diff --git a/.circleci/config.yml b/.circleci/config.yml
index 3b9b1ea7..6bd267c6 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,7 +1,7 @@
 version: 2.1
 setup: true
 orbs:
- build: mojaloop/build@1.0.53
+ build: mojaloop/build@1.0.58
 workflows:
 setup:
 jobs:
diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 00000000..ef2d2220
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,18 @@
+ignore:
+ # Ignore cross-spawn vulnerabilities by CVE ID due to false positive
+ # as grype looks at package-lock.json where it shows versions with
+ # vulnerabilities, npm ls shows only 7.0.6 verion is used
+ - vulnerability: "GHSA-3xgq-45jj-v275"
+ package:
+ name: "cross-spawn"
+
+# Set output format defaults
+output:
+ - "table"
+ - "json"
+
+# Modify your CircleCI job to check critical count
+search:
+ scope: "squashed"
+quiet: false
+check-for-app-update: false
diff --git a/.nvmrc b/.nvmrc
index 17719ce2..1fc51668 100644
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-18.20.4
+18.20.6
diff --git a/README.md b/README.md
index 7933ecce..f5494cf3 100644
--- a/README.md
+++ b/README.md
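Review bot: The comment on the new `.grype.yaml` ignore rule says the match is "by CVE ID", but `GHSA-3xgq-45jj-v275` is a GitHub Security Advisory identifier, and "verion" is a typo; suggest `# Ignore this cross-spawn advisory (GHSA id) as a false positive: grype reads package-lock.json,` / `# which lists older versions, while npm ls shows only 7.0.6 is actually installed.` As written the rule suppresses that advisory for every cross-spawn version, yet the stated justification holds only for the current lock file, so consider adding a `version:` under `package:` pinned to the lock-file version(s) being suppressed (and a link to the tracking issue) so the exception is re-examined when the lock file changes rather than silently carried forward. The `# Modify your CircleCI job to check critical count` comment above `search:` describes nothing in this file and reads as leftover template text; either drop it or replace it with what the setting does, e.g. `# Scan only the squashed image filesystem, not every intermediate layer`.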
@@ -160,11 +160,10 @@ The [audit-ci.jsonc](./audit-ci.jsonc) contains any audit-exceptions that cannot
 ## Container Scans
-As part of our CI/CD process, we use anchore-cli to scan our built docker container for vulnerabilities upon release.
+As part of our CI/CD process, we use grype a vulnerability scanner for container images and filesystems upon release.
-If you find your release builds are failing, refer to the [container scanning](https://github.com/mojaloop/ci-config#container-scanning) in our shared Mojaloop CI config repo. There is a good chance you simply need to update the `mojaloop-policy-generator.js` file and re-run the circleci workflow.
+If you find your release builds are failing, please review Mojaloop orb with grype image scan at [container scanning](https://github.com/mojaloop/ci-config-orb-build?tab=readme-ov-file#vulnerability-image-scan-configuration) and review [grype_image_scan.yml](https://github.com/mojaloop/ci-config-orb-build/blob/main/src/jobs/grype_image_scan.yml) job.
-For more information on anchore and anchore-cli, refer to:
+For more information on grype, refer to:
-- [Anchore CLI](https://github.com/anchore/anchore-cli)
-- [Circle Orb Registry](https://circleci.com/orbs/registry/orb/anchore/anchore-engine)
+- [Grype](https://github.com/anchore/grype)