On Main Merge #18

Workflow file for this run

.github/workflows/on-main-merge.yaml at 82169aa

	name: On Main Merge
	run-name: On Main Merge
	on:
	push:
	branches:
	- main

	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	ECR_REGISTRY: 117000019572.dkr.ecr.us-east-1.amazonaws.com
	ECR_REPOSITORY: hello
	IMAGE_TAG: latest

	jobs:
	generate-oss-sarif:
	permissions: write-all
	name: Generates Open Source vulnerabilities findings
	runs-on: ubuntu-22.04
	steps:
	-
	uses: actions/checkout@v3
	-
	name: Run Snyk to check for Open Source vulnerabilities
	uses: snyk/actions/node@master
	continue-on-error: true # To make sure that SARIF upload gets called
	with:
	args: ./src --sarif-file-output=oss-snyk.sarif
	-
	name: Upload result to GitHub Code Scanning
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: oss-snyk.sarif
	category: oss

	generate-code-sarif:
	needs: generate-oss-sarif
	permissions: write-all
	name: Generates SAST vulnerabilities findings
	runs-on: ubuntu-22.04
	steps:
	-
	uses: actions/checkout@v3
	-
	uses: snyk/actions/setup@master
	-
	name: Run Snyk to check for Static Application Security Testing Findings
	run: snyk code test ./src --sarif-file-output=code-snyk.sarif
	continue-on-error: true # To make sure that SARIF upload gets called
	-
	name: Upload result to GitHub Code Scanning
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: code-snyk.sarif
	category: code

	generate-container-sarif:
	needs: generate-code-sarif
	permissions: write-all
	name: Generates Container vulnerabilities findings
	runs-on: ubuntu-latest
	steps:
	-
	uses: actions/checkout@v3
	-
	name: Build the container image
	run: docker build -t raphabot/hello:test src/
	-
	name: Run Snyk to check container image for vulnerabilities
	continue-on-error: true # To make sure that SARIF upload gets called
	uses: snyk/actions/docker@master
	with:
	image: raphabot/hello:test
	args: --file=src/Dockerfile
	-
	name: Upload result to GitHub Code Scanning
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: snyk.sarif
	category: container

	generate-k8s-sarif:
	needs: generate-container-sarif
	permissions: write-all
	name: Generates Kubernetes misconfigurations findings
	runs-on: ubuntu-latest
	steps:
	-
	uses: actions/checkout@v3
	-
	name: Run Snyk to check Kubernetes Artificat misconfigurations
	continue-on-error: true # To make sure that SARIF upload gets called
	uses: snyk/actions/iac@master
	with:
	args: ./kube --sarif-file-output=k8s-snyk.sarif
	-
	name: Upload result to GitHub Code Scanning
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: k8s-snyk.sarif
	category: k8s-artificat

	generate-terraform-sarif:
	needs: generate-k8s-sarif
	permissions: write-all
	name: Generates Terraform misconfiguration findings
	runs-on: ubuntu-latest
	steps:
	-
	uses: actions/checkout@v3
	-
	name: Run Snyk to check AWS misconfigurations in Terraform IaC
	continue-on-error: true # To make sure that SARIF upload gets called
	uses: snyk/actions/iac@master
	with:
	args: cloud-infra/main.tf --sarif-file-output=cloud-infra-snyk.sarif
	-
	name: Upload result to GitHub Code Scanning
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: cloud-infra-snyk.sarif
	category: cloud-infra

	generate-sbom:
	needs: generate-terraform-sarif
	name: Generates Container SBOM
	runs-on: ubuntu-22.04
	steps:
	-
	uses: actions/checkout@v3
	-
	uses: snyk/actions/setup@master
	# -
	# name: Run Snyk to generate SBOM
	# run: snyk sbom --format=cyclonedx1.4+json --json-file-output SBOM.json
	-
	name: Run Snyk to generate SBOM
	run: echo "Not available in Free Tier."

	container-build:
	needs: generate-sbom
	name: Container Image Build and Push
	runs-on: ubuntu-22.04
	steps:
	-
	uses: actions/checkout@v3
	-
	name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v2
	with:
	aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	aws-region: us-east-1
	-
	name: Login to Amazon ECR
	id: login-ecr
	uses: aws-actions/amazon-ecr-login@v1
	-
	name: Build, tag, and push image to Amazon ECR
	run: \|
	docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG src/
	docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG

	deploy:
	needs: container-build
	name: Redeploys the Pod using the latest image
	runs-on: ubuntu-22.04
	steps:
	-
	name: Deployment
	run: echo "To do."

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

On Main Merge #18

Workflow file

On Main Merge #18

Jobs

Run details

Workflow file for this run