Adding Anchore security checks

.circleci/.anchore/policy_bundle.json

@@ -0,0 +1,33 @@
+{
+  "id": "default0",
+  "version": "1_0",
+  "name": "My Default bundle",
+  "comment": "My system's default bundle",
+  "whitelisted_images": [],
+  "blacklisted_images": [],
+  "mappings": [],
+  "whitelists": [],
+  "policies": [
+    {
+      "name": "IgnoreUnfixablePkgs",
+      "version": "1_0",
+      "comment": "Policy for basic checks",
+      "id": "ba6daa06-da3b-46d3-9e22-f01f07b0489a",
+      "rules": [
+        {
+          "action": "STOP",
+          "gate": "vulnerabilities",
+          "id": "80569900-d6b3-4391-b2a0-bf34cf6d813d",
+          "params": [
+            { "name": "package_type", "value": "all" },
+            { "name": "severity_comparison", "value": ">=" },
+            { "name": "severity", "value": "medium" },
+            { "name": "fix_available", "value": "true"}
+          ],
+          "trigger": "package"
+        }
+      ]
+    }
+
+  ]
+}

.circleci/config.yml

@@ -1,22 +1,21 @@
-version: 2
+version: 2.1
+orbs:
+  anchore: anchore/[email protected]
 jobs:
-  build:
-    machine: true
-    working_directory: ~/go/src/github.com/fnproject/fdk-node
-    # docker:
-    #   - image: node:9
+
+  "test":
+    docker:
+      - image: circleci/node:9-stretch
+    working_directory: ~/fdk-node
     steps:
-      - run:
-          name: "Checking Versions"
-          command: |
-            node --version
-            npm --version
+      - setup_remote_docker:
+          docker_layer_caching: true
       - checkout
       - run:
           name: "test"
           command: |
-              ./test.sh
-      # TODO: run npm test
+            npm install
+            npm run test
       - deploy:
           command: |
             if [[ "${CIRCLE_BRANCH}" == "master" && -z "${CIRCLE_PR_REPONAME}" ]]; then
@@ -27,4 +26,83 @@ jobs:
               echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > .npmrc
               ./release.sh
               rm -f .npmrc
+              ./build-images.sh 9
+              ./build-images.sh 10
+              ./build-images.sh 11
+              ./release_images.sh
             fi
+
+  "node9_security_check":
+    executor: anchore/anchore_engine
+    working_directory: ~/fdk-node
+    steps:
+      - setup_remote_docker:
+          docker_layer_caching: true
+      - checkout
+      - run:
+          name: Node.JS 9 build
+          command: |
+            apk add bash
+            ./build-images.sh 9
+      - anchore/analyze_local_image:
+          image_name: "fnproject/node:9-dev fnproject/node:9"
+          timeout: '500'
+          policy_failure: true
+          policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
+      - anchore/parse_reports
+
+  "node10_security_check":
+    executor: anchore/anchore_engine
+    working_directory: ~/fdk-node
+    steps:
+      - setup_remote_docker:
+          docker_layer_caching: true
+      - checkout
+      - run:
+          name: Node.JS 10 build
+          command: |
+            apk add bash
+            ./build-images.sh 10
+      - anchore/analyze_local_image:
+          image_name: "fnproject/node:10-dev fnproject/node:10"
+          timeout: '500'
+          policy_failure: true
+          policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
+      - anchore/parse_reports
+
+  "node11_security_check":
+    executor: anchore/anchore_engine
+    working_directory: ~/fdk-node
+    steps:
+      - setup_remote_docker:
+          docker_layer_caching: true
+      - checkout
+      - run:
+          name: Node.JS 11 build
+          command: |
+            apk add bash
+            ./build-images.sh 11
+      - anchore/analyze_local_image:
+          image_name: "fnproject/node:11-dev fnproject/node:11"
+          timeout: '500'
+          policy_failure: true
+          policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
+      - anchore/parse_reports
+
+workflows:
+  version: 2
+  build:
+    jobs:
+      - "test"
+  nightly:
+    triggers:
+      - schedule:
+          cron: "0 0 * * *"
+          filters:
+            branches:
+              only:
+                - master
+    jobs:
+      - "node9_security_check"
+      - "node10_security_check"
+      - "node11_security_check"

build-images.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -ex
+
+nodeversion=${1:-"9"}
+pushd images && \
+    pushd build-stage && \
+        pushd ${nodeversion} && docker build -t fnproject/node:${nodeversion}-dev .; popd && \
+    popd && \
+
+    pushd runtime && \
+        pushd ${nodeversion} && docker build -t fnproject/node:${nodeversion} .; popd && \
+    popd && \
+popd

images/build-stage/10/Dockerfile

@@ -0,0 +1,3 @@
+FROM node:10-stretch
+
+RUN apt-get update && apt-get upgrade -qy && apt-get clean

images/build-stage/11/Dockerfile

@@ -0,0 +1,3 @@
+FROM node:11-stretch
+
+RUN apt-get update && apt-get upgrade -qy && apt-get clean

images/build-stage/9/Dockerfile

@@ -0,0 +1,3 @@
+FROM node:9-stretch
+
+RUN apt-get update && apt-get upgrade -qy && apt-get clean

images/runtime/10/Dockerfile

@@ -0,0 +1,6 @@
+FROM node:10-stretch-slim
+
+RUN apt-get update && apt-get upgrade -qy && apt-get clean
+# for some reason i see this:
+# addgroup: The GID `1000' is already in use.
+RUN addgroup --system --gid 1001 --system fn && adduser --system --uid 1001 --ingroup fn fn

images/runtime/11/Dockerfile

@@ -0,0 +1,6 @@
+FROM node:11-stretch-slim
+
+RUN apt-get update && apt-get upgrade -qy && apt-get clean
+# for some reason i see this:
+# addgroup: The GID `1000' is already in use.
+RUN addgroup --system --gid 1001 --system fn && adduser --system --uid 1001 --ingroup fn fn

images/runtime/9/Dockerfile

@@ -0,0 +1,6 @@
+FROM node:9-stretch-slim
+
+RUN apt-get update && apt-get upgrade -qy && apt-get clean
+# for some reason i see this:
+# addgroup: The GID `1000' is already in use.
+RUN addgroup --system --gid 1001 --system fn && adduser --system --uid 1001 --ingroup fn fn