generated from testifysec/demo-repo
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit f8e77cc
Showing
12 changed files
with
274 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
permissions: | ||
id-token: write # This is required for requesting the JWT | ||
contents: read # This is required for actions/checkout | ||
|
||
name: pipeline | ||
|
||
on: | ||
push: | ||
branches: | ||
- 'main' | ||
|
||
jobs: | ||
build-image: | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
packages: write | ||
id-token: write # This is required for requesting the JWT | ||
contents: read # This is required for actions/checkout | ||
|
||
steps: | ||
- name: Docker meta | ||
id: meta | ||
uses: docker/metadata-action@v5 | ||
with: | ||
images: ghcr.io/${{ github.repository }}/swf | ||
|
||
- name: Docker Login | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Setup Buildx | ||
uses: docker/setup-buildx-action@v3 | ||
|
||
- name: Checkout Code | ||
uses: actions/checkout@v4.1.1 | ||
|
||
- name: Build Image | ||
shell: bash | ||
run: | | ||
docker buildx build -t ${{ steps.meta.outputs.tags }} --push . | ||
- name: Generate SBOM | ||
shell: bash | ||
run: | | ||
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin | ||
syft ${{ steps.meta.outputs.tags }} --source-name=pkg:oci/${{ github.repository }} -o cyclonedx-json --file sbom.cdx.json | ||
- name: Upload SBOM | ||
uses: actions/upload-artifact@v4.3.3 | ||
with: | ||
name: sbom | ||
path: sbom.cdx.json |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
permissions: | ||
id-token: write # This is required for requesting the JWT | ||
contents: read # This is required for actions/checkout | ||
|
||
name: vex | ||
|
||
on: | ||
workflow_dispatch | ||
|
||
jobs: | ||
generate-vex: | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- name: Setup Go | ||
uses: actions/setup-go@v5.0.0 | ||
with: | ||
go-version: 1.22.x | ||
- run: go install github.com/openvex/vexctl@latest | ||
|
||
- name: Checkout Code | ||
uses: actions/checkout@v4.1.1 | ||
|
||
- name: Generate VEX | ||
uses: testifysec/witness-run-action@reusable-workflow # v0.2.0 | ||
with: | ||
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" | ||
step: gen-vex | ||
attestations: "environment git github vex" | ||
command: | | ||
/bin/sh -c 'vexctl create --product="pkg:oci/${{ github.repository }}@main" --vuln="CVE-2023-45285" --status="not_affected" --justification="inline_mitigations_already_exist" --file="./openvex.json"' | ||
- name: Upload VEX | ||
uses: actions/upload-artifact@v4.3.3 | ||
with: | ||
name: vex | ||
path: openvex.json |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
FROM cgr.dev/chainguard/go@sha256:605d81422aba573c17bfd6029a217e94a9575179a98355a99acbb6e028ca883b AS builder | ||
|
||
ARG TARGETPLATFORM | ||
ARG TARGETOS | ||
ARG TARGETARCH | ||
ARG TARGETVARIANT="" | ||
ARG LDFLAGS | ||
|
||
ENV GO111MODULE=on \ | ||
CGO_ENABLED=0 \ | ||
GOOS=${TARGETOS} \ | ||
GOARCH=${TARGETARCH} \ | ||
GOARM=${TARGETVARIANT} | ||
|
||
WORKDIR /build | ||
|
||
COPY . . | ||
|
||
RUN go build -o bin/software | ||
|
||
FROM golang:alpine3.18 | ||
|
||
COPY --from=builder /build/bin/software /software | ||
|
||
ENTRYPOINT ["/software"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
# demo-repo | ||
|
||
## Welcome to a JUDGE On-boarding Demo | ||
|
||
This is a template repository that is best used to create your own repo to customize. | ||
|
||
## "Typical" workflow experience (WIP) | ||
|
||
1. Take a look at the pipeline.yaml to see what the current build process looks like. It's a simple Docker build of a container image with a subsequent SBOM generation step. | ||
2. Next look at PR1 | ||
3. Next look at PR2 | ||
4. Finally kick off the manual VEX workflow. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
module github.com/demo-john/demo-repo/swf | ||
|
||
