Skip to content

fix: Update repo to work with cstar cluster #2

fix: Update repo to work with cstar cluster

fix: Update repo to work with cstar cluster #2

Workflow file for this run

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow checks out code, builds an image, performs a container image
# vulnerability scan with Trivy tool, and integrates the results with GitHub Advanced Security
# code scanning feature.
name: Container Scan
on:
push:
branches: [ "develop", "uat", "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "develop", "uat", "main" ]
schedule:
- cron: '00 07 * * *'
permissions:
contents: read
env:
DOCKERFILE: Dockerfile.multistage
jobs:
BuildAndScan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
outputs:
CVE_CRITICAL: ${{env.CVE_CRITICAL}}
CVE_HIGH: ${{env.CVE_HIGH}}
CVE_MEDIUM: ${{env.CVE_MEDIUM}}
steps:
- name: Checkout the code
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- name: Build the app image
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
push: false
context: .
file: src/main/docker/${{ env.DOCKERFILE }}
platforms: linux/amd64
tags: localbuild/testimage:latest
build-args:
GH_USER=${{ secrets.GIT_USER }}
secrets: |
"gh_token=${{ secrets.GIT_PAT }}"
- name: Run the Trivy scan action itself with GitHub Advanced Security code scanning integration enabled
id: scan
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
with:
image-ref: "localbuild/testimage:latest"
format: 'sarif'
output: 'results.sarif'
- name: Upload Anchore Scan Report
uses: github/codeql-action/upload-sarif@9550da953dd3b29aedf76cd635101e48eae5eebd # CodeQL Bundle v2.17.4
with:
sarif_file: 'results.sarif'
- name: CVE Description escaped extraction and print
run: |
SCAN_RESULTS=$(jq -r 'try .runs[0].tool.driver.rules | map(.help.text) | join("\\n")' results.sarif)
echo "CVE_CRITICAL=$(echo $SCAN_RESULTS | grep -o CRITICAL | wc -l)" >> $GITHUB_ENV
echo "CVE_HIGH=$(echo $SCAN_RESULTS | grep -o HIGH | wc -l)" >> $GITHUB_ENV
echo "CVE_MEDIUM=$(echo $SCAN_RESULTS | grep -o MEDIUM | wc -l)" >> $GITHUB_ENV
echo $SCAN_RESULTS
- name: Fails if CVE HIGH or CRITICAL are detected
id: cve-threshold
if: env.CVE_HIGH > 0 || env.CVE_CRITICAL > 0
run: exit 1