test: issues/#3 #4
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Producer-CI | |
on: | |
push: | |
branches: | |
- main | |
- feat/issues/#3 | |
paths: | |
- '03-producer/**' # Any change in this path, make trigger build action. | |
- '.github/workflows/producer-ci.yaml' | |
env: | |
REPO_APP: 'mqtt-producer' | |
BUILD_CONTEXT: './03-producer' | |
SLACK_CHANNEL: 'builds-and-ci' | |
SLACK_MSG_COLOR: '#0092ff' | |
COMMITER_NAME: 'AutoCommit' | |
VULN_SEVERITY: 'CRITICAL,HIGH' | |
VULN_TYPE: 'os,library' | |
VULN_FORMAT: 'table' | |
VULN_TIMEOUT_SCAN: '2m0s' | |
VULN_SCANNERS: 'vuln,secret,misconfig,license' | |
VULN_IGNORED_LIC: 'MIT' # MIT,LGPL,MPL-2.0 | |
VULN_EXIT_CODE: 1 # 0=pipeline continue 1=pipeline finish. | |
TRIVY_DISABLE_VEX_NOTICE: true | |
TRIVY_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2' | |
jobs: | |
Producer-CI_build-docker-image: | |
runs-on: ubuntu-latest | |
# Give the default GITHUB_TOKEN write permission to commit and push the changed files back to the repository. | |
permissions: | |
contents: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Login to Docker Hub | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Show last version of docker-hub image | |
id: last_version_remote_file | |
run: | | |
LastVersion=$(curl -s "https://hub.docker.com/v2/repositories/jpradoar/${{ env.REPO_APP }}/tags/?page_size=2" | jq -r '.results[].name'|sort -M|grep -v latest|tail -1) | |
echo "LAST_VERSION=$LastVersion " >> "$GITHUB_OUTPUT" | |
- name: Generate new version with semantic version | |
id: nversion | |
uses: jpradoar/[email protected] | |
with: | |
COMMIT_MSG: ${{ github.event.head_commit.message }} | |
VERSION: ${{ steps.last_version_remote_file.outputs.LAST_VERSION }} | |
- name: Build and push | |
uses: docker/build-push-action@v4 | |
with: | |
context: ${{ env.BUILD_CONTEXT }} | |
push: true | |
tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }} | |
- name: Install trivy last version | |
run: | | |
sudo apt-get install wget apt-transport-https gnupg lsb-release | |
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - | |
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list | |
sudo apt-get update | |
sudo apt-get install trivy | |
- name: search for vulnerabilities | |
id: trivy_scan | |
continue-on-error: true | |
run: | | |
rm -rf ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table | |
trivy image \ | |
--scanners ${{ env.VULN_SCANNERS }} \ | |
--severity ${{ env.VULN_SEVERITY }} \ | |
--timeout ${{ env.VULN_TIMEOUT_SCAN }} \ | |
--pkg-types ${{ env.VULN_TYPE }} \ | |
--license-full \ | |
--ignored-licenses ${{ env.VULN_IGNORED_LIC }} \ | |
--format ${{ env.VULN_FORMAT }} \ | |
--exit-code ${{ env.VULN_EXIT_CODE }} \ | |
--db-repository ${{ env.TRIVY_REPOSITORY }} \ | |
--ignore-unfixed \ | |
-o ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table \ | |
'${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }}' | |
- name: show vulnerability report | |
if: ${{ steps.trivy_scan.outcome == 'failure' }} | |
run: | | |
cat ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table | |
- name: validate if exist vuln | |
if: ${{ steps.trivy_scan.outcome == 'failure' }} | |
run: | | |
echo "### See detailed vuln scan in: " > /tmp/vuln_info.md | |
echo "<br> ![](https://custom-icon-badges.demolab.com/badge/Vulnerability-detected-red.svg) <br>" >> /tmp/vuln_info.md | |
echo " * Vulnerability report: [vuln_scans/${{ env.REPO_APP }}_vuln_scan](https://github.com/${{ github.repository }}/blob/${{ github.ref_name }}/vuln_scans/${{ env.REPO_APP }}_vuln_scan.table)" >> /tmp/vuln_info.md | |
echo " * Vulnerability detected in commit: ${{ github.sha }}" >> /tmp/vuln_info.md | |
- name: Upload vuln scan report | |
uses: EndBug/add-and-commit@v9 | |
with: | |
message: 'AutoCommit: upload vuln scan report' | |
add: './vuln_scans/${{ env.REPO_APP }}_vuln_scan.table' | |
- name: Vulnerability detected - Create issue | |
if: ${{ steps.trivy_scan.outcome == 'failure' }} | |
run: | | |
body="New vulnerability detected on vuln_scans/${{ env.REPO_APP }}_vuln_scan.table" | |
gh issue create \ | |
--repo ${{ github.repository }} \ | |
--title ":skull: [vuln] vulnerability detected on image ${{ env.REPO_APP }} " \ | |
--body-file '/tmp/vuln_info.md' \ | |
--assignee "jpradoar" \ | |
--label bug --label vulnerability | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Slack docker build Notification | |
uses: rtCamp/action-slack-notify@v2 | |
env: | |
SLACK_CHANNEL: ${{ env.SLACK_CHANNEL }} | |
SLACK_COLOR: ${{ env.SLACK_MSG_COLOR }} | |
SLACK_MESSAGE: 'URL: https://hub.docker.com/repository/docker/${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}' | |
SLACK_TITLE: ':rocket: GithubAction Build docker image: [ ${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }} ]' | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
- name: Slack Vulnerability Notification | |
if: ${{ steps.trivy_scan.outcome == 'failure' }} | |
uses: rtCamp/action-slack-notify@v2 | |
env: | |
SLACK_CHANNEL: ${{ env.SLACK_CHANNEL }} | |
SLACK_COLOR: ${{ env.SLACK_MSG_COLOR }} | |
SLACK_MESSAGE: 'URL: https://hub.docker.com/repository/docker/${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}' | |
SLACK_TITLE: ':skull: Vulnerability detected in: [ ${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }} ]' | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |