Test, lint and build PHP base Image on Shared Core ECR #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test, lint and build PHP base Image on Shared Core ECR | |
| run-name: Test, lint and build PHP base Image on Shared Core ECR | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| php-base-image-build: | |
| runs-on: ubuntu-latest | |
| env: | |
| AWS_REGION : ${{ vars.DVSA_AWS_REGION }} #Change to reflect your Region | |
| AWS_ACCOUNT_ID: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }} | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Lint check on dockerfile | |
| run: | | |
| jq -c '.[]' build.json | while read -r results; do | |
| build=$(echo "$results" | jq -r '.build') | |
| repoName=$(echo "$results" | jq -r '.repoName') | |
| dockerFile=$(echo "$results" | jq -r '.dockerFile') | |
| if [ "$build" == "true" ]; then | |
| #docker run --rm --privileged -v `pwd`:/root/ projectatomic/dockerfile-lint dockerfile_lint -f build/$repoName/$dockerFile | |
| docker run --rm -i hadolint/hadolint hadolint -t error - < build/$repoName/$dockerFile | |
| else | |
| echo "Not linting - $repoName, build parameter equal to false" | |
| fi | |
| done | |
| #falfast - credential configuration only to detect failure on PR | |
| - name: Configure AWS credentials from Test account | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.DEV_AWS_ROLE }} | |
| aws-region: ${{ vars.DVSA_AWS_REGION }} | |
| role-session-name: GitHub_to_AWS_via_FederatedOIDC | |
| #failfast - credential configuration only to detect failure on PR | |
| - name: Login to Shared Core ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| with: | |
| mask-password: 'true' | |
| #Action can not be used, no good way to loop through action on Github yet | |
| - name: Install snyk cli | |
| run: | | |
| npm install -g snyk | |
| - name: Build the Docker image | |
| run: | | |
| SHA=$(git rev-parse --short HEAD) | |
| # Iterate over JSON objects in build.json | |
| jq -c '.[]' build.json | while read -r results; do | |
| repoName=$(echo "$results" | jq -r '.repoName') | |
| dockerFile=$(echo "$results" | jq -r '.dockerFile') | |
| tag=$(echo "$results" | jq -r '.tag') | |
| build=$(echo "$results" | jq -r '.build') | |
| if [ "$build" == "true" ]; then | |
| echo "Building $repoName ..." | |
| buildTag="$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$repoName:$tag-$SHA" | |
| docker build -t "$buildTag" --file "./build/$repoName/$dockerFile" build/. | |
| else | |
| echo "Not building - $repoName, build parameter equal to false" | |
| fi | |
| done | |
| - name: snyk scan api image | |
| run: | | |
| SHA=$(git rev-parse --short HEAD) | |
| # Iterate over JSON objects in build.json | |
| jq -c '.[]' build.json | while read -r results; do | |
| repoName=$(echo "$results" | jq -r '.repoName') | |
| tag=$(echo "$results" | jq -r '.tag') | |
| build=$(echo "$results" | jq -r '.build') | |
| if [ "$build" == "true" ]; then | |
| snyk container test $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$repoName:$tag-$SHA --severity-threshold=critical | |
| else | |
| echo "Not scanning - $repoName, build parameter equal to false" | |
| fi | |
| done | |
| continue-on-error: true # critical vulnerability found fix and remove this tag | |