diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker-build.yaml similarity index 60% rename from .github/workflows/docker.yaml rename to .github/workflows/docker-build.yaml index eeb280e..c9c14e8 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker-build.yaml @@ -1,15 +1,13 @@ -name: docker +name: docker-build on: push: tags: - 'v*' - schedule: - - cron: "0 0 * * *" env: REGISTRY: docker.io - IMAGE_NAME: ${{ github.repository }} + IMAGE_NAME: 42crunch/scand-manager jobs: docker: @@ -18,9 +16,6 @@ jobs: - name: Checkout uses: actions/checkout@v3 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 @@ -37,9 +32,6 @@ jobs: uses: docker/metadata-action@v4 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: | - # set latest tag for default branch - type=raw,value=latest,enable={{is_default_branch}} - name: Build and export to Docker uses: docker/build-push-action@v4 @@ -47,21 +39,23 @@ jobs: context: . load: true tags: ${{ steps.meta.outputs.tags }} + cache-from: type=gha + cache-to: type=gha,mode=max - - name: Scan cves - id: docker-scout - uses: docker/scout-action@dd36f5b0295baffa006aa6623371f226cc03e506 + name: Scan image + id: scan + uses: Azure/container-scan@v0 with: - command: cves - image: ${{ steps.meta.outputs.tags }} - dockerhub-user: ${{ secrets.DOCKER_USERNAME }} - dockerhub-password: ${{ secrets.DOCKER_PASSWORD }} + image-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest + severity-threshold: CRITICAL + run-quality-checks: true - name: Build and push - if: ${{ success() && (github.event_name != 'schedule') }} + if: success() uses: docker/build-push-action@v4 with: context: . - platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta.outputs.tags }} + cache-from: type=gha + cache-to: type=gha,mode=max diff --git a/.github/workflows/docker-scan.yaml b/.github/workflows/docker-scan.yaml new file mode 100644 index 0000000..28ab8fc --- /dev/null +++ b/.github/workflows/docker-scan.yaml @@ -0,0 +1,42 @@ +name: docker-scan + +on: + schedule: + - cron: '30 2 * * *' + +env: + REGISTRY: docker.io + IMAGE_NAME: 42crunch/scand-manager + +jobs: + docker: + runs-on: ubuntu-latest + steps: + - + name: Scan image + id: scan + uses: Azure/container-scan@v0 + with: + image-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest + severity-threshold: CRITICAL + run-quality-checks: true + - + name: Send mail + if: failure() + run: | + cat < email.txt + From: No Reply + To: Security + Subject: Container Scan Report of ${{ github.repository }} + Date: $(date) + + $(cat ${{ steps.scan.outputs.scan-report-path }}) + $(cat ${{ steps.scan.outputs.check-run-url }}) + EOF + + curl \ + --ssl-reqd smtp://smtp.gmail.com \ + --mail-from no-reply@42crunch.com \ + --mail-rcpt security@42crunch.com \ + --upload-file email.txt \ + --user ${{ secrets.MAIL_USERNAME }}:${{ secrets.MAIL_PASSWORD }}