-550572252
-    working_directory: *WORKING_DIR
     steps:
-      - setup_remote_docker
+      - checkout  # Add this to get your repo code including the .grype.yaml config
       - attach_workspace:
           at: /tmp
-      - run:
-          name: Install docker dependencies for anchore
-          command: |
-            apk add --update py-pip docker python3-dev libffi-dev openssl-dev gcc libc-dev make jq npm curl bash
-      - run:
-          name: Install AWS CLI dependencies
-          command: *defaults_awsCliDependencies
-      - checkout
-      - run:
-          name: Setup Slack config
-          command: |
-            echo "export SLACK_PROJECT_NAME=${CIRCLE_PROJECT_REPONAME}" >> $BASH_ENV
-            echo "export SLACK_RELEASE_TYPE='GitHub Release'" >> $BASH_ENV
-            echo "export SLACK_RELEASE_TAG='${RELEASE_TAG} on ${CIRCLE_BRANCH} branch'" >> $BASH_ENV
-            echo "export SLACK_BUILD_ID=${CIRCLE_BUILD_NUM}" >> $BASH_ENV
-            echo "export SLACK_CI_URL=${CIRCLE_BUILD_URL}" >> $BASH_ENV
-            echo "export SLACK_CUSTOM_MSG='Anchore Image Scan failed for: \`${DOCKER_ORG}/${CIRCLE_PROJECT_REPONAME}:${CIRCLE_TAG}\`'" >> $BASH_ENV
-      - run:
-          <<: *defaults_configure_nvm
-      - run:
-          <<: *defaults_display_versions
-      - run:
-          name: Install general dependencies
-          command: *defaults_docker_Dependencies
       - run:
           name: Load the pre-built docker image from workspace
           command: docker load -i /tmp/docker-image.tar
       - run:
-          name: Download the mojaloop/ci-config repo
+          name: Install Grype
           command: |
-            git clone https://github.com/mojaloop/ci-config /tmp/ci-config
-            # Generate the mojaloop anchore-policy
-            cd /tmp/ci-config/container-scanning && ./mojaloop-policy-generator.js /tmp/mojaloop-policy.json
+            curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
       - run:
-          name: Pull base image locally
+          name: Run Grype scan with custom config
           command: |
-            echo "Pulling docker image: node:$NVMRC_VERSION-alpine"
-            docker pull node:$NVMRC_VERSION-alpine
-      ## Analyze the base and derived image
-      ## Note: It seems images are scanned in parallel, so preloading the base image result doesn't give us any real performance gain
-      - anchore/analyze_local_image:
-          # Force the older version, version 0.7.0 was just published, and is broken
-          anchore_version: v0.6.1
-          image_name: "docker.io/node:${NVMRC_VERSION}-alpine ${DOCKER_ORG:-mojaloop}/$CIRCLE_PROJECT_REPONAME:local"
-          policy_failure: false
-          timeout: '500'
-          # Note: if the generated policy is invalid, this will fallback to the default policy, which we don't want!
-          policy_bundle_file_path: /tmp/mojaloop-policy.json
-      - run:
-          name: Upload Anchore reports to s3
+            IMAGE_NAME="${DOCKER_ORG:-mojaloop}/$CIRCLE_PROJECT_REPONAME:local"
+            echo "Scanning image: $IMAGE_NAME"
+            # Use the config file in your repo
+            grype $IMAGE_NAME -c .grype.yaml -o table > grype-results.txt
+            grype $IMAGE_NAME -c .grype.yaml -o json > grype-results.json
+            cat grype-results.txt
+            cat grype-results.json
+      - run:
+          name: Check for critical, high and medium vulnerabilities
           command: |
-            aws s3 cp anchore-reports ${AWS_S3_DIR_ANCHORE_REPORTS}/${CIRCLE_PROJECT_REPONAME}/ --recursive
-            aws s3 rm ${AWS_S3_DIR_ANCHORE_REPORTS}/latest/ --recursive --exclude "*" --include "${CIRCLE_PROJECT_REPONAME}*"
-            aws s3 cp anchore-reports ${AWS_S3_DIR_ANCHORE_REPORTS}/latest/ --recursive
-      - run:
-          name: Evaluate failures
-          command: /tmp/ci-config/container-scanning/anchore-result-diff.js anchore-reports/node_${NVMRC_VERSION}-alpine-policy.json anchore-reports/${CIRCLE_PROJECT_REPONAME}*-policy.json
+            # Count vulnerabilities in the filtered results
+            CRITICAL_COUNT=$(cat grype-results.json | jq '[.matches[] | select(.vulnerability.severity == "Critical")] | length')
+            HIGH_COUNT=$(cat grype-results.json | jq '[.matches[] | select(.vulnerability.severity == "High")] | length')
+            MEDIUM_COUNT=$(cat grype-results.json | jq '[.matches[] | select(.vulnerability.severity == "Medium")] | length')
+
+            echo "Critical vulnerabilities found: $CRITICAL_COUNT"
+            echo "High vulnerabilities found: $HIGH_COUNT"
+            echo "Medium vulnerabilities found: $MEDIUM_COUNT"
+
+            # List remaining critical, high and medium vulnerabilities for awareness
+            echo "Critical severity vulnerabilities:"
+            cat grype-results.json | jq -r '.matches[] | select(.vulnerability.severity == "Critical") | "- \(.artifact.name) \(.artifact.version): \(.vulnerability.id)"'
+
+            echo "High severity vulnerabilities:"
+            cat grype-results.json | jq -r '.matches[] | select(.vulnerability.severity == "High") | "- \(.artifact.name) \(.artifact.version): \(.vulnerability.id)"'
+
+            echo "Medium severity vulnerabilities:"
+            cat grype-results.json | jq -r '.matches[] | select(.vulnerability.severity == "Medium") | "- \(.artifact.name) \(.artifact.version): \(.vulnerability.id)"'
+
+            # Fail if any critical, high, or medium vulnerabilities are found
+            if [ "$CRITICAL_COUNT" -gt 0 ] || [ "$HIGH_COUNT" -gt 0 ] || [ "$MEDIUM_COUNT" -gt 0 ]; then
+              echo "Critical, High, or Medium vulnerabilities found. Failing the build."
+              exit 1
+            fi
       - store_artifacts:
-          path: anchore-reports
-      - slack/notify:
-          event: fail
-          template: SLACK_TEMP_RELEASE_FAILURE
+          path: grype-results.json
+          destination: grype-scan/scan-results.json
+      - store_artifacts:
+          path: grype-results.txt
+          destination: grype-scan/scan-results.txt
+      - store_artifacts:
+          path: grype-results.json
+          destination: grype-scan/grype-results.json
+
+#  trivy-scan:
+#    executor: default-machine
+#    environment:
+#      <<: *defaults_environment
+#    steps:
+#      - checkout  # Add this to get your repo code including the .trivyignore.yaml config
+#      - attach_workspace:
+#          at: /tmp
+#      - run:
+#          name: Load the pre-built docker image from workspace
+#          command: docker load -i /tmp/docker-image.tar
+#      - trivy/scan:
+#          image-ref: ${DOCKER_ORG:-mojaloop}/$CIRCLE_PROJECT_REPONAME:local
+#          # You can uncomment to fail on severity levels if desired
+#          # security-checks: vuln
+#          # severity: 'CRITICAL,HIGH'
+#          # exit-code: '1'
+#          exit-code: '0'
+#          format: 'table'
+#          output: 'trivy-results.txt'
+#          # ignore-policy: '.trivyignore.yaml'
+#          additional-args: '--ignorefile .trivyignore.yaml'
+#      - trivy/scan:
+#          image-ref: ${DOCKER_ORG:-mojaloop}/$CIRCLE_PROJECT_REPONAME:local
+#          format: 'json'
+#          output: 'trivy-results.json'
+#          #ignore-policy: '.trivyignore.yaml'
+#          additional-args: '--ignorefile .trivyignore.yaml'
+#          exit-code: '0'
+#      - run:
+#          name: Check critical vulnerabilities count
+#          command: |
+#            CRITICAL_COUNT=$(cat trivy-results.json | jq '[.Results[] | .Vulnerabilities // [] | .[] | select(.Severity == "CRITICAL")] | length')
+#            echo "Critical vulnerabilities found: $CRITICAL_COUNT"
+#
+#            # Optional: Verify cross-spawn vulnerabilities are excluded
+#            CROSS_SPAWN_COUNT=$(cat trivy-results.json | jq '[.Results[] | .Vulnerabilities // [] | .[] | select(.PkgName == "cross-spawn")] | length')
+#            echo "Cross-spawn vulnerabilities found after filtering: $CROSS_SPAWN_COUNT"
+#
+#            # List remaining high vulnerabilities for awareness
+#            echo "High severity vulnerabilities:"
+#            cat trivy-results.json | jq -r '.Results[] | .Vulnerabilities // [] | .[] | select(.Severity == "HIGH") | "- \(.PkgName) \(.InstalledVersion): \(.VulnerabilityID)"'
+#      - store_artifacts:
+#          path: trivy-results.json
+#          destination: trivy-scan/scan-results.json
+#      - store_artifacts:
+#          path: trivy-results.txt
+#          destination: trivy-scan/scan-results.txt
 
