Patch vulnerabilities with COPA #10
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Patch vulnerabilities with COPA | |
| on: | |
| # change these to your preferred event triggers | |
| # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows | |
| workflow_dispatch: | |
| inputs: | |
| tag: | |
| description: 'Version Tag' | |
| required: true | |
| default: '0.1.4' | |
| jobs: | |
| patch: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| images: | |
| - "ghcr.io/drasi-project/source-change-router:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/source-change-dispatcher:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/source-query-api:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/source-debezium-reactivator:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/source-gremlin-proxy:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/source-sql-proxy:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/source-cosmosdb-reactivator:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/source-dataverse-reactivator:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/source-dataverse-proxy:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/source-eventhub-reactivator:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/source-eventhub-reactivator:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/api:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/kubernetes-provider:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/query-container-query-host:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/query-container-publish-api:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/query-container-view-svc:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/reaction-result:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/reaction-signalr:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/reaction-dataverse:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/reaction-debezium:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/reaction-debug:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/reaction-eventgrid:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/reaction-gremlin:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/reaction-storagequeue:${{ github.event.inputs.tag }}" | |
| - "ghcr.io/drasi-project/reaction-storedproc:${{ github.event.inputs.tag }}" | |
| steps: | |
| - name: Generate Trivy Report | |
| uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1 | |
| with: | |
| scan-type: "image" | |
| format: "json" | |
| output: "report.json" | |
| ignore-unfixed: true | |
| severity: 'HIGH,CRITICAL' | |
| vuln-type: "os" | |
| image-ref: ${{ matrix.images }} | |
| env: | |
| TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db | |
| # check whether there are any OS package vulnerabilities | |
| - name: Check vulnerability count | |
| id: vuln_count | |
| run: | | |
| report_file="report.json" | |
| vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file") | |
| echo "Vulnerability count: $vuln_count" | |
| echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT | |
| # copa action will only run if there are vulnerabilities | |
| - name: Run Copa action | |
| if: steps.vuln_count.outputs.vuln_count != '0' | |
| id: copa | |
| # using main for testing purposes | |
| # use a tag (such as v1 or v1.0.1) at a bare minimum | |
| # recommendation is to pin to a digest for security and stability | |
| # and rely on dependabot for digest/version updates | |
| uses: project-copacetic/copa-action@main | |
| with: | |
| image: ${{ matrix.images }} | |
| image-report: "report.json" | |
| patched-tag: "${{ github.event.inputs.tag }}" | |
| timeout: "5m" # optional, default is 5m | |
| output: vex.json # optional | |
| # copa-version: "0.6.0" # optional, default is latest | |
| # buildkit-version: "v0.12.4" # optional, default is latest | |
| # custom-socket: "/var/run/buildkit/buildkitd.sock" # optional, used for custom socket address | |
| # see https://github.com/docker/login-action#usage for other registries | |
| - name: Login to GHCR | |
| if: steps.copa.conclusion == 'success' | |
| id: login | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Push patched image | |
| if: steps.login.conclusion == 'success' | |
| run: | | |
| # retag if needed | |
| docker tag ${{ steps.copa.outputs.patched-image }} ghcr.io/drasi-project/reaction-result:${{ github.event.inputs.tag }} | |
| docker push ghcr.io/drasi-project/reaction-result:${{ github.event.inputs.tag }} |