demo : clean up CVEs #57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and push lecture5 image | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - features/lecture5-2 | |
| pull_request: | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: austriandatalab/cleaner | |
| jobs: | |
| build-and-push-image: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| packages: write | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Login to the Container registry | |
| uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=tag | |
| type=ref,event=pr | |
| type=match,pattern=\d.\d.\d.* | |
| type=sha | |
| - name: Build an image from Dockerfile | |
| run: | | |
| make generate_certs | |
| docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} -f Dockerfile5 . | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}' | |
| format: 'sarif' | |
| #format: 'table' | |
| #output: 'stdout' | |
| output: 'trivy-results.sarif' | |
| exit-code: '1' | |
| #ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| - name: Scan the image and upload dependency results | |
| uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a | |
| with: | |
| image: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}' | |
| artifact-name: image.spdx.json | |
| dependency-snapshot: true | |
| - name: Push the image if scan passes | |
| run: | | |
| docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} | |
| # env: | |
| # # This is where you will need to introduce the Snyk API token created with your Snyk account | |
| # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| # - name: Snyk Container monitor | |
| # run: snyk container monitor '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}' --file=Dockerfile2 | |
| # # Push the Snyk Code results into GitHub Code Scanning tab | |
| # - name: Upload result to GitHub Code Scanning | |
| # uses: github/codeql-action/upload-sarif@v2 | |
| # with: | |
| # sarif_file: snyk-code.sarif | |
| # - name: Build and push Docker image | |
| # uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc | |
| # with: | |
| # context: . | |
| # push: true | |
| # tags: ${{ steps.meta.outputs.tags }} | |
| # labels: ${{ steps.meta.outputs.labels }} |