diff --git a/.github/workflows/ndc-nodejs-lambda-connector.yaml b/.github/workflows/ndc-nodejs-lambda-connector.yaml
index 600ae9b..6cd96fd 100644
--- a/.github/workflows/ndc-nodejs-lambda-connector.yaml
+++ b/.github/workflows/ndc-nodejs-lambda-connector.yaml
@@ -119,6 +119,49 @@ jobs:
 tags: ${{ steps.docker-metadata.outputs.tags }}
 labels: ${{ steps.docker-metadata.outputs.labels }}
+ - name: Build docker image for scanning
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ build-args: |
+ CONNECTOR_VERSION=${{ steps.get-npm-package-version.outputs.package_version }}
+ load: true
+ tags: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:scan
+ - name: Run Trivy vulnerability scanner (json output)
+ uses: aquasecurity/trivy-action@0.32.0
+ with:
+ image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:scan
+ format: json
+ output: trivy-results.json
+ scanners: vuln
+ - name: Upload Trivy scan results to Security Agent
+ if: always()
+ uses: hasura/security-agent-tools/upload-file@v1
+ with:
+ file_path: trivy-results.json
+ security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }}
+ tags: |
+ service=ndc-nodejs-lambda
+ source_code_path=.
+ docker_file_path=Dockerfile
+ scanner=trivy
+ image_name=${{ steps.docker-metadata.outputs.tags }}
+ product_domain=hasura-ddn-data-plane
+ team=engine
+ - name: Fail build on High/Critical Vulnerabilities
+ uses: aquasecurity/trivy-action@0.32.0
+ with:
+ skip-setup-trivy: true
+ image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:scan
+ format: table
+ severity: CRITICAL,HIGH
+ scanners: vuln
+ ignore-unfixed: true
+ exit-code: 1
+
 - name: Push docker image
 uses: docker/build-push-action@v6
 if: ${{ startsWith(github.ref, 'refs/tags/v') }}
diff --git a/Dockerfile b/Dockerfile
index adeadf4..f4fe8fe 100644
--- a/Dockerfile
+++ b/Dockerfile
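Review bot: The gate in `Fail build on High/Critical Vulnerabilities` scans the `:scan` image, but `Push docker image` is a separate `docker/build-push-action` invocation that builds again (its inputs are outside this hunk), so the pushed image is only the scanned one if every layer hits the build cache; the Dockerfile's `apt-get update` can otherwise resolve newer packages than the ones Trivy looked at. Consider pushing the already-loaded `:scan` image once the gate passes, e.g. `docker tag <registry>/<image>:scan <release-tag> && docker push <release-tag>`, rather than rebuilding. Separately, the actions are referenced by mutable tags (`aquasecurity/trivy-action@0.32.0`, `hasura/security-agent-tools/upload-file@v1`, `docker/build-push-action@v6`); pinning each to a full commit SHA with the version in a trailing comment is the usual supply-chain hygiene for a job that also handles `secrets.SECURITY_AGENT_API_KEY`. Note too that `ignore-unfixed: true` means a Critical with no distro fix yet will not block a release — a defensible trade-off, but worth stating in a comment on that step so nobody reads the gate as "no known Critical/High".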
@@ -1,8 +1,20 @@
-FROM node:20-alpine
+FROM ubuntu:noble-20260113
 ARG CONNECTOR_VERSION
-RUN npm update -g npm
-RUN apk add bash jq curl
+RUN apt-get update && apt-get install -y \
+ curl \
+ bash \
+ jq \
+ ca-certificates \
+ gnupg \
+ && mkdir -p /etc/apt/keyrings \
+ && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
+ && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \
+ && apt-get update \
+ && apt-get install -y nodejs \
+ && npm update -g npm \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
 COPY /docker /scripts
 COPY /connector-definition/scripts/upgrade-connector.sh /scripts/upgrade-connector.sh
@@ -12,6 +24,12 @@ RUN echo ${CONNECTOR_VERSION} > /scripts/CONNECTOR_VERSION
 COPY /functions /functions
 RUN /scripts/package-restore.sh
+# Create non-root user, let useradd pick a unique UID
+RUN useradd -m -s /bin/bash hasura \
+ && chown -R hasura:hasura /scripts /functions
+
+USER hasura
+
 EXPOSE 8080
 HEALTHCHECK --interval=5s --timeout=10s --start-period=1s --retries=3 CMD [ "sh", "-c", "exec curl -f http://localhost:${HASURA_CONNECTOR_PORT:-8080}/health" ]
diff --git a/connector-definition/Dockerfile b/connector-definition/Dockerfile
index bb8fdec..4501b93 100644
--- a/connector-definition/Dockerfile
+++ b/connector-definition/Dockerfile
@@ -1,9 +1,9 @@
 FROM ghcr.io/hasura/ndc-nodejs-lambda:v{{VERSION}}
-COPY package-lock.json package.json /functions/
+COPY --chown=hasura:hasura package-lock.json package.json /functions/
 WORKDIR /functions
-RUN --mount=type=cache,target=/root/.npm \
+RUN --mount=type=cache,target=/home/hasura/.npm,uid=1000,gid=1000 \
 npm ci
-COPY ./ /functions
+COPY --chown=hasura:hasura ./ /functions
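Review bot: The `curl … | gpg --dearmor` pipeline in the new RUN executes under the default `/bin/sh -c`, where the pipe's exit status is gpg's, so a failed or truncated key download is not caught on that line (the later `apt-get update` would presumably reject the unsigned NodeSource repo, but with a misleading error). Add `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the RUN; the ubuntu base ships bash, so this works ahead of the `apt-get install` line. The same RUN also leaves two unpinned inputs, `apt-get install -y nodejs` and `npm update -g npm` (which pulls whatever npm is current on the registry at build time), which undercuts the reproducibility the dated `ubuntu:noble-20260113` tag is buying; pin the nodejs package version and either drop the npm update or replace it with `npm install -g npm@<version>`. Adding `--no-install-recommends` to both `apt-get install` calls would also shrink the package surface the new Trivy gate has to pass.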
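Review bot: `useradd -m -s /bin/bash hasura` with no `--uid`/`--gid` leaves the runtime identity unspecified, which matters for two consumers: Kubernetes `runAsNonRoot`/`runAsUser` policies that need a numeric UID, and the derived `connector-definition/Dockerfile` in this same commit, whose npm cache mount hard-codes `uid=1000,gid=1000`. On `ubuntu:noble` the stock `ubuntu` account already holds UID 1000 as far as I recall, so useradd would presumably land on 1001 and the two would disagree. Pin it, e.g. `RUN groupadd --gid 10001 hasura && useradd --uid 10001 --gid 10001 -m -s /bin/bash hasura \` followed by the existing `&& chown -R hasura:hasura /scripts /functions`, and have the comment state the chosen UID instead of "let useradd pick a unique UID". Note also that `chown -R` in its own layer re-copies `/scripts` and `/functions` into the image; `COPY --chown=hasura:hasura` on the earlier COPY lines (outside this hunk) would avoid the duplicate layer, at the cost of creating the user before those COPYs.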
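Review bot: `uid=1000,gid=1000` on the cache mount is a literal the base image does not guarantee: the base Dockerfile's `useradd` in this same commit deliberately lets the system pick the UID, and on `ubuntu:noble` 1000 is, as far as I recall, already taken by the stock `ubuntu` user, so `hasura` would presumably be 1001 and `npm ci` would fail with EACCES on a cache directory it cannot write. Once the base image pins the UID, use the same value here, e.g. `RUN --mount=type=cache,target=/home/hasura/.npm,uid=10001,gid=10001 \`, and tie the two with a comment such as `# uid/gid must match the hasura user created in ghcr.io/hasura/ndc-nodejs-lambda`. The `--chown=hasura:hasura` on both COPY lines is correct as written since the base image switches to `USER hasura` before this file runs.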