-
-
Notifications
You must be signed in to change notification settings - Fork 0
168 lines (134 loc) · 6.22 KB
/
producer-ci.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
name: Producer-CI
on:
push:
branches:
- main
paths:
- '03-producer/**'
- '.github/workflows/producer-ci.yaml'
env:
REPO_APP: 'mqtt-producer'
BUILD_CONTEXT: './03-producer'
#
SLACK_CHANNEL: 'builds-and-ci'
SLACK_MSG_COLOR: '#0092ff'
COMMITER_NAME: 'AutoCommit'
VULN_SEVERITY: 'CRITICAL'
VULN_TYPE: 'os,library'
VULN_FORMAT: 'table'
VULN_TIMEOUT_SCAN: '2m0s'
VULN_SCANNERS: 'vuln,secret,misconfig,license'
VULN_IGNORED_LIC: 'MIT' # MIT,LGPL,MPL-2.0
VULN_EXIT_CODE: 1
TRIVY_DISABLE_VEX_NOTICE: true
TRIVY_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
jobs:
Producer-CI_build-docker-image:
runs-on: ubuntu-latest
permissions:
contents: write # get the default GITHUB_TOKEN write permission to commit and push the changed files back to the repository.
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
issues: write # to create new issues in workflows
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: 'jpradoar'
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Show last version of docker-hub image
id: last_version_remote_file
run: |
LastVersion=$(curl -s "https://hub.docker.com/v2/repositories/jpradoar/${{ env.REPO_APP }}/tags/?page_size=2" | jq -r '.results[].name'|sort -M|grep -v latest|tail -1)
echo "LAST_VERSION=$LastVersion " >> "$GITHUB_OUTPUT"
- name: Generate new version with semantic version
id: nversion
uses: jpradoar/ga-semanticversion@v1.0.0
with:
COMMIT_MSG: ${{ github.event.head_commit.message }}
VERSION: ${{ steps.last_version_remote_file.outputs.LAST_VERSION }}
- name: Build and push
uses: docker/build-push-action@v4
with:
context: ${{ env.BUILD_CONTEXT }}
push: true
tags: jpradoar/${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }}
- name: Install trivy last version
run: |
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
- name: search for vulnerabilities
id: trivy_scan
continue-on-error: true
run: |
rm -rf ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table
trivy image \
--scanners ${{ env.VULN_SCANNERS }} \
--severity ${{ env.VULN_SEVERITY }} \
--timeout ${{ env.VULN_TIMEOUT_SCAN }} \
--pkg-types ${{ env.VULN_TYPE }} \
--license-full \
--ignored-licenses ${{ env.VULN_IGNORED_LIC }} \
--format ${{ env.VULN_FORMAT }} \
--exit-code ${{ env.VULN_EXIT_CODE }} \
--db-repository ${{ env.TRIVY_REPOSITORY }} \
--ignore-unfixed \
-o ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table \
'jpradoar/${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }}'
- name: show vulnerability report
if: ${{ steps.trivy_scan.outcome == 'failure' }}
run: |
cat ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table
- name: validate if exist vuln
if: ${{ steps.trivy_scan.outcome == 'failure' }}
run: |
echo "### See detailed information in: " > /tmp/vuln_info.md
echo "<br>  <br>" >> /tmp/vuln_info.md
echo " * Detected in image: [${{ env.REPO_APP }}](https://hub.docker.com/repository/docker/jpradoar/${{ env.REPO_APP }}/general)" >> /tmp/vuln_info.md
echo " * Detected in commit: ${{ github.sha }}" >> /tmp/vuln_info.md
echo " * Vulnerability report: [vuln_report](https://github.com/jpradoar/event-driven-architecture/blob/main/vuln_scans/${{ env.REPO_APP }}_vuln_scan.table)" >> /tmp/vuln_info.md
- name: update data
if: ${{ steps.trivy_scan.outcome == 'failure' }}
run: |
git pull
- name: Upload vuln scan report
uses: EndBug/add-and-commit@v9
with:
message: 'AutoCommit: upload vuln scan report'
add: './vuln_scans/${{ env.REPO_APP }}_vuln_scan.table'
- name: Vulnerability detected - Create issue
if: ${{ steps.trivy_scan.outcome == 'failure' }}
run: |
body="New vulnerability detected on vuln_scans/${{ env.REPO_APP }}_vuln_scan.table"
gh issue create \
--repo ${{ github.repository }} \
--title ":skull: [vuln] vulnerability detected on image ${{ env.REPO_APP }} " \
--body-file '/tmp/vuln_info.md' \
--assignee "jpradoar" \
--label bug --label vulnerability
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Slack docker build Notification
uses: rtCamp/action-slack-notify@v2
env:
SLACK_CHANNEL: ${{ env.SLACK_CHANNEL }}
SLACK_COLOR: ${{ env.SLACK_MSG_COLOR }}
SLACK_MESSAGE: 'URL: https://hub.docker.com/repository/docker/jpradoar/${{ env.REPO_APP }}'
SLACK_TITLE: ':rocket: GithubAction Build docker image: [ ${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }} ]'
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
- name: Slack Vulnerability Notification
if: ${{ steps.trivy_scan.outcome == 'failure' }}
uses: rtCamp/action-slack-notify@v2
env:
SLACK_CHANNEL: ${{ env.SLACK_CHANNEL }}
SLACK_COLOR: ${{ env.SLACK_MSG_COLOR }}
SLACK_MESSAGE: 'URL: https://hub.docker.com/repository/docker/jpradoar/${{ env.REPO_APP }}'
SLACK_TITLE: ':skull: Vulnerability detected in: [ ${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }} ]'
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}