
Merge pull request #19 from GeorgeDavis-Ibexlabs/dev
Merge change from `dev` into `main`
GeorgeDavis-Ibexlabs authored Sep 12, 2024
2 parents c937519 + 9346b81 commit d7003b7
Showing 2 changed files with 44 additions and 32 deletions.
71 changes: 39 additions & 32 deletions .github/workflows/build-ci.yml
Expand Up @@ -20,7 +20,7 @@ permissions:
security-events: write

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
jobs:
iac-scan:
# The type of runner that the job will run on
runs-on: ubuntu-latest
Expand Down Expand Up @@ -58,6 +58,20 @@ jobs:
if: steps.changed-files.outputs.any_changed == 'true'
uses: docker/setup-buildx-action@v3

- name: Log in to Docker Hub
if: steps.changed-files.outputs.any_changed == 'true'
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Extract metadata (tags, labels) for Docker
if: steps.changed-files.outputs.any_changed == 'true'
id: meta
uses: docker/[email protected]
with:
images: georgedavisibexlabs/publish-sarif-to-jira

- name: Build Docker image
if: steps.changed-files.outputs.any_changed == 'true'
uses: docker/[email protected]
Expand All @@ -66,16 +80,17 @@ jobs:
file: Dockerfile
push: false
# sbom: true
tags: georgedavisibexlabs/publish-sarif-to-jira:build
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}

- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
if: steps.changed-files.outputs.any_changed == 'true'
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
format: 'github'
output: 'dependency-results.sbom.json'
image-ref: '.'
scan-type: "fs"
format: "github"
output: "dependency-results.sbom.json"
image-ref: "georgedavisibexlabs/publish-sarif-to-jira:main"
github-pat: ${{ secrets.GITHUB_TOKEN }}

- name: Upload trivy SBOM as a Github artifact
Expand All @@ -86,30 +101,22 @@ jobs:
path: trivy-dependency-results.sbom.json
retention-days: 30

- name: List Docker Containers
if: steps.changed-files.outputs.any_changed == 'true'
run: 'docker ps -a'
- name: Run Trivy Image scanner
uses: aquasecurity/[email protected]
with:
scan-type: "image"
image-ref: "georgedavisibexlabs/publish-sarif-to-jira:main"
limit-severities-for-sarif: true
trivy-config: .github/config/trivy-sarif.yaml

- name: List Docker Images
if: steps.changed-files.outputs.any_changed == 'true'
run: 'docker images'

# - name: Run Trivy Image scanner
# uses: aquasecurity/[email protected]
# with:
# scan-type: 'image'
# image-ref: 'georgedavisibexlabs/publish-sarif-to-jira'
# limit-severities-for-sarif: true
# trivy-config: .github/config/trivy-sarif.yaml

# - name: Upload Trivy Image scan results
# uses: actions/[email protected]
# with:
# name: trivy-image-scan-results
# path: trivy-image-scan-results.sarif
# retention-days: 30

# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v3
# with:
# sarif_file: 'trivy-image-scan-results.sarif'
- name: Upload Trivy Image scan results
uses: actions/[email protected]
with:
name: trivy-image-scan-results
path: trivy-image-scan-results.sarif
retention-days: 30

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-image-scan-results.sarif"
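Review bot: The SBOM step keeps `scan-type: "fs"` but swaps `image-ref: '.'` for the `:main` image name; in filesystem mode trivy-action takes its path from `scan-ref` (default `.`), so the new `image-ref` value is most likely ignored and the step still scans the checkout — if the intent is to scan the image, change it to `scan-type: "image"`, otherwise drop `image-ref` and write `scan-ref: "."`. The new `Run Trivy Image scanner` step and both upload steps also lack the `if: steps.changed-files.outputs.any_changed == 'true'` guard every other step in the hunk carries, so on a run with no changed files the image scan and SARIF upload execute anyway and the artifact upload can fail on a missing `trivy-image-scan-results.sarif`. Because the build step has `push: false`, the `:main` tag the image scanner references is presumably the image already published on Docker Hub rather than the one just built (and the metadata-action tag for a non-main ref would not be `:main`), unless a `load: true` and a matching tag are set in the part of the build step's `with:` block that lies outside this hunk — worth confirming. Pinning the newly added `docker/login-action`, `docker/metadata-action` and `aquasecurity/trivy-action` references to a commit SHA rather than a version tag would harden the workflow against a moved tag; the enclosing `steps:` list begins before the hunk.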
5 changes: 5 additions & 0 deletions .github/workflows/docker-publish.yml
Expand Up @@ -19,6 +19,11 @@ on:
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:

permissions:
actions: read
contents: read
security-events: write

jobs:
push_to_registry:
name: Push Docker image to Docker Hub
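Review bot: The new top-level `permissions` block grants `security-events: write` to a workflow whose only visible job is `push_to_registry`; that scope is needed only by a step that uploads SARIF to the Security tab, so unless the job body (outside this hunk) does that, trim it to `actions: read` and `contents: read` to keep the token least-privileged. Declaring the block explicitly is otherwise an improvement over inheriting the repository's default token scopes. The `jobs:` mapping continues past the end of the hunk.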
