-
Notifications
You must be signed in to change notification settings - Fork 1
89 lines (88 loc) · 3.73 KB
/
create-docker-image-job.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
on:
workflow_call:
inputs:
container-registry:
required: true
type: string
container-image-name:
required: true
type: string
container-image-version:
required: true
type: string
jobs:
create-docker-image:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
with:
submodules: true
- name: Build docker image
run: docker build --tag ${{ inputs.container-registry }}/${{ inputs.container-image-name }}:${{ inputs.container-image-version }} --secret id=SENTRY_DNS,env=SENTRY_DNS --secret id=SENTRY_AUTH_TOKEN,env=SENTRY_AUTH_TOKEN -f DockerfileApp .
env:
SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
- name: Run Trivy vulnerability image scanner
uses: aquasecurity/trivy-action@a11da62073708815958ea6d84f5650c78a3ef85b
env:
ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
with:
image-ref: ${{ inputs.container-registry }}/${{ inputs.container-image-name }}:${{ inputs.container-image-version }}
format: "sarif"
output: "trivy-results.sarif"
- name: Check trivy results
run: |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
echo "Vulnerabilities found"
exit 1
else
echo "No significant vulnerabilities found"
exit 0
fi
- name: Upload trivy-results.sarif as an artifact
uses: actions/upload-artifact@v4
if: ${{ always () }}
with:
name: trivy-results.sarif
path: trivy-results.sarif
- name: Upload Trivy image scan results to GitHub Security tab (on 'main' only)
uses: github/codeql-action/upload-sarif@v3
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
category: trivy-image-scan
- name: Generate cosign vulnerability scan record
uses: aquasecurity/trivy-action@a11da62073708815958ea6d84f5650c78a3ef85b
env:
ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
with:
image-ref: ${{ inputs.container-registry }}/${{ inputs.container-image-name }}:${{ inputs.container-image-version }}
format: "cosign-vuln"
output: "vuln.json"
- name: Upload cosign vulnerability scan record
uses: actions/upload-artifact@v4
with:
name: "vuln.json"
path: "vuln.json"
if-no-files-found: error
- name: Save image
run: |
mkdir /tmp/images
docker save -o /tmp/images/fullstack-image.tar ${{ inputs.container-registry }}/${{ inputs.container-image-name }}:${{ inputs.container-image-version }}
- uses: actions/cache@v4
with:
path: /tmp/images
key: docker-images-cache-${{ github.run_id }}
restore-keys: docker-images-cache-${{ github.run_id }}
- name: Send status to Slack
uses: digitalservicebund/notify-on-failure-gha@66c485757701f8d5dbee32f24df38d904ca693ba
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}