   release:
     executor: default-docker
@@ -541,7 +640,7 @@ jobs:
           at: /tmp
       - run:
           name: Load the pre-built docker image from workspace
-          command: | 
+          command: |
             docker load -i /tmp/docker-image.tar
       - run:
           name: Login to Docker Hub
@@ -714,8 +813,7 @@ workflows:
             tags:
               only: /v[0-9]+(\.[0-9]+)*(\-snapshot(\.[0-9]+)?)?(\-hotfix(\.[0-9]+)?)?(\-perf(\.[0-9]+)?)?/
             branches:
-              ignore:
-                - /.*/
+              only: /.*/
       - license-scan:
           context: org-global
           requires:
@@ -726,16 +824,24 @@ workflows:
             branches:
               ignore:
                 - /.*/
-      - image-scan:
+      - grype-scan:
           context: org-global
           requires:
             - build-local
           filters:
             tags:
               only: /v[0-9]+(\.[0-9]+)*(\-snapshot(\.[0-9]+)?)?(\-hotfix(\.[0-9]+)?)?(\-perf(\.[0-9]+)?)?/
             branches:
-              ignore:
-                - /.*/
+              only: /.*/
+#      - trivy-scan:
+#          context: org-global
+#          requires:
+#            - build-local
+#          filters:
+#            tags:
+#              only: /v[0-9]+(\.[0-9]+)*(\-snapshot(\.[0-9]+)?)?(\-hotfix(\.[0-9]+)?)?(\-perf(\.[0-9]+)?)?/
+#            branches:
+#              only: /.*/
       # New commits to main release automatically
       - release:
           context: org-global
@@ -749,7 +855,9 @@ workflows:
             - vulnerability-check
             - audit-licenses
             - license-scan
-            - image-scan
+            - grype-scan
+#            - trivy-scan
+            # - grype-scan-orb
           filters:
             branches:
               only:
@@ -777,7 +885,9 @@ workflows:
             - audit-licenses
             # - test-integration
             - license-scan
-            - image-scan
+            - grype-scan
+#            - trivy-scan
+            # - grype-scan-orb
           filters:
             tags:
               only: /v[0-9]+(\.[0-9]+)*/
@@ -797,10 +907,12 @@ workflows:
             - audit-licenses
             # - test-integration
             - license-scan
-            - image-scan
+            - grype-scan
+#            - trivy-scan
+            # - grype-scan-orb
           filters:
             tags:
               only: /v[0-9]+(\.[0-9]+)*\-snapshot+((\.[0-9]+)?)/
             branches:
               ignore:
-                - /.*/
+                - /.*/

