Skip to content

test: issues/#3

test: issues/#3 #7

Workflow file for this run

name: Producer-CI
on:
push:
branches:
- main
- feat/issues/#3
paths:
- '03-producer/**' # Any change in this path, make trigger build action.
- '.github/workflows/producer-ci.yaml'
env:
REPO_APP: 'mqtt-producer'
BUILD_CONTEXT: './03-producer'
SLACK_CHANNEL: 'builds-and-ci'
SLACK_MSG_COLOR: '#0092ff'
COMMITER_NAME: 'AutoCommit'
VULN_SEVERITY: 'CRITICAL,HIGH'
VULN_TYPE: 'os,library'
VULN_FORMAT: 'table'
VULN_TIMEOUT_SCAN: '2m0s'
VULN_SCANNERS: 'vuln,secret,misconfig,license'
VULN_IGNORED_LIC: 'MIT' # MIT,LGPL,MPL-2.0
VULN_EXIT_CODE: 1 # 0=pipeline continue 1=pipeline finish.
TRIVY_DISABLE_VEX_NOTICE: true
TRIVY_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
jobs:
Producer-CI_build-docker-image:
runs-on: ubuntu-latest
permissions:
contents: write # get the default GITHUB_TOKEN write permission to commit and push the changed files back to the repository.
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
issues: write # to create new issues in workflows
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Show last version of docker-hub image
id: last_version_remote_file
run: |
LastVersion=$(curl -s "https://hub.docker.com/v2/repositories/jpradoar/${{ env.REPO_APP }}/tags/?page_size=2" | jq -r '.results[].name'|sort -M|grep -v latest|tail -1)
echo "LAST_VERSION=$LastVersion " >> "$GITHUB_OUTPUT"
- name: Generate new version with semantic version
id: nversion
uses: jpradoar/[email protected]
with:
COMMIT_MSG: ${{ github.event.head_commit.message }}
VERSION: ${{ steps.last_version_remote_file.outputs.LAST_VERSION }}
- name: Build and push
uses: docker/build-push-action@v4
with:
context: ${{ env.BUILD_CONTEXT }}
push: true
tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }}
- name: Install trivy last version
run: |
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
- name: search for vulnerabilities
id: trivy_scan
continue-on-error: true
run: |
rm -rf ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table
trivy image \
--scanners ${{ env.VULN_SCANNERS }} \
--severity ${{ env.VULN_SEVERITY }} \
--timeout ${{ env.VULN_TIMEOUT_SCAN }} \
--pkg-types ${{ env.VULN_TYPE }} \
--license-full \
--ignored-licenses ${{ env.VULN_IGNORED_LIC }} \
--format ${{ env.VULN_FORMAT }} \
--exit-code ${{ env.VULN_EXIT_CODE }} \
--db-repository ${{ env.TRIVY_REPOSITORY }} \
--ignore-unfixed \
-o ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table \
'${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }}'
- name: show vulnerability report
if: ${{ steps.trivy_scan.outcome == 'failure' }}
run: |
cat ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table
- name: validate if exist vuln
if: ${{ steps.trivy_scan.outcome == 'failure' }}
run: |
echo "### See detailed vuln scan in: " > /tmp/vuln_info.md
echo "<br> ![](https://custom-icon-badges.demolab.com/badge/Vulnerability-detected-red.svg) <br>" >> /tmp/vuln_info.md
echo " * Vulnerability report: [vuln_scans/${{ env.REPO_APP }}_vuln_scan](https://github.com/${{ github.repository }}/blob/${{ github.ref_name }}/vuln_scans/${{ env.REPO_APP }}_vuln_scan.table)" >> /tmp/vuln_info.md
echo " * Vulnerability detected in commit: ${{ github.sha }}" >> /tmp/vuln_info.md
- name: update data
if: ${{ steps.trivy_scan.outcome == 'failure' }}
run: |
git pull
- name: Upload vuln scan report
uses: EndBug/add-and-commit@v9
with:
message: 'AutoCommit: upload vuln scan report'
add: './vuln_scans/${{ env.REPO_APP }}_vuln_scan.table'
- name: Vulnerability detected - Create issue
if: ${{ steps.trivy_scan.outcome == 'failure' }}
run: |
body="New vulnerability detected on vuln_scans/${{ env.REPO_APP }}_vuln_scan.table"
gh issue create \
--repo ${{ github.repository }} \
--title ":skull: [vuln] vulnerability detected on image ${{ env.REPO_APP }} " \
--body-file '/tmp/vuln_info.md' \
--assignee "jpradoar" \
--label bug --label vulnerability
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Slack docker build Notification
uses: rtCamp/action-slack-notify@v2
env:
SLACK_CHANNEL: ${{ env.SLACK_CHANNEL }}
SLACK_COLOR: ${{ env.SLACK_MSG_COLOR }}
SLACK_MESSAGE: 'URL: https://hub.docker.com/repository/docker/${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}'
SLACK_TITLE: ':rocket: GithubAction Build docker image: [ ${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }} ]'
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
- name: Slack Vulnerability Notification
if: ${{ steps.trivy_scan.outcome == 'failure' }}
uses: rtCamp/action-slack-notify@v2
env:
SLACK_CHANNEL: ${{ env.SLACK_CHANNEL }}
SLACK_COLOR: ${{ env.SLACK_MSG_COLOR }}
SLACK_MESSAGE: 'URL: https://hub.docker.com/repository/docker/${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}'
SLACK_TITLE: ':skull: Vulnerability detected in: [ ${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }} ]'
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}