producer-ci.yaml
# Producer-CI: starts on pushes that touch the producer sources or this
# workflow file itself.
name: Producer-CI

on:
  push:
    # Only pushes to these branches are considered.
    branches:
      - main
      - 'feat/issues/#3'  # quoted so the '#' can never be read as a comment start
    # Path filter: the push must change at least one matching file.
    paths:
      - '03-producer/**'
      - '.github/workflows/producer-ci.yaml'
# Workflow-level variables, shared by every step of the job below.
env:
  # Image name and Docker build context.
  REPO_APP: 'mqtt-producer'
  BUILD_CONTEXT: './03-producer'

  # Slack notification settings.
  SLACK_CHANNEL: 'builds-and-ci'
  SLACK_MSG_COLOR: '#0092ff'

  # NOTE(review): no step in this workflow references COMMITER_NAME.
  COMMITER_NAME: 'AutoCommit'

  # Trivy settings; the scan step passes each one as a command-line flag.
  VULN_SEVERITY: 'CRITICAL,HIGH'
  VULN_TYPE: 'os,library'
  VULN_FORMAT: 'table'
  VULN_TIMEOUT_SCAN: '2m0s'
  VULN_SCANNERS: 'vuln,secret,misconfig,license'
  VULN_IGNORED_LIC: 'MIT'  # MIT,LGPL,MPL-2.0
  # Exit status trivy uses when it reports findings. The scan step is
  # continue-on-error, so a value of 1 marks that step as failed (which is what
  # the report/issue/Slack steps test for) but does not stop the job.
  VULN_EXIT_CODE: '1'
  TRIVY_DISABLE_VEX_NOTICE: 'true'
  # Passed to trivy as --db-repository.
  TRIVY_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
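jobs:
  # Single job: build and push the producer image, scan the pushed image with
  # Trivy, commit the scan report, then notify (GitHub issue + Slack).
  #
  # NOTE(review): the image is pushed before it is scanned and the scan step is
  # continue-on-error, so findings never block publication; they only gate the
  # reporting steps. Scanning the build before the push would make the scan a
  # real gate.
  # NOTE(review): every action is referenced by a mutable tag (@v2, @v3, ...).
  # This job holds Docker Hub and Slack secrets plus a write-scoped
  # GITHUB_TOKEN, so pinning third-party actions to a full commit SHA is the
  # safer reference.
  Producer-CI_build-docker-image:
    runs-on: ubuntu-latest
    # Scopes granted to the default GITHUB_TOKEN for this job.
    permissions:
      contents: write  # lets the add-and-commit step push the scan report back to the repository
      # NOTE(review): no step in this job uploads SARIF, so the next two scopes
      # look unused; dropping them would tighten the token.
      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read  # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
      issues: write  # to create new issues in workflows
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      # Queries Docker Hub for the first two tags (page_size=2), drops `latest`
      # and exports the highest remaining tag as LAST_VERSION.
      # `sort -V` orders version strings; the previous `sort -M` is a
      # month-name sort. The value is written without a trailing space so the
      # next step receives the bare tag.
      - name: Show last version of docker-hub image
        id: last_version_remote_file
        run: |
          LastVersion=$(curl -s "https://hub.docker.com/v2/repositories/jpradoar/${REPO_APP}/tags/?page_size=2" | jq -r '.results[].name' | sort -V | grep -v latest | tail -1)
          echo "LAST_VERSION=$LastVersion" >> "$GITHUB_OUTPUT"

      # NOTE(review): the action reference below was mangled by the hosting
      # page's e-mail obfuscation; restore the real `owner/repo@ref` from the
      # repository before using this file.
      # NOTE(review): COMMIT_MSG is free text written by whoever pushed; how the
      # action consumes it is not visible here, so treat NEW_VERSION as
      # untrusted in later shell steps.
      - name: Generate new version with semantic version
        id: nversion
        uses: jpradoar/[email protected]
        with:
          COMMIT_MSG: ${{ github.event.head_commit.message }}
          VERSION: ${{ steps.last_version_remote_file.outputs.LAST_VERSION }}

      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: ${{ env.BUILD_CONTEXT }}
          push: true
          tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }}

      # The repository key goes into its own keyring and the source entry is
      # bound to it with signed-by, replacing the deprecated `apt-key add`
      # (which trusts the key for every configured repository). `-y` keeps
      # apt-get from waiting on a prompt in the non-interactive runner.
      - name: Install trivy last version
        run: |
          sudo apt-get install -y wget apt-transport-https gnupg lsb-release
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
          sudo apt-get update
          sudo apt-get install -y trivy

      # Scans the image that was just pushed. Values reach the script through
      # environment variables instead of `${{ }}` text substitution, so nothing
      # derived from a step output is ever parsed as shell syntax.
      # continue-on-error keeps the job running; later steps test this step's
      # `outcome` to decide whether to report.
      - name: search for vulnerabilities
        id: trivy_scan
        continue-on-error: true
        env:
          IMAGE_REF: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }}
        run: |
          rm -rf "./vuln_scans/${REPO_APP}_vuln_scan.table"
          trivy image \
            --scanners "$VULN_SCANNERS" \
            --severity "$VULN_SEVERITY" \
            --timeout "$VULN_TIMEOUT_SCAN" \
            --pkg-types "$VULN_TYPE" \
            --license-full \
            --ignored-licenses "$VULN_IGNORED_LIC" \
            --format "$VULN_FORMAT" \
            --exit-code "$VULN_EXIT_CODE" \
            --db-repository "$TRIVY_REPOSITORY" \
            --ignore-unfixed \
            -o "./vuln_scans/${REPO_APP}_vuln_scan.table" \
            "$IMAGE_REF"

      - name: show vulnerability report
        if: ${{ steps.trivy_scan.outcome == 'failure' }}
        run: |
          cat "./vuln_scans/${REPO_APP}_vuln_scan.table"

      # Builds the issue body. Repository, branch and commit come from the
      # runner's default GITHUB_* variables rather than `${{ github.* }}`
      # substitution, so a branch name is never parsed as shell syntax.
      - name: validate if exist vuln
        if: ${{ steps.trivy_scan.outcome == 'failure' }}
        run: |
          echo "### See detailed vuln scan in: " > /tmp/vuln_info.md
          echo "<br> ![](https://custom-icon-badges.demolab.com/badge/Vulnerability-detected-red.svg) <br>" >> /tmp/vuln_info.md
          echo " * Vulnerability report: [vuln_scans/${REPO_APP}_vuln_scan](https://github.com/${GITHUB_REPOSITORY}/blob/${GITHUB_REF_NAME}/vuln_scans/${REPO_APP}_vuln_scan.table)" >> /tmp/vuln_info.md
          echo " * Vulnerability detected in commit: ${GITHUB_SHA}" >> /tmp/vuln_info.md

      # Runs on every build (no `if`): commits the freshly written report.
      - name: Upload vuln scan report
        uses: EndBug/add-and-commit@v9
        with:
          message: 'AutoCommit: upload vuln scan report'
          add: './vuln_scans/${{ env.REPO_APP }}_vuln_scan.table'

      # Opens an issue whose body is the file written by the step above.
      # The unused `body=` shell variable was dropped; --body-file is the only
      # body source.
      - name: Vulnerability detected - Create issue
        if: ${{ steps.trivy_scan.outcome == 'failure' }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh issue create \
            --repo "$GITHUB_REPOSITORY" \
            --title ":skull: [vuln] vulnerability detected on image ${REPO_APP} " \
            --body-file '/tmp/vuln_info.md' \
            --assignee "jpradoar" \
            --label bug --label vulnerability

      - name: Slack docker build Notification
        uses: rtCamp/action-slack-notify@v2
        env:
          SLACK_CHANNEL: ${{ env.SLACK_CHANNEL }}
          SLACK_COLOR: ${{ env.SLACK_MSG_COLOR }}
          SLACK_MESSAGE: 'URL: https://hub.docker.com/repository/docker/${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}'
          SLACK_TITLE: ':rocket: GithubAction Build docker image: [ ${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }} ]'
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

      - name: Slack Vulnerability Notification
        if: ${{ steps.trivy_scan.outcome == 'failure' }}
        uses: rtCamp/action-slack-notify@v2
        env:
          SLACK_CHANNEL: ${{ env.SLACK_CHANNEL }}
          SLACK_COLOR: ${{ env.SLACK_MSG_COLOR }}
          SLACK_MESSAGE: 'URL: https://hub.docker.com/repository/docker/${{ secrets.DOCKERHUB_USERNAME }}/${{ env.REPO_APP }}'
          SLACK_TITLE: ':skull: Vulnerability detected in: [ ${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }} ]'
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}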