pref(voluner): add image check before merging [frontend][backend][stub]
guzhongren committed Feb 1, 2024
1 parent fdc64ac commit 969fc5e
Showing 1 changed file with 40 additions and 29 deletions.
69 changes: 40 additions & 29 deletions .github/workflows/BuildAndDeploy.yml
Expand Up @@ -253,6 +253,45 @@ jobs:
# echo "BuildKite build failed. Cannot merge the PR."
# exit 1
# fi
images-backend:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v4

- name: Build and tag
run: |
docker build -t frontend:latest ./ -f ./ops/infra/Dockerfile.frontend
docker build -t backend:latest ./ -f ./ops/infra/Dockerfile.backend
docker build -t stub:latest ./ -f ./ops/infra/Dockerfile.stub
- name: Run Trivy vulnerability scanner for frontend
uses: aquasecurity/trivy-action@master
with:
image-ref: frontned:latest
format: "table"
exit-code: "1"
ignore-unfixed: true
severity: "CRITICAL,HIGH"
trivyignores: ".trivyignore"
- name: Run Trivy vulnerability scanner for backend
uses: aquasecurity/trivy-action@master
with:
image-ref: backend:latest
format: "table"
exit-code: "1"
ignore-unfixed: true
severity: "CRITICAL,HIGH"
trivyignores: ".trivyignore"
- name: Run Trivy vulnerability scanner for stub
uses: aquasecurity/trivy-action@master
with:
image-ref: stub:latest
format: "table"
exit-code: "1"
ignore-unfixed: true
severity: "CRITICAL,HIGH"
trivyignores: ".trivyignore"
deploy-infra:
if: ${{ github.ref == 'refs/heads/main' }}
needs:
Expand All @@ -265,6 +304,7 @@ jobs:
- backend-check
- deny-dot-star-check
- security-check
- images-backend
- shellcheck
- credential-check
- frontend-license-check
Expand Down Expand Up @@ -328,15 +368,6 @@ jobs:
docker build -t $REGISTRY/$REPOSITORY:latest ./ -f ./ops/infra/Dockerfile.backend
docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG ./ -f ./ops/infra/Dockerfile.backend
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.login-ecr.outputs.registry }}/heartbeat_backend:latest
format: "table"
exit-code: "1"
ignore-unfixed: true
severity: "CRITICAL,HIGH"
trivyignores: ".trivyignore"
# - name: Push for Backend
# env:
# REGISTRY: ${{ steps.login-ecr.outputs.registry }}
Expand Down Expand Up @@ -377,16 +408,6 @@ jobs:
docker build -t $REGISTRY/$REPOSITORY:latest ./ -f ./ops/infra/Dockerfile.frontend
docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG ./ -f ./ops/infra/Dockerfile.frontend
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.login-ecr.outputs.registry }}/heartbeat_frontend:latest
format: "table"
exit-code: "1"
ignore-unfixed: true
severity: "CRITICAL,HIGH"
trivyignores: ".trivyignore"

# - name: Push for Frontend
# env:
# REGISTRY: ${{ steps.login-ecr.outputs.registry }}
Expand Down Expand Up @@ -428,16 +449,6 @@ jobs:
docker build -t $REGISTRY/$REPOSITORY:latest ./ -f ./ops/infra/Dockerfile.stub
docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG ./ -f ./ops/infra/Dockerfile.stub
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.login-ecr.outputs.registry }}/heartbeat_stub:latest
format: "table"
exit-code: "1"
ignore-unfixed: true
severity: "CRITICAL,HIGH"
trivyignores: ".trivyignore"

# - name: Push for MockServer
# if: ${{ contains(github.event.head_commit.message, '[stub]') }}
# env:
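Review bot: The frontend scan step in the new images-backend job never looks at the image the preceding step built: the build tags `frontend:latest`, but the Trivy step passes `image-ref: frontned:latest`, so Trivy will presumably fail to resolve that reference and the frontend image goes unscanned; change it to `image-ref: frontend:latest`. All three new scan steps reference `aquasecurity/trivy-action@master`, a mutable branch whose contents can change underneath the workflow, so the gate is only as trustworthy as whatever is on that branch on the day it runs; pin it to a tagged release or a full-length commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`. The job is named `images-backend` yet builds and scans frontend, backend and stub, which misleads anyone reading the `needs:` list in deploy-infra; a name such as `image-scan` would describe what it gates. Note also that dropping the scans from the three deploy jobs (the -328, -377 and -428 hunks) means the registry-tagged images built on main are no longer scanned after build, which only matches the PR-time check for as long as the base images and dependencies do not drift between merge and deploy; the three scan blocks are also identical apart from the image name and would be shorter as a matrix over `[frontend, backend, stub]`.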

0 comments on commit 969fc5e
