-
Notifications
You must be signed in to change notification settings - Fork 0
189 lines (163 loc) · 6.4 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
name: Build and push image📦
on:
workflow_dispatch:
# schedule:
# - cron: "00 12 1 * *"
# push:
# branches: ["main"]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
APP_VERSION: 1.27.4
jobs:
build:
if: github.actor == 'ammnt'
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
id-token: write
security-events: write
attestations: write
steps:
- name: Checkout repository🧱
uses: actions/checkout@v4.2.0
- name: Install cosign🔒
uses: sigstore/cosign-installer@v3.6.0
- name: Setup Docker buildx🛠️
uses: docker/setup-buildx-action@v3.6.1
- name: Log into GHCR🔑
uses: docker/login-action@v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Log into Docker Hub🔑
uses: docker/login-action@v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Extract Docker metadata🔬
id: meta
uses: docker/metadata-action@v5.5.1
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build the Docker image⛓️
id: build
uses: docker/build-push-action@v6.9.0
with:
provenance: false
context: .
platforms: linux/amd64
load: ${{ github.event_name != 'pull_request' }}
tags: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Analyze image with Docker Scout💊
uses: docker/scout-action@v1.14.0
with:
command: cves,sbom
image: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }}
sarif-file: sarif.output.json
summary: false
- name: Upload Docker Scout report📊
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif.output.json
- name: Analyze image with Trivy💊
uses: aquasecurity/trivy-action@0.24.0
with:
image-ref: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }}
scan-type: image
format: "github"
output: "dependency-results.sbom.json"
severity: "MEDIUM,HIGH,CRITICAL"
scanners: "vuln"
github-pat: ${{ secrets.GH_TOKEN }}
- name: Upload Trivy report📊
uses: actions/upload-artifact@v4.4.0
with:
name: trivy-sbom-report
path: "${{ github.workspace }}/dependency-results.sbom.json"
retention-days: 20
- name: Analyze image with Grype💊
id: anchore
uses: anchore/scan-action@v4.1.2
with:
image: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }}
fail-build: false
severity-cutoff: critical
- name: Upload Grype report📊
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.anchore.outputs.sarif }}
- name: Analyze image with Syft💊
uses: anchore/sbom-action@v0.17.2
with:
syft-version: v1.13.0
image: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }}
artifact-name: image.spdx.json
dependency-snapshot: false
- name: Analyze image with Snyk💊
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }}
args: --file=Dockerfile
- name: Upload Snyk report📊
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
- name: Analyze image with Clair💊
run: |
docker run -d --name db arminc/clair-db
sleep 15
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan
sleep 1
DOCKER_GATEWAY=$(docker network inspect bridge --format "{{range .IPAM.Config}}{{.Gateway}}{{end}}")
wget -qO clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 && chmod +x clair-scanner
./clair-scanner --ip="$DOCKER_GATEWAY" ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} || exit 0
- name: Slim the Docker image🚀
uses: kitabisa/docker-slim-action@v1.1.2
env:
DSLIM_HTTP_PROBE: false
with:
target: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }}
tag: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }}
overwrite: true
- name: Explore the Docker image with Dive🔍
timeout-minutes: 2
env:
CI: true
run: |
wget -q https://github.com/wagoodman/dive/releases/download/v0.12.0/dive_0.12.0_linux_amd64.tar.gz
tar xvzf dive_0.12.0_linux_amd64.tar.gz -C /usr/local/bin
dive --ci-config "${{ github.workspace }}/.dive-ci/" ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }}
- name: Test the Docker image🧪
run: |
docker run -d --rm -p 127.0.0.1:8080:8080/tcp ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }}
curl -v http://127.0.0.1:8080 || exit 1
- name: Push the Docker images to registries💾
run: |
docker tag ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} ghcr.io/ammnt/freenginx:latest
docker tag ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} ammnt/freenginx:${{ env.APP_VERSION }}
docker tag ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }} ammnt/freenginx:latest
docker push ghcr.io/ammnt/freenginx --all-tags
docker push ammnt/freenginx --all-tags
DIGEST=$(docker images --no-trunc --quiet ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }})
echo "DIGEST=$DIGEST" >> $GITHUB_ENV
- name: Attestation the Docker image📍
uses: actions/attest-build-provenance@v1.4.3
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ env.DIGEST }}
push-to-registry: false
- name: Sign the published Docker image🔐
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
cosign sign docker.io/${{ env.IMAGE_NAME }}@${{ env.DIGEST }}