Skip to content
Container Security Lab

Update ci.yml #10

Sign in to view logs

Update ci.yml

Update ci.yml #10

Workflow file for this run

.github/workflows/ci.yml at dfbd6f5
name: Container Security Lab
on:
push:
branches:
- main
pull_request:
env:
IMAGE_NAME: ${{ github.event.repository.name }}
VERSION: 'latest'
jobs:
codeql:
name: Run CodeQL SAST
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout Code
uses: actions/checkout@v3
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: javascript
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
build-push:
name: Build and Push Container Image
runs-on: ubuntu-latest
needs: codeql
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to Dockerhub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build and Publish