Added automated security scanning

serversideup · Dec 11, 2024 · 6207a21 · 6207a21
1 parent 177a853
commit 6207a21
Show file tree

Hide file tree

Showing 3 changed files with 111 additions and 10 deletions.
diff --git a/.github/workflows/action_publish-images-security-updates.yml b/.github/workflows/action_publish-images-security-updates.yml
@@ -0,0 +1,76 @@
+name: Docker Publish (Security Updates)
+
+on:
+  workflow_dispatch:
+    inputs:
+      force_build:
+        description: 'Force build even if no vulnerabilities found'
+        type: boolean
+        default: false
+      skip_scan:
+        description: 'Skip vulnerability scanning (for testing)'
+        type: boolean
+        default: false
+  schedule:
+    - cron: '0 0 * * *'  # Daily at midnight UTC
+
+jobs:
+  scan-vulnerabilities:
+    runs-on: ubuntu-24.04
+    outputs:
+      has_vulnerabilities: ${{ steps.scan.outputs.has_vulnerabilities || inputs.force_build }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: scan
+        if: inputs.skip_scan != true
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          scan-type: 'fs'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+          scanners: 'vuln'
+          hide-progress: true
+
+      # Set default output if scanning is skipped
+      - if: inputs.skip_scan
+        run: echo "has_vulnerabilities=true" >> $GITHUB_OUTPUT
+
+  get-latest-release:
+    runs-on: ubuntu-24.04
+    outputs:
+      release_version: ${{ steps.get-version.outputs.release_version }}
+    steps:
+      - name: Get Latest Release
+        id: get-version
+        run: |
+          LATEST_RELEASE=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r .tag_name)
+          echo "release_version=${LATEST_RELEASE}" >> "$GITHUB_OUTPUT"
+
+  build-security-updates:
+    needs: [scan-vulnerabilities, get-latest-release]
+    if: needs.scan-vulnerabilities.outputs.has_vulnerabilities == 'true'
+    uses: ./.github/workflows/service_docker-build-and-publish.yml
+    secrets: inherit
+    with:
+      release_type: 'security'
+      ref_type: 'tag'
+      version: "${{ needs.get-latest-release.outputs.release_version }}"
+
+  notify:
+    needs: [build-security-updates]
+    runs-on: ubuntu-24.04
+    if: always()
+    steps:
+      - name: Notify on success
+        if: needs.build-security-updates.result == 'success'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.name,
+              title: '🔒 Security updates applied',
+              body: 'Security updates were automatically applied to the latest images.'
+            })
diff --git a/.github/workflows/service_docker-build-and-publish.yml b/.github/workflows/service_docker-build-and-publish.yml
@@ -8,7 +8,21 @@ on:
         required: true
         description: 'Release type (latest, beta, edge, dev, etc)'
         default: 'edge'
-
+      version:
+        type: string
+        required: false
+        description: 'Version to build (e.g. 1.0.0)'
+        default: "${{ github.ref_name }}"
+      ref_type:
+        type: string
+        required: false
+        description: 'Trigger type (tag or branch)'
+        default: "${{ github.ref_type }}"
+      ref:
+        type: string
+        required: false
+        description: 'Ref to build (e.g. v1.0.0)'
+        default: ''
 jobs:
 
   build-and-push:
@@ -39,9 +53,9 @@ jobs:
       - name: Set REPOSITORY_BUILD_VERSION
         id: set_version
         run: |
-          if [ "${{ github.ref_type }}" == "tag" ]; then
+          if [ "${{ inputs.ref_type }}" == "tag" ]; then
             echo "🚀 Setting REPOSITORY_BUILD_VERSION to Tag"
-            echo "REPOSITORY_BUILD_VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
+            echo "REPOSITORY_BUILD_VERSION=${{ inputs.version }}-${{ github.run_id }}" >> $GITHUB_ENV
           else
             echo "👨‍🔬 Setting REPOSITORY_BUILD_VERSION to GIT Short SHA and GitHub Run ID"
             SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-7)
@@ -50,10 +64,10 @@ jobs:
 
       - name: "📦 Assemble the Docker Tags"
         run: |
-          if [ "${{ github.ref_type }}" == "tag" ]; then
+          if [ "${{ inputs.ref_type }}" == "tag" ]; then
             bash build.sh \
               --release-type ${{ inputs.release_type }} \
-              --version ${{ github.ref_name }} \
+              --version ${{ inputs.version }} \
               --print-tags-only
           else
             bash build.sh \

diff --git a/build.sh b/build.sh
@@ -81,11 +81,22 @@ generate_tags() {
         local minor=$(echo "$VERSION" | cut -d. -f2)
         local patch=$(echo "$VERSION" | cut -d. -f3)
 
-        # Add all version tags
-        add_tag "v${major}.${minor}.${patch}"  # v3.0.1
-        add_tag "v${major}.${minor}"           # v3.0
-        add_tag "v${major}"                    # v3
-
+        # Validate version components
+        if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$patch" ]; then
+            echo "Error: Invalid version format. Expected format: v1.2.3" >&2
+            return 1
+        fi
+
+        if [ "$RELEASE_TYPE" = "security" ]; then
+            # Only update major and minor version tags for security updates
+            add_tag "v${major}"                    # v3
+            add_tag "v${major}.${minor}"           # v3.0
+        else
+            # Add all version tags for regular releases
+            add_tag "v${major}.${minor}.${patch}"  # v3.0.1
+            add_tag "v${major}.${minor}"           # v3.0
+            add_tag "v${major}"                    # v3
+        fi
     fi
 
     # Add release type tag