chore(rpc-proxy): using trivy for scanning the docker image (#1414)

* chore: first commit

* chore: first commit

* chore: first commit

* chore: first commit

* chore: first commit

* chore: added vulnerability scan

* chore: added vulnerability scan

* chore: added vulnerability scan

* chore: added vulnerability scan

* chore: added vulnerability scan

* chore: added vulnerability scan

* chore: changes in the dockerfile

.github/workflows/on-pr.yml

@@ -38,14 +38,10 @@ jobs:
         uses: ./.github/workflows/test-apps.yml
         secrets: inherit
 
-    test-rpc-proxy:
-        uses: ./.github/workflows/test-rpc-proxy.yml
+    rpc-proxy:
+        uses: ./.github/workflows/rpc-proxy.yml
         secrets: inherit
 
-    test-e2e-rpc-proxy:
-      uses: ./.github/workflows/test-rpc-proxy-e2e.yml
-      secrets: inherit
-
     install-build:
         uses: ./.github/workflows/build-lint.yml
         secrets: inherit

.github/workflows/test-rpc-proxy.yml → .github/workflows/rpc-proxy-test.yml

@@ -1,4 +1,4 @@
-name: Test RPC Proxy
+name: RPC Proxy - Test
 
 on:
     workflow_call:
@@ -21,16 +21,18 @@ jobs:
 
             - name: Build
               run: yarn build
+
+            - name: Run E2E RPC Proxy tests
+              run: |
+                yarn workspace @vechain/sdk-rpc-proxy test:e2e
             
             - name: Start Thor solo node
               id: start-solo
               run: yarn start-thor-solo
 
             - name: Start RPC Proxy
               run: |
-                cd packages/rpc-proxy
-                yarn start &
-                disown
+                yarn workspace @vechain/sdk-rpc-proxy start & disown
             
             - name: Run RPC Proxy tests
               run: |

.github/workflows/rpc-proxy-vulnerability-scan.yml

@@ -0,0 +1,37 @@
+name: RPC Proxy - Vulnerability scan
+
+on:
+   workflow_call:
+
+permissions:
+  contents: read
+  packages: write
+  checks: write
+  actions: read
+
+jobs:
+  vulnerability-scan:
+    name: Vulnerability Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Print commit hash
+        run: echo ${{ github.sha }}
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build Docker image
+        run: |
+          IMAGE_TAG=rpc-proxy-${{ github.sha }}
+          docker build -f ./docker/rpc-proxy/Dockerfile -t $IMAGE_TAG .
+
+      - name: Run Trivy Scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: rpc-proxy-${{ github.sha }}
+          format: 'table'
+          ignore-unfixed: true
+          exit-code: '1'
+          vuln-type: os,library
+          severity: CRITICAL,HIGH,MEDIUM
+          scanners: misconfig,vuln,secret

.github/workflows/rpc-proxy.yml

@@ -0,0 +1,15 @@
+name: RPC Proxy
+
+on:
+  workflow_call:
+
+jobs:
+    test:
+      uses: ./.github/workflows/rpc-proxy-test.yml
+      secrets: inherit
+
+    docker-vulnerability-check:
+      uses: ./.github/workflows/rpc-proxy-vulnerability-scan.yml
+      secrets: inherit
+
+

docker/rpc-proxy/Dockerfile

@@ -15,11 +15,8 @@ COPY ./turbo.json ./turbo.json
 COPY ./yarn.lock ./yarn.lock
 COPY ./tsconfig.json ./tsconfig.json
 
-# Install all the dependencies
-RUN yarn install
-
-# Build the app (assumes output is in /app/dist or similar)
-RUN yarn build
+# Install all the dependencies and build the app
+RUN yarn install && yarn build
 
 # Stage 2: Serve the app using node
 FROM node:20.17.0-alpine3.20 AS runner
@@ -42,10 +39,10 @@ COPY --from=builder /app/packages/errors/package.json /app/packages/errors/packa
 COPY --from=builder /app/package.json /app/package.json
 COPY --from=builder /app/yarn.lock /app/yarn.lock
 WORKDIR /app
-RUN yarn workspace @vechain/sdk-rpc-proxy install --production --ignore-scripts
-
+RUN yarn workspace @vechain/sdk-rpc-proxy install --production --ignore-scripts \
+    && yarn cache clean \
+    && adduser -D rpc-proxy-user 
 # Create a new user to run the app so we do not use root
-RUN adduser -D rpc-proxy-user
 USER rpc-proxy-user
 
 # Tell we are running with Docker