From 3bedaf913af8bb5b835f0195f0afb436f2dcd79a Mon Sep 17 00:00:00 2001 From: Namya LG Date: Tue, 15 Feb 2022 17:59:03 +0530 Subject: [PATCH 1/3] Test workflow added --- .github/containerscan/allowedlist.yaml | 50 ++++++++++++++++++ .github/workflows/check.yml | 71 ++++++++++++++++++++++++++ 2 files changed, 121 insertions(+) create mode 100644 .github/containerscan/allowedlist.yaml create mode 100644 .github/workflows/check.yml diff --git a/.github/containerscan/allowedlist.yaml b/.github/containerscan/allowedlist.yaml new file mode 100644 index 00000000..14756afa --- /dev/null +++ b/.github/containerscan/allowedlist.yaml @@ -0,0 +1,50 @@ +general: + vulnerabilities: + - CVE-2021-43527 + - CVE-2021-3449 + - CVE-2020-1971 + - CVE-2021-3711 + - CVE-2021-33910 + - CVE-2021-33910 + - CVE-2020-27170 + - CVE-2020-28374 + - CVE-2020-29661 + - CVE-2021-22555 + - CVE-2021-27365 + - CVE-2021-29154 + - CVE-2021-33909 + - CVE-2021-3493 + - CVE-2021-3600 + - CVE-2021-3609 + - CVE-2021-3653 + - CVE-2021-3656 + - CVE-2021-4002 + - CVE-2020-1971 + - CVE-2021-3449 + - CVE-2021-3711 + - CVE-2021-33430 + - CVE-2020-27171 + - CVE-2022-0492 + - CVE-2021-29425 + - CVE-2021-45046 + - CVE-2021-44832 + - CVE-2021-45105 + - CVE-2021-42550 + - CVE-2021-37136 + - CVE-2021-37137 + - CVE-2021-21290 + - CVE-2021-43797 + - CVE-2021-21295 + - CVE-2021-21409 + - CVE-2022-21724 + - CVE-2021-22060 + + bestPracticeViolations: + - CIS-DI-0007 + - DKL-DI-0005 + - CIS-DI-0001 + - DKL-DI-0006 + - CIS-DI-0005 + - CIS-DI-0006 + - CIS-DI-0008 + - DKL-LI-0003 \ No newline at end of file diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml new file mode 100644 index 00000000..10aabe1c --- /dev/null +++ b/.github/workflows/check.yml 
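Review bot: The `vulnerabilities` list carries duplicates — CVE-2020-1971, CVE-2021-3449, CVE-2021-3711 and CVE-2021-33910 each appear twice — and none of the entries records why the finding is accepted, so the list cannot be reviewed, owned or expired later. Every entry under this `general` section silences the finding for every image the workflow scans, so de-duplicate and give each line a reason and a revisit date, e.g. `- CVE-2021-43527  # <component>: <why not reachable here>; re-check by <YYYY-MM-DD>`. Several of the listed identifiers are well-known high-severity issues (the CVE-2021-45046/CVE-2021-45105/CVE-2021-44832 group and CVE-2022-0492, for instance), and those in particular warrant a written rationale or a base-image/dependency update rather than a blanket allow. The file also ends without a trailing newline.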
@@ -0,0 +1,71 @@ +name: FLINT Reporting Docker Images CI/CD + +on: + schedule: + - cron: "0 0 * * MON" + + pull_request: + types: [opened, synchronize, reopened, ready_for_review] + branches: [master] + + push: + branches: [ master ] + # Publish semver tags as releases. + tags: [ 'v*.*.*' ] + +env: + REGISTRY: ghcr.io + +jobs: + publish-reporting-tool-frontend: + name: Publish Reporting Tool (client) + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + + - name: Cache Docker layers + uses: actions/cache@v2 + with: + path: /tmp/.buildx-cache + key: ${{ runner.os }}-buildx-client-${{ github.sha }} + restore-keys: | + ${{ runner.os }}-buildx-client- + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.REGISTRY }}/moja-global/flint_reporting.client + + - name: Build Docker image + uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc + with: + context: ./code/client/ + file: "./code/client/Dockerfile" + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache-new + + # This ugly bit is necessary if you don't want your cache to grow forever + # till it hits GitHub's limit of 5GB. + # Temp fix + # https://github.com/docker/build-push-action/issues/252 + # https://github.com/moby/buildkit/issues/1896 + From cb750d8acfe34b536d896960593f1045d252a736 Mon Sep 17 00:00:00 2001 
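Review bot: `actions/checkout@v2`, `docker/setup-buildx-action@v1` and `actions/cache@v2` are referenced by mutable tags while the login, metadata and build-push steps of the same job are pinned to full commit SHAs; since the job runs with `packages: write` and a registry credential, pin every action the same way, e.g. `uses: actions/checkout@<full commit SHA>  # vX.Y.Z`. The closing comment block describes a cache-rotation step, but no such step appears in this hunk, which ends at that comment, so `/tmp/.buildx-cache-new` written by `cache-to` is never moved back to `/tmp/.buildx-cache` and the saved layer cache never refreshes. This file is deleted again in the second patch of the series, so the same two checks apply to the corresponding job in docker.yml, whose steps lie outside this diff.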
From: Namya LG Date: Tue, 15 Feb 2022 18:29:00 +0530 Subject: [PATCH 2/3] Added containerscan action --- .github/containerscan/allowedlist.yaml | 5 ++ .github/workflows/check.yml | 71 -------------------------- .github/workflows/docker.yml | 9 ++++ 3 files changed, 14 insertions(+), 71 deletions(-) delete mode 100644 .github/workflows/check.yml diff --git a/.github/containerscan/allowedlist.yaml b/.github/containerscan/allowedlist.yaml index 14756afa..c60b627b 100644 --- a/.github/containerscan/allowedlist.yaml +++ b/.github/containerscan/allowedlist.yaml @@ -1,5 +1,6 @@ general: vulnerabilities: + - CVE-2019-12402 - CVE-2021-43527 - CVE-2021-3449 - CVE-2020-1971 @@ -38,6 +39,10 @@ general: - CVE-2021-21409 - CVE-2022-21724 - CVE-2021-22060 + - CVE-2021-35515 + - CVE-2021-35516 + - CVE-2021-35517 + - CVE-2021-36090 bestPracticeViolations: - CIS-DI-0007 diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml deleted file mode 100644 index 10aabe1c..00000000 --- a/.github/workflows/check.yml +++ /dev/null 
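Review bot: The five newly allowed identifiers (CVE-2019-12402 in the first hunk; CVE-2021-35515, CVE-2021-35516, CVE-2021-35517 and CVE-2021-36090 in the second) are added without a comment saying which image or component reports them or why the finding is accepted. As far as I can tell this `general` section is the only scope the allowlist offers, so a suppression accepted for one service's image silences the same finding in every image the matrix scans; annotate each addition, e.g. `- CVE-2019-12402  # <image/component>: <reason>; re-check by <YYYY-MM-DD>`, and prefer a dependency or base-image update where one exists. The surrounding list and the `bestPracticeViolations` section are outside these hunks.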
@@ -1,71 +0,0 @@ -name: FLINT Reporting Docker Images CI/CD - -on: - schedule: - - cron: "0 0 * * MON" - - pull_request: - types: [opened, synchronize, reopened, ready_for_review] - branches: [master] - - push: - branches: [ master ] - # Publish semver tags as releases. - tags: [ 'v*.*.*' ] - -env: - REGISTRY: ghcr.io - -jobs: - publish-reporting-tool-frontend: - name: Publish Reporting Tool (client) - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - - steps: - - name: Checkout repository - uses: actions/checkout@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - - name: Cache Docker layers - uses: actions/cache@v2 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-client-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx-client- - - name: Log into registry ${{ env.REGISTRY }} - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 - with: - images: ${{ env.REGISTRY }}/moja-global/flint_reporting.client - - - name: Build Docker image - uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc - with: - context: ./code/client/ - file: "./code/client/Dockerfile" - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache-new - - # This ugly bit is necessary if you don't want your cache to grow forever - # till it hits GitHub's limit of 5GB. - # Temp fix - # https://github.com/docker/build-push-action/issues/252 - # https://github.com/moby/buildkit/issues/1896 - diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 269afd74..af5e3309 100644 
--- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -62,6 +62,10 @@ jobs: cache-from: type=local,src=/tmp/.buildx-cache cache-to: type=local,dest=/tmp/.buildx-cache-new +- uses: azure/container-scan@v0 + with: + image-name: ${{ env.REGISTRY }}/moja-global/flint_reporting.client:master + # This ugly bit is necessary if you don't want your cache to grow forever # till it hits GitHub's limit of 5GB. # Temp fix @@ -79,6 +83,7 @@ jobs: contents: read packages: write strategy: + fail-fast: false matrix: services: - accountabilities @@ -161,6 +166,10 @@ jobs: cache-from: type=local,src=/tmp/.buildx-cache cache-to: type=local,dest=/tmp/.buildx-cache-new + - uses: azure/container-scan@v0 + with: + image-name: ${{ env.REGISTRY }}/moja-global/flint_reporting.${{ matrix.services }}:master + - name: Move cache run: | rm -rf /tmp/.buildx-cache From 67f6730ae727139cfdf58b62dd0f68ce50e010bc Mon Sep 17 00:00:00 2001 From: Namya LG <53875297+Namyalg@users.noreply.github.com> Date: Tue, 15 Feb 2022 18:33:18 +0530 Subject: [PATCH 3/3] Update docker.yml --- .github/workflows/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index af5e3309..130880a9 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -62,7 +62,7 @@ jobs: cache-from: type=local,src=/tmp/.buildx-cache cache-to: type=local,dest=/tmp/.buildx-cache-new -- uses: azure/container-scan@v0 + - uses: azure/container-scan@v0 with: image-name: ${{ env.REGISTRY }}/moja-global/flint_reporting.client:master
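Review bot: The scan steps in the first (`@@ -62`) and third (`@@ -161`) hunks inspect `…:master` pulled from the registry rather than the image this run just built, and they sit after the build-push step, so a vulnerable image is already published by the time the scan fails; on pull_request runs, where push appears to be disabled (judging by the same job in the deleted check.yml), the scan only re-checks the previously published master image and cannot gate the change. Build and `load` the image locally first, scan that tag, and push only after the scan passes — sketched below for the client job, with the matrix job following the same shape using `flint_reporting.${{ matrix.services }}`; the second build is served from the layer cache. `azure/container-scan@v0` is also referenced by a mutable major-version tag while the neighbouring docker actions are SHA-pinned, so pin it to a commit too. The `fail-fast: false` in the second hunk is reasonable on its own, but with the current ordering it means a failing scan in one matrix service never stops the others from publishing. The enclosing jobs and their earlier steps are outside these hunks.

```yaml
      - name: Build Docker image (local only)
        uses: docker/build-push-action@<full commit SHA>
        with:
          # … unchanged: context, file, labels, cache-from, cache-to …
          push: false
          load: true
          tags: ${{ env.REGISTRY }}/moja-global/flint_reporting.client:${{ github.sha }}

      - name: Scan built image
        uses: azure/container-scan@<full commit SHA>
        with:
          image-name: ${{ env.REGISTRY }}/moja-global/flint_reporting.client:${{ github.sha }}

      - name: Push Docker image
        if: ${{ github.event_name != 'pull_request' }}
        uses: docker/build-push-action@<full commit SHA>
        with:
          # … unchanged: context, file, labels, cache-from …
          push: true
          tags: ${{ steps.meta.outputs.tags }}
```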