Skip to content

Add IAC job #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kerobero merged 29 commits into from
Sep 25, 2025
Merged

Add IAC job #4

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
29 commits
Select commit Hold shift + click to select a range
21ce7d1
Add iac job
kerobero Sep 24, 2025
c42684b
Add build job
kerobero Sep 24, 2025
e84689c
Add package-lock.json
kerobero Sep 24, 2025
1b18b6c
Debug variables
kerobero Sep 24, 2025
77c068f
Set image in build job
kerobero Sep 24, 2025
71dd2c3
Add another docker job
kerobero Sep 24, 2025
888def9
Test login docker
kerobero Sep 24, 2025
3b1ec2f
Login to ghcr
kerobero Sep 24, 2025
0c12026
Login to ghcr
kerobero Sep 24, 2025
41a08c5
Minor fix
kerobero Sep 24, 2025
bda3fcc
Minor fix
kerobero Sep 24, 2025
947e46b
Minor fix
kerobero Sep 24, 2025
8cd2732
Minor fix
kerobero Sep 24, 2025
ec98229
Minor fix
kerobero Sep 24, 2025
4f1f74f
Minor fix
kerobero Sep 24, 2025
1a1b080
Minor fix
kerobero Sep 24, 2025
2d79884
Minor fix
kerobero Sep 24, 2025
9a2bf58
Test publish
kerobero Sep 25, 2025
ff03ca1
Test publish
kerobero Sep 25, 2025
854a951
Test publish
kerobero Sep 25, 2025
6b376aa
Test publish
kerobero Sep 25, 2025
480132f
Test publish
kerobero Sep 25, 2025
9ff7624
Test publish
kerobero Sep 25, 2025
0240dbc
Test publish
kerobero Sep 25, 2025
a5dc515
Test publish
kerobero Sep 25, 2025
4ee9c09
Test publish
kerobero Sep 25, 2025
655ec0b
Test publish
kerobero Sep 25, 2025
80ab0b1
Test publish
kerobero Sep 25, 2025
ccec587
Minor fixes
kerobero Sep 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 40 additions & 4 deletions .github/workflows/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ env:
# Parámetros de despliegue local
IMAGE_NAME: demo-app
IMAGE_TAG: local
KIND_CLUSTER: kind-devsecops
KIND_CLUSTER: kind
SERVICE_RELEASE_NAME: demo

jobs:
Expand All @@ -32,7 +32,7 @@ jobs:
# ──────────────────────────────────────────────────────────────────────────────
secrets:
name: Secrets scanning (Gitleaks)
runs-on: self-hosted
runs-on: ubuntu-latest
steps:
- name: Clean gitleaks
run: rm -f /tmp/gitleaks.tmp
Expand All @@ -47,11 +47,11 @@ jobs:

sast:
name: SAST (Semgrep)
runs-on: self-hosted
runs-on: ubuntu-latest
needs: [secrets]
steps:
- uses: actions/checkout@v4
- name: Semgrep (no bloqueante)
- name: self-hosted (no bloqueante)
run: |
docker run --rm -v "$PWD:/src" returntocorp/semgrep:latest \
semgrep scan --config p/ci --config .semgrep
Expand All @@ -61,3 +61,39 @@ jobs:
semgrep scan --config p/ci --config .semgrep --sarif -o semgrep.sarif || true
- uses: github/codeql-action/upload-sarif@v3
with: { sarif_file: semgrep.sarif }

# ──────────────────────────────────────────────────────────────────────────────
# IaC + Build + SBOM
# ──────────────────────────────────────────────────────────────────────────────
# iac:
# name: IaC scan (Checkov)
# runs-on: ubuntu-latest
# needs: [sast]
# steps:
# - uses: actions/checkout@v4
# - name: Checkov (K8s/Terraform)
# uses: bridgecrewio/checkov-action@master
# with:
# directory: .
# quiet: true
# soft_fail: false # pon true si no quieres bloquear (no recomendado)


build:
name: Build + SBOM
runs-on: ubuntu-latest
needs: [sast]
steps:
- uses: actions/checkout@v4
- name: Build imagen de la app objetivo
run: |
cd "${APP_DIR}"
docker build -t ${IMAGE_NAME}:${IMAGE_TAG} .
echo ${IMAGE_NAME}
echo ${IMAGE_TAG}
- name: SBOM (Syft)
uses: anchore/sbom-action@v0
with:
image: demo-app:local
artifact-name: sbom.spdx.json # queda como artefacto del job

Loading