From c043381c5c4a2219ce9d5d8e782c6c0c2f16d7a1 Mon Sep 17 00:00:00 2001
From: Jose Matsuda
Date: Thu, 10 Aug 2023 11:21:31 -0400
Subject: [PATCH 01/10] feat(workflows): integrate dockle
---
 .github/workflows/build.yml | 12 +++++++++++-
 .github/workflows/publish.yml | 12 +++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 66c5d5a..4cf833d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -50,4 +50,14 @@ jobs:
 - name: Aqua Security Trivy image scan
 run: |
 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
- trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
\ No newline at end of file
+ trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
+
+ # Run Dockle
+ - name: Run dockle
+ uses: goodwithtech/dockle-action@main
+ with:
+ image: localhost:5000/${{ matrix.image }}:${{ github.sha }}
+ format: 'list'
+ exit-code: '1'
+ exit-level: 'fatal'
+ ignore: 'DKL-DI-0006'
\ No newline at end of file
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index e4b74fb..f43ee08 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
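Review bot: `uses: goodwithtech/dockle-action@main` on the new `Run dockle` step tracks a mutable branch, so whatever that repository pushes next runs inside this job with whatever permissions the job has and with access to the image just built; pin it to a tagged release or, better, a full commit SHA with the version noted beside it, e.g. `uses: goodwithtech/dockle-action@<full-commit-sha>  # <release tag>`. The `ignore: 'DKL-DI-0006'` line suppresses a checkpoint with no explanation, so the exception cannot be reviewed later; a comment such as `# DKL-DI-0006 ignored because: <reason>` above it would keep it auditable. Both lines are added identically to publish.yml in this patch's second hunk, so the same fix applies there.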
@@ -65,7 +65,17 @@ jobs:
 run: |
 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
 trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
-
+
+ # Run Dockle
+ - name: Run dockle
+ uses: goodwithtech/dockle-action@main
+ with:
+ image: localhost:5000/${{ matrix.image }}:${{ github.sha }}
+ format: 'list'
+ exit-code: '1'
+ exit-level: 'fatal'
+ ignore: 'DKL-DI-0006'
+
 # Container build and push to a Azure Container registry (ACR)
 - run: |
 docker pull localhost:5000/${{ matrix.image }}:${{ github.sha }}
From e50303af02b0a19c2bd4d5fd5367f25cbc01239b Mon Sep 17 00:00:00 2001
From: Jose Matsuda
Date: Fri, 11 Aug 2023 05:45:14 -0400
Subject: [PATCH 02/10] test fix for build
---
 .github/workflows/build.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4cf833d..c90117a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -26,6 +26,8 @@ jobs:
 build:
 env:
 TRIVY_VERSION: "v0.43.1"
+ #https://github.com/aquasecurity/trivy/issues/2432#issuecomment-1172432975
+ DOCKLE_HOST: "unix:///var/run/docker.sock"
 needs: listimages
 strategy:
 fail-fast: false
From e05bd2070ef4dfda03149adaff1af96545eec6d4 Mon Sep 17 00:00:00 2001
From: Jose Matsuda
Date: Fri, 11 Aug 2023 05:50:47 -0400
Subject: [PATCH 03/10] test moving around
---
 .github/workflows/build.yml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c90117a..7c8aeda 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
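Review bot: The comment added above `DOCKLE_HOST` in the patch-02 hunk is a bare issue link that says nothing about what the variable does, and it lacks the space after `#` that yamllint's comments rule expects. The value points dockle at the runner's Docker daemon socket, presumably so the scan can reach the image the previous step built rather than pulling it over the network; that intent should be stated in the comment, e.g. `# Scan via the runner's Docker daemon socket (see trivy issue 2432 linked below)`, and confirmed by whoever knows why the earlier run failed, since the commit message `test fix for build` gives no reason. The `env:` mapping this hunk edits begins before the hunk.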
@@ -48,12 +48,6 @@ jobs:
 docker rmi localhost:5000/${{ matrix.image }}:${{ github.sha }}
 docker image prune
- # Scan image for vulnerabilities
- - name: Aqua Security Trivy image scan
- run: |
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
- trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
-
 # Run Dockle
 - name: Run dockle
 uses: goodwithtech/dockle-action@main
@@ -62,4 +56,11 @@ jobs:
 format: 'list'
 exit-code: '1'
 exit-level: 'fatal'
- ignore: 'DKL-DI-0006'
\ No newline at end of file
+ ignore: 'DKL-DI-0006'
+
+ # Scan image for vulnerabilities
+ - name: Aqua Security Trivy image scan
+ run: |
+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
+ trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
+
From cea547fe11d5609ab7932ab644572715a84810bd Mon Sep 17 00:00:00 2001
From: Jose Matsuda
Date: Fri, 11 Aug 2023 06:14:31 -0400
Subject: [PATCH 04/10] test2
---
 .github/workflows/build.yml | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7c8aeda..023a3b4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -28,6 +28,9 @@ jobs:
 TRIVY_VERSION: "v0.43.1"
 #https://github.com/aquasecurity/trivy/issues/2432#issuecomment-1172432975
 DOCKLE_HOST: "unix:///var/run/docker.sock"
+ # https://github.com/goodwithtech/dockle#self-hosted-registry-basicauth
+ #DOCKLE_USERNAME: USERNAME
+ #DOCKLE_PASSWORD: PASSWORD
 needs: listimages
 strategy:
 fail-fast: false
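Review bot: The commented-out `#DOCKLE_USERNAME: USERNAME` and `#DOCKLE_PASSWORD: PASSWORD` placeholders in the patch-04 `env:` hunk are a template for putting registry credentials directly into a committed workflow file; the first person to uncomment them with a real value leaks a secret into git history. If basic auth to a registry is ever needed here, the lines should read `DOCKLE_USERNAME: ${{ secrets.<registry-username-secret> }}` and `DOCKLE_PASSWORD: ${{ secrets.<registry-password-secret> }}` so the values come from repository secrets, and until then the dead placeholders are better left out, keeping only the documentation link. The `env:` mapping being edited starts before the hunk.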
@@ -45,9 +48,14 @@ jobs:
 - run: |
 docker build -f ${{ matrix.image }}/Dockerfile -t localhost:5000/${{ matrix.image }}:${{ github.sha }} ${{ matrix.image }}
 docker push localhost:5000/${{ matrix.image }}:${{ github.sha }}
- docker rmi localhost:5000/${{ matrix.image }}:${{ github.sha }}
 docker image prune
+ # Scan image for vulnerabilities
+ - name: Aqua Security Trivy image scan
+ run: |
+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
+ trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
+
 # Run Dockle
 - name: Run dockle
 uses: goodwithtech/dockle-action@main
@@ -56,11 +64,4 @@ jobs:
 format: 'list'
 exit-code: '1'
 exit-level: 'fatal'
- ignore: 'DKL-DI-0006'
-
- # Scan image for vulnerabilities
- - name: Aqua Security Trivy image scan
- run: |
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
- trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
-
+ ignore: 'DKL-DI-0006'
\ No newline at end of file
From 240f13c2ea812b10a83e78f4f6cf432c34add23c Mon Sep 17 00:00:00 2001
From: Jose Matsuda
Date: Fri, 11 Aug 2023 06:20:56 -0400
Subject: [PATCH 05/10] test w/o
---
 .github/workflows/build.yml | 5 -----
 .github/workflows/publish.yml | 1 -
 2 files changed, 6 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 023a3b4..bd5902e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -26,11 +26,6 @@ jobs:
 build:
 env:
 TRIVY_VERSION: "v0.43.1"
- #https://github.com/aquasecurity/trivy/issues/2432#issuecomment-1172432975
- DOCKLE_HOST: "unix:///var/run/docker.sock"
- # https://github.com/goodwithtech/dockle#self-hosted-registry-basicauth
- #DOCKLE_USERNAME: USERNAME
- #DOCKLE_PASSWORD: PASSWORD
 needs: listimages
 strategy:
 fail-fast: false
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f43ee08..60b44ec 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -57,7 +57,6 @@ jobs:
 - run: |
 docker build -f ${{ matrix.image }}/Dockerfile -t localhost:5000/${{ matrix.image }}:${{ github.sha }} ${{ matrix.image }}
 docker push localhost:5000/${{ matrix.image }}:${{ github.sha }}
- docker rmi localhost:5000/${{ matrix.image }}:${{ github.sha }}
 docker image prune
 # Scan image for vulnerabilities
From 63aff09eeec474bdebd64364c9933502312c0d6d Mon Sep 17 00:00:00 2001
From: Jose Matsuda
Date: Fri, 11 Aug 2023 06:23:29 -0400
Subject: [PATCH 06/10] change exit to 0
---
 .github/workflows/build.yml | 2 +-
 .github/workflows/publish.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bd5902e..be1b85f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -57,6 +57,6 @@ jobs:
 with:
 image: localhost:5000/${{ matrix.image }}:${{ github.sha }}
 format: 'list'
- exit-code: '1'
+ exit-code: '0'
 exit-level: 'fatal'
 ignore: 'DKL-DI-0006'
\ No newline at end of file
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 60b44ec..af75cc8 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -71,7 +71,7 @@ jobs:
 with:
 image: localhost:5000/${{ matrix.image }}:${{ github.sha }}
 format: 'list'
- exit-code: '1'
+ exit-code: '0'
 exit-level: 'fatal'
 ignore: 'DKL-DI-0006'
From f57f72903a01b61d4bbc2077fe269edbdee84588 Mon Sep 17 00:00:00 2001
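Review bot: With `exit-code: '0'` in the patch-06 build.yml hunk the dockle step can never fail the job, so `exit-level: 'fatal'` on the next line no longer gates anything and fatal findings are merely printed in the log; the same flip is made to publish.yml in this patch's second hunk, where patch 01 shows the ACR push step following the scan, so an image with fatal findings is still published. Patches 07 and 09 restore `'1'` and patches 08 and 10 set `'0'` again, so the series ends with both workflows non-blocking and no commit message explaining why. If advisory-only is the intent for now, record it next to the value, e.g. `exit-code: '0'  # advisory only: findings are logged but do not fail the job; restore '1' once the baseline is clean`, so the disabled gate is visible to the next reader rather than looking like a leftover from testing. The `with:` mapping being edited belongs to a step whose `uses:` line is above the hunk.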
From: Jose Matsuda
Date: Fri, 11 Aug 2023 06:24:26 -0400
Subject: [PATCH 07/10] change exit codes
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index be1b85f..bd5902e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -57,6 +57,6 @@ jobs:
 with:
 image: localhost:5000/${{ matrix.image }}:${{ github.sha }}
 format: 'list'
- exit-code: '0'
+ exit-code: '1'
 exit-level: 'fatal'
 ignore: 'DKL-DI-0006'
\ No newline at end of file
From aa2e6f55ab0cc9b2ab99889096ce7339ac805589 Mon Sep 17 00:00:00 2001
From: "Jose Manuel (Ito)"
Date: Thu, 17 Aug 2023 14:48:55 -0400
Subject: [PATCH 08/10] Update build.yml
---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bd5902e..98c0711 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -57,6 +57,6 @@ jobs:
 with:
 image: localhost:5000/${{ matrix.image }}:${{ github.sha }}
 format: 'list'
- exit-code: '1'
+ exit-code: '0'
 exit-level: 'fatal'
- ignore: 'DKL-DI-0006'
\ No newline at end of file
+ ignore: 'DKL-DI-0006'
From 73bbc4d29a5fe7928d3a78151af14f1769c9ed10 Mon Sep 17 00:00:00 2001
From: "Jose Manuel (Ito)"
Date: Mon, 21 Aug 2023 12:57:35 -0400
Subject: [PATCH 09/10] Update publish.yml
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index af75cc8..60b44ec 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -71,7 +71,7 @@ jobs:
 with:
 image: localhost:5000/${{ matrix.image }}:${{ github.sha }}
 format: 'list'
- exit-code: '0'
+ exit-code: '1'
 exit-level: 'fatal'
 ignore: 'DKL-DI-0006'
From 476bed387af4f148e4c38d5539b5835957682dfe Mon Sep 17 00:00:00 2001
From: "Jose Manuel (Ito)"
Date: Mon, 21 Aug 2023 13:14:38 -0400
Subject: [PATCH 10/10] Update publish.yml
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 60b44ec..af75cc8 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -71,7 +71,7 @@ jobs:
 with:
 image: localhost:5000/${{ matrix.image }}:${{ github.sha }}
 format: 'list'
- exit-code: '1'
+ exit-code: '0'
 exit-level: 'fatal'
 ignore: 'DKL-DI-0006'