.gitignore

@@ -69,7 +69,3 @@ typings/
 # https://devspace.sh/
 devspace*
 .devspace/**.*
-
-# Add ignores
-*IGNORE*
-*ignore*

.grype.yaml

@@ -0,0 +1,18 @@
+ignore:
+  # Ignore cross-spawn vulnerabilities by CVE ID due to false positive
+  # as grype looks at package-lock.json where it shows versions with
+  # vulnerabilities, npm ls shows only 7.0.6 verion is used
+  - vulnerability: "GHSA-3xgq-45jj-v275"
+    package:
+      name: "cross-spawn"
+
+# Set output format defaults
+output:
+  - "table"
+  - "json"
+
+# Modify your CircleCI job to check critical count
+search:
+  scope: "squashed"
+quiet: false
+check-for-app-update: false

.nvmrc

@@ -1 +1 @@
-18.20.4
+18.20.6

.trivyignore.yaml

@@ -0,0 +1,14 @@
+ignorePkgs:
+  - pkg:npm/cross-spawn@*
+
+# Alternatively, can specify exact CVE/GHSA IDs
+ignoreVulns:
+  - CVE-2024-21538
+  - GHSA-3xgq-45jj-v275
+
+# can also be more specific with both package and vulnerability
+# ignoreRules:
+#   - id: CVE-2024-21538
+#     pkg: pkg:npm/cross-spawn@*
+#     until: 2025-12-31T23:59:59Z
+#     reason: "We've assessed this vulnerability and determined it's not exploitable in our context"