-
Notifications
You must be signed in to change notification settings - Fork 14
62 lines (58 loc) · 2.21 KB
/
pr.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
on: pull_request
name: pull request checks
jobs:
dockerfilelint:
name: dockerfile lint
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected]
- name: hadolint
uses: burdzwastaken/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
HADOLINT_ACTION_DOCKERFILE_FOLDER: .
dockerbuild:
name: docker build
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected]
- name: extract tag
id: vars
run: echo ::set-output name=alpine_version::$(grep '^FROM alpine' Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
- name: docker build
run: docker build . --file Dockerfile --tag image:${{ steps.vars.outputs.alpine_version }}
- name: save docker image for cache
run: mkdir -p image/ && docker save -o image/image.tar image:${{ steps.vars.outputs.alpine_version }}
- name: cache docker image
uses: actions/[email protected]
with:
path: image/
key: ${{ runner.os }}-docker-${{ github.sha }}
dockerscan:
name: docker security scan
runs-on: ubuntu-latest
needs: dockerbuild
steps:
- uses: actions/[email protected]
- name: extract tag
id: vars
run: echo ::set-output name=alpine_version::$(grep '^FROM alpine' Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
- name: load cached docker image
uses: actions/[email protected]
with:
path: image/
key: ${{ runner.os }}-docker-${{ github.sha }}
- name: load cached docker container
run: docker load -i image/image.tar
- name: cached scan db
uses: actions/[email protected]
with:
path: vulndb/
key: trivy-vulndb
- name: Install Trivy
run: |
trivyRelease="$(curl -s "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | cut -d 'v' -f 2)"
wget https://github.com/aquasecurity/trivy/releases/download/v${trivyRelease}/trivy_${trivyRelease}_Linux-64bit.tar.gz
tar zxvf trivy_${trivyRelease}_Linux-64bit.tar.gz
- name: Scan
run: ./trivy --exit-code 1 --no-progress --severity HIGH,CRITICAL,MEDIUM --cache-dir vulndb/ image:${{ steps.vars.outputs.alpine_version }}