test: issues/#3 #6

Workflow file for this run

.github/workflows/producer-ci.yaml at 9dae963

	name: Producer-CI
	on:
	push:
	branches:
	- main
	- feat/issues/#3
	paths:
	- '03-producer/**' # Any change in this path, make trigger build action.
	- '.github/workflows/producer-ci.yaml'

	env:
	REPO_APP: 'mqtt-producer'
	BUILD_CONTEXT: './03-producer'
	SLACK_CHANNEL: 'builds-and-ci'
	SLACK_MSG_COLOR: '#0092ff'
	COMMITER_NAME: 'AutoCommit'
	VULN_SEVERITY: 'CRITICAL,HIGH'
	VULN_TYPE: 'os,library'
	VULN_FORMAT: 'table'
	VULN_TIMEOUT_SCAN: '2m0s'
	VULN_SCANNERS: 'vuln,secret,misconfig,license'
	VULN_IGNORED_LIC: 'MIT' # MIT,LGPL,MPL-2.0
	VULN_EXIT_CODE: 1 # 0=pipeline continue 1=pipeline finish.
	TRIVY_DISABLE_VEX_NOTICE: true
	TRIVY_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'


	jobs:
	Producer-CI_build-docker-image:
	runs-on: ubuntu-latest
	permissions:
	contents: write # get the default GITHUB_TOKEN write permission to commit and push the changed files back to the repository.
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
	issues: write # to create new issues in workflows

	steps:

	- name: Checkout
	uses: actions/checkout@v3

	- name: Login to Docker Hub
	uses: docker/login-action@v2
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v2


	- name: Show last version of docker-hub image
	id: last_version_remote_file
	run: \|
	LastVersion=$(curl -s "https://hub.docker.com/v2/repositories/jpradoar/${{ env.REPO_APP }}/tags/?page_size=2" \| jq -r '.results[].name'\|sort -M\|grep -v latest\|tail -1)
	echo "LAST_VERSION=$LastVersion " >> "$GITHUB_OUTPUT"

	- name: Generate new version with semantic version
	id: nversion
	uses: jpradoar/[email protected]
	with:
	COMMIT_MSG: ${{ github.event.head_commit.message }}
	VERSION: ${{ steps.last_version_remote_file.outputs.LAST_VERSION }}


	- name: Build and push
	uses: docker/build-push-action@v4
	with:
	context: ${{ env.BUILD_CONTEXT }}
	push: true
	tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }}


	- name: Install trivy last version
	run: \|
	sudo apt-get install wget apt-transport-https gnupg lsb-release
	wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \| sudo apt-key add -
	echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main \| sudo tee -a /etc/apt/sources.list.d/trivy.list
	sudo apt-get update
	sudo apt-get install trivy


	- name: search for vulnerabilities
	id: trivy_scan
	continue-on-error: true
	run: \|
	rm -rf ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table
	trivy image \
	--scanners ${{ env.VULN_SCANNERS }} \
	--severity ${{ env.VULN_SEVERITY }} \
	--timeout ${{ env.VULN_TIMEOUT_SCAN }} \
	--pkg-types ${{ env.VULN_TYPE }} \
	--license-full \
	--ignored-licenses ${{ env.VULN_IGNORED_LIC }} \
	--format ${{ env.VULN_FORMAT }} \
	--exit-code ${{ env.VULN_EXIT_CODE }} \
	--db-repository ${{ env.TRIVY_REPOSITORY }} \
	--ignore-unfixed \
	-o ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table \
	'${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }}'


	- name: show vulnerability report
	if: ${{ steps.trivy_scan.outcome == 'failure' }}
	run: \|
	cat ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table

	- name: validate if exist vuln
	if: ${{ steps.trivy_scan.outcome == 'failure' }}
	run: \|
	echo "### See detailed vuln scan in: " > /tmp/vuln_info.md
	echo "<br> ![](https://custom-icon-badges.demolab.com/badge/Vulnerability-detected-red.svg) <br>" >> /tmp/vuln_info.md
	echo " * Vulnerability report: [vuln_scans/${{ env.REPO_APP }}_vuln_scan](https://github.com/${{ github.repository }}/blob/${{ github.ref_name }}/vuln_scans/${{ env.REPO_APP }}_vuln_scan.table)" >> /tmp/vuln_info.md
	echo " * Vulnerability detected in commit: ${{ github.sha }}" >> /tmp/vuln_info.md

	- name: Upload vuln scan report
	uses: EndBug/add-and-commit@v9
	with:
	message: 'AutoCommit: upload vuln scan report'
	add: './vuln_scans/${{ env.REPO_APP }}_vuln_scan.table'

	- name: Vulnerability detected - Create issue
	if: ${{ steps.trivy_scan.outcome == 'failure' }}
	run: \|
	body="New vulnerability detected on vuln_scans/${{ env.REPO_APP }}_vuln_scan.table"
	gh issue create \
	--repo ${{ github.repository }} \
	--title ":skull: [vuln] vulnerability detected on image ${{ env.REPO_APP }} " \
	--body-file '/tmp/vuln_info.md' \
	--assignee "jpradoar" \
	--label bug --label vulnerability
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}


	- name: Slack docker build Notification
	uses: rtCamp/action-slack-notify@v2
	env:
	SLACK_CHANNEL: ${{ env.SLACK_CHANNEL }}
	SLACK_COLOR: ${{ env.SLACK_MSG_COLOR }}
	SLACK_MESSAGE: 'URL: https://hub.docker.com/repository/docker/${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}'
	SLACK_TITLE: ':rocket: GithubAction Build docker image: [ ${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }} ]'
	SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}


	- name: Slack Vulnerability Notification
	if: ${{ steps.trivy_scan.outcome == 'failure' }}
	uses: rtCamp/action-slack-notify@v2
	env:
	SLACK_CHANNEL: ${{ env.SLACK_CHANNEL }}
	SLACK_COLOR: ${{ env.SLACK_MSG_COLOR }}
	SLACK_MESSAGE: 'URL: https://hub.docker.com/repository/docker/${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}'
	SLACK_TITLE: ':skull: Vulnerability detected in: [ ${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }} ]'
	SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

test: issues/#3 #6

Workflow file

test: issues/#3 #6

Jobs

Run details

Workflow file for this run