-
Notifications
You must be signed in to change notification settings - Fork 0
110 lines (99 loc) · 4.09 KB
/
ci-spring-boot-container-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
name: Container scan
on:
workflow_call:
inputs:
image-name:
description: Name of Docker image
required: false
type: string
image-pack:
description: Docker image pack of builder-jammy-tiny, builder-jammy-base or builder-jammy-full
default: builder-jammy-tiny
required: false
type: string
registry-url:
description: Image/Container Registery URL
default: "my-local-registery"
required: false
type: string
java-version:
description: Main version of java
default: "11"
required: false
type: string
container-scan-offline-mode:
description: Container-scan is default download updated CVE definitions via Trivy, enable offline on download problems
default: false
type: boolean
setup-npm-auth:
description: Configure private NPM registry authentication
default: false
required: false
type: boolean
application-path:
default: "./"
required: false
type: string
jobs:
build-and-scan-image:
runs-on: ubuntu-latest
env:
REPOSITORY-NAME: ${{ github.event.repository.name }}
DOCKLE_HOST: "unix:///var/run/docker.sock"
TRIVY_OFFLINE_SCAN: ${{ inputs.container-scan-offline-mode }}
steps:
- name: Set image tag
id: set-image-tag
run: echo "image-tag=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8}" >> "$GITHUB_OUTPUT"
- name: Set image name
id: set-image-name
run: |
echo "image-name=${{ inputs.registry-url }}/${{ inputs.image-name || env.REPOSITORY-NAME }}" >> "$GITHUB_OUTPUT"
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # [email protected]
- name: Set up JDK ${{ inputs.java-version }}
uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # [email protected]
with:
distribution: "liberica"
java-version: ${{ inputs.java-version }}
- name: Configure private NPM registry authentication
if: ${{ inputs.setup-npm-auth == true }}
uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # [email protected]
with:
node-version: '20.x'
registry-url: 'https://npm.pkg.github.com'
scope: '@felleslosninger'
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Cache Maven packages
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # [email protected]
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Maven environment setup
uses: s4u/maven-settings-action@64e42c454dbd42ef6370ac8539685755aedd205b # [email protected]
with:
servers: |
[{
"id": "github-oidc-sdk",
"username": "${{ secrets.MAVEN_USER }}",
"password": "${{ secrets.MAVEN_PASSWORD }}"
},
{
"id": "github",
"username": "${{ secrets.MAVEN_USER }}",
"password": "${{ secrets.MAVEN_PASSWORD }}"
}]
- name: Build image with Maven (skips tests)
run: mvn -DskipTests -B spring-boot:build-image --file ${{ inputs.application-path }}pom.xml -Dspring-boot.build-image.imageName=${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} -Dspring-boot.build-image.builder=paketobuildpacks/${{ inputs.image-pack }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # [email protected]
id: trivy-primary
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1
with:
image-ref: "${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }}"
exit-code: "1"
severity: "CRITICAL,HIGH"