.github/workflows/on-main-merge.yaml

name: On Main Merge
run-name: On Main Merge
on:
  push:
    branches:
      - main

env:
  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  ECR_REGISTRY: 117000019572.dkr.ecr.us-east-1.amazonaws.com
  ECR_REPOSITORY: hello
  IMAGE_TAG: latest

jobs:
  generate-oss-sarif:
    permissions: write-all
    name: Generates Open Source vulnerabilities findings
    runs-on: ubuntu-22.04
    steps:
      - 
        uses: actions/checkout@v3
      - 
        name: Run Snyk to check for Open Source vulnerabilities
        uses: snyk/actions/node@master
        continue-on-error: true # To make sure that SARIF upload gets called
        with:
          args: ./src --sarif-file-output=oss-snyk.sarif
      - 
        name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: oss-snyk.sarif
          category: oss
  
  generate-code-sarif:
    needs: generate-oss-sarif
    permissions: write-all
    name: Generates SAST vulnerabilities findings
    runs-on: ubuntu-22.04
    steps:
      - 
        uses: actions/checkout@v3
      -
        uses: snyk/actions/setup@master
      - 
        name: Run Snyk to check for Static Application Security Testing Findings
        run: snyk code test ./src --sarif-file-output=code-snyk.sarif
        continue-on-error: true # To make sure that SARIF upload gets called
      - 
        name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: code-snyk.sarif
          category: code
      
  generate-container-sarif:
    needs: generate-code-sarif
    permissions: write-all
    name: Generates Container vulnerabilities findings
    runs-on: ubuntu-latest
    steps:
    - 
      uses: actions/checkout@v3
    - 
      name: Build the container image
      run: docker build -t raphabot/hello:test src/
    - 
      name: Run Snyk to check container image for vulnerabilities
      continue-on-error: true # To make sure that SARIF upload gets called
      uses: snyk/actions/docker@master
      with:
        image: raphabot/hello:test
        args: --file=src/Dockerfile
    - 
      name: Upload result to GitHub Code Scanning
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: snyk.sarif
        category: container
 
  generate-k8s-sarif:
    needs: generate-container-sarif
    permissions: write-all
    name: Generates Kubernetes misconfigurations findings
    runs-on: ubuntu-latest
    steps:
      - 
        uses: actions/checkout@v3
      - 
        name: Run Snyk to check Kubernetes Artificat misconfigurations
        continue-on-error: true # To make sure that SARIF upload gets called
        uses: snyk/actions/iac@master 
        with:
          args: ./kube --sarif-file-output=k8s-snyk.sarif
      - 
        name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: k8s-snyk.sarif
          category: k8s-artificat
  
  generate-terraform-sarif:
    needs: generate-k8s-sarif
    permissions: write-all
    name: Generates Terraform misconfiguration findings
    runs-on: ubuntu-latest
    steps:
      - 
        uses: actions/checkout@v3
      - 
        name: Run Snyk to check AWS misconfigurations in Terraform IaC
        continue-on-error: true # To make sure that SARIF upload gets called
        uses: snyk/actions/iac@master 
        with:
          args: cloud-infra/main.tf --sarif-file-output=cloud-infra-snyk.sarif
      - 
        name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: cloud-infra-snyk.sarif
          category: cloud-infra

  generate-sbom:
    needs: generate-terraform-sarif
    name: Generates Container SBOM
    runs-on: ubuntu-22.04
    steps:
      - 
        uses: actions/checkout@v3
      -
        uses: snyk/actions/setup@master
      # - 
      #   name: Run Snyk to generate SBOM
      #   run: snyk sbom --format=cyclonedx1.4+json --json-file-output SBOM.json
      -
        name: Run Snyk to generate SBOM
        run: echo "Not available in Free Tier."

  container-build:
    needs: generate-sbom
    name: Container Image Build and Push
    runs-on: ubuntu-22.04
    steps:
      - 
        uses: actions/checkout@v3
      - 
        name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - 
        name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - 
        name: Build, tag, and push image to Amazon ECR
        run: |
          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG src/
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG

  deploy:
    needs: container-build
    name: Redeploys the Pod using the latest image
    runs-on: ubuntu-22.04
    steps:
      -
        name: Deployment
        run: echo "To do."