nodejs-goof-insights/.github/workflows/snyk-cd.yaml at 11ef1542cb1938dd729bf7088376a1c74c4f3298 · iuriikogan-snyk/nodejs-goof-insights · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
name: Snyk CD Action
# Requires DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets
on:
  workflow_dispatch:
  pull_request:
    branches:
      - main
    types: [closed]

env:
  IMAGE_NAME: nodejs-goof-insights
  IMAGE_TAG: v2.0.0
  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

jobs:
  build:
    if: ${{ github.event.pull_request.merged }}
    name: Build and push
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Repo
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          platforms: linux/amd64
          tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Snyk SBOM generate
        run: |
          npm install snyk -g
          snyk auth --auth-type=token $SNYK_TOKEN
          snyk container sbom --format=spdx2.3+json \
          ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} > bom.spdx.json
        continue-on-error: true

        # Install Notation CLI for signing artifacts (https://github.com/notaryproject/notation)
      - name: Install Notation, generate a cert and sign the image
        run: |
          curl -LO https://github.com/notaryproject/notation/releases/download/v1.2.0/notation_1.2.0\_linux_amd64.tar.gz
          sudo tar xvzf notation_1.2.0_linux_amd64.tar.gz -C /usr/bin/ notation

          notation cert generate-test --default "wabbit-networks.io"

          notation sign "docker.io/${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}" \
          -u ${{ secrets.DOCKERHUB_USERNAME }} -p ${{ secrets.DOCKERHUB_PASSWORD}}

      - name: Push SBOM and Signature to Registry
        # Push SBOM and signature to registry using ORAS (https://oras.land/docs/installation)
        run: |
          curl -LO "https://github.com/oras-project/oras/releases/download/v1.2.0/oras_1.2.0_linux_amd64.tar.gz"
          sudo tar -xvzf oras_1.2.0_linux_amd64.tar.gz -C /usr/bin/ oras

          echo ${{ secrets.DOCKERHUB_PASSWORD }} | oras login docker.io -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin

          oras attach "docker.io/${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}" \
          --artifact-type application/spdx+json \
          bom.spdx.json

      - name: Snyk Container Monitor
        run: |
          snyk container monitor "${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}" \
          --file=Dockerfile --exclude-app-vulns --platform=linux/amd64 \
          --tags="component=pkg:${{ github.repository }}@${{ github.ref_name }}" \
          --org=${{ secrets.SNYK_ORG_ID }} --target-reference=${{ github.repository }}

        continue-on-error: true