go 1.21.1 | ||
|
||
require github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= | ||
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
package main | ||
|
||
import ( | ||
"github.com/common-nighthawk/go-figure" | ||
) | ||
|
||
func Hello() string { | ||
return "Hello Demo!" | ||
} | ||
|
||
func main() { | ||
myFigure := figure.NewFigure(Hello(), "starwars", true) | ||
myFigure.Print() | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
package main | ||
|
||
import ( | ||
"testing" | ||
) | ||
|
||
func TestHello(t *testing.T) { | ||
got := Hello() | ||
want := "Hello KubeCon!" | ||
|
||
if got != want { | ||
t.Errorf("got %q want %q", got, want) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
permissions: | ||
id-token: write # This is required for requesting the JWT | ||
contents: read # This is required for actions/checkout | ||
|
||
name: pipeline | ||
|
||
on: | ||
push: | ||
branches: | ||
- 'main' | ||
|
||
jobs: | ||
build-image: | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
packages: write | ||
id-token: write # This is required for requesting the JWT | ||
contents: read # This is required for actions/checkout | ||
|
||
steps: | ||
- name: Docker meta | ||
id: meta | ||
uses: docker/metadata-action@v5 | ||
with: | ||
images: ghcr.io/${{ github.repository }}/swf | ||
|
||
- name: Docker Login | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Setup Buildx | ||
uses: docker/setup-buildx-action@v3 | ||
|
||
- name: Checkout Code | ||
uses: actions/checkout@v4.1.1 | ||
|
||
- name: Build Image | ||
uses: testifysec/witness-run-action@reusable-workflow # v0.2.0 | ||
with: | ||
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" | ||
step: build-image | ||
attestations: "environment git github slsa" | ||
command: /bin/sh -c "docker buildx build -t ${{ steps.meta.outputs.tags }} --push ." | ||
|
||
- name: Generate SBOM | ||
uses: testifysec/witness-run-action@reusable-workflow # v0.2.0 | ||
with: | ||
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" | ||
step: gen-sbom | ||
attestations: "environment git github sbom" | ||
command: | | ||
/bin/sh -c "curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.7.0 && \ | ||
syft ${{ steps.meta.outputs.tags }} --source-name=pkg:oci/${{ github.repository }} -o cyclonedx-json --file sbom.cdx.json" | ||
- name: Upload SBOM | ||
uses: actions/upload-artifact@v4.3.3 | ||
with: | ||
name: sbom | ||
path: sbom.cdx.json |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
FROM cgr.dev/chainguard/go@sha256:605d81422aba573c17bfd6029a217e94a9575179a98355a99acbb6e028ca883b AS builder | ||
|
||
ARG TARGETPLATFORM | ||
ARG TARGETOS | ||
ARG TARGETARCH | ||
ARG TARGETVARIANT="" | ||
ARG LDFLAGS | ||
|
||
ENV GO111MODULE=on \ | ||
CGO_ENABLED=0 \ | ||
GOOS=${TARGETOS} \ | ||
GOARCH=${TARGETARCH} \ | ||
GOARM=${TARGETVARIANT} | ||
|
||
WORKDIR /build | ||
|
||
COPY . . | ||
|
||
RUN go build -o bin/software | ||
|
||
FROM cgr.dev/chainguard/static@sha256:676e989769aa9a5254fbfe14abb698804674b91c4d574bb33368d87930c5c472 | ||
|
||
COPY --from=builder /build/bin/software /software | ||
|
||
ENTRYPOINT ["/software"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
#!/bin/sh | ||
|
||
# Create the first PR | ||
git checkout -b enable-witness main | ||
cp ./pr-1/pipeline.yml ./.github/workflows/pipeline.yml | ||
git add ./.github/workflows/pipeline.yml | ||
git commit -m "Enable witness" | ||
git push origin enable-witness | ||
gh pr create --base main --head enable-witness --fill | ||
|
||
# Create the second PR | ||
git checkout -b reduce-cves main | ||
cp ./pr-2/Dockerfile ./Dockerfile | ||
git add ./Dockerfile | ||
git commit -m "Reduce CVEs" | ||
git push origin reduce-cves | ||
gh pr create --base main --head reduce-cves --fill | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
#!/bin/bash | ||
|
||
gh repo delete --confirm |