Security #35
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| schedule: | |
| - cron: '0 5 * * 1-5' | |
| workflow_dispatch: | |
| jobs: | |
| scan-code: | |
| name: Scan code | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout project | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Trivy source code | |
| id: trivy_source_code | |
| uses: aquasecurity/trivy-action@0.33.1 | |
| with: | |
| scan-type: fs | |
| scan-ref: . | |
| scanners: vuln | |
| severity: CRITICAL,HIGH | |
| format: sarif | |
| output: trivy-results.sarif | |
| ignore-unfixed: true | |
| limit-severities-for-sarif: true | |
| - name: Upload Trivy source code report | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| category: source-code | |
| scan-docker: | |
| name: Scan Docker ${{ matrix.platform }} | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| platform: [ 'linux/amd64', 'linux/arm64' ] | |
| steps: | |
| - name: Checkout project | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v5 | |
| with: | |
| java-version: '21' | |
| distribution: 'temurin' | |
| - name: Cache Gradle packages | |
| uses: actions/cache@v5 | |
| with: | |
| path: ~/.gradle/caches | |
| key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }} | |
| restore-keys: ${{ runner.os }}-gradle | |
| - name: Build | |
| run: ./gradlew build -x test --info | |
| - name: Metadata | |
| id: metadata | |
| run: | | |
| platform_slug=$(echo ${{ matrix.platform }} | sed 's/\//-/g') | |
| echo platform_slug=$platform_slug >> $GITHUB_OUTPUT | |
| echo image_name=michelin/kafkactl:$platform_slug-jar >> $GITHUB_OUTPUT | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Docker build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: .docker/jar.Dockerfile | |
| platforms: ${{ matrix.platform }} | |
| push: false | |
| load: true | |
| tags: ${{ steps.metadata.outputs.image_name }} | |
| env: | |
| DOCKER_BUILD_SUMMARY: false | |
| - name: Trivy Docker image | |
| uses: aquasecurity/trivy-action@0.33.1 | |
| with: | |
| scan-type: image | |
| image-ref: ${{ steps.metadata.outputs.image_name }} | |
| scanners: vuln | |
| severity: CRITICAL,HIGH | |
| format: sarif | |
| output: trivy-results.sarif | |
| ignore-unfixed: true | |
| limit-severities-for-sarif: true | |
| - name: Upload Trivy Docker image report | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| category: docker-image-${{ steps.metadata.outputs.platform_slug }} | |
| build-native: | |
| name: Build Native Image ${{ matrix.platform }} | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: [ 'ubuntu-latest', 'ubuntu-24.04-arm' ] | |
| include: | |
| - os: 'ubuntu-latest' | |
| platform: 'linux-amd64' | |
| - os: 'ubuntu-24.04-arm' | |
| platform: 'linux-arm64' | |
| steps: | |
| - name: Checkout project | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up GraalVM | |
| uses: graalvm/setup-graalvm@v1 | |
| with: | |
| distribution: 'graalvm' | |
| java-version: '21' | |
| native-image-musl: ${{ matrix.os == 'ubuntu-latest' }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Cache Gradle packages | |
| uses: actions/cache@v5 | |
| with: | |
| path: ~/.gradle/caches | |
| key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }} | |
| restore-keys: ${{ runner.os }}-gradle | |
| - name: Build | |
| run: ./gradlew nativeCompile ${{ matrix.os == 'ubuntu-latest' && '-Pmusl' || '' }} | |
| - name: Metadata | |
| id: metadata | |
| run: echo current_version=$(echo $(./gradlew properties --no-daemon --console=plain -q | grep "^version:" | awk '{printf $2}')) >> $GITHUB_OUTPUT | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v6 | |
| with: | |
| name: kafkactl-${{ matrix.platform }} | |
| path: build/native/nativeCompile/kafkactl-${{ steps.metadata.outputs.current_version }} | |
| scan-docker-native: | |
| name: Scan Docker Native Image ${{ matrix.platform }} | |
| runs-on: ubuntu-latest | |
| needs: build-native | |
| strategy: | |
| matrix: | |
| platform: [ 'linux/amd64', 'linux/arm64' ] | |
| steps: | |
| - name: Checkout project | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Download native artifact | |
| uses: actions/download-artifact@v7 | |
| with: | |
| pattern: kafkactl-linux-* | |
| path: build/native/nativeCompile | |
| - name: Metadata | |
| id: metadata | |
| run: | | |
| platform_slug=$(echo ${{ matrix.platform }} | sed 's/\//-/g') | |
| echo platform_slug=$platform_slug >> $GITHUB_OUTPUT | |
| echo image_name=michelin/kafkactl:$platform_slug >> $GITHUB_OUTPUT | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Docker build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: .docker/Dockerfile | |
| platforms: ${{ matrix.platform }} | |
| push: false | |
| load: true | |
| tags: ${{ steps.metadata.outputs.image_name }} | |
| env: | |
| DOCKER_BUILD_SUMMARY: false | |
| - name: Trivy Docker image | |
| uses: aquasecurity/trivy-action@0.33.1 | |
| with: | |
| scan-type: image | |
| image-ref: ${{ steps.metadata.outputs.image_name }} | |
| scanners: vuln | |
| severity: CRITICAL,HIGH | |
| format: sarif | |
| output: trivy-results.sarif | |
| ignore-unfixed: true | |
| limit-severities-for-sarif: true | |
| - name: Upload Trivy Docker image report | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| category: docker-image-native-${{ steps.metadata.outputs.platform_slug }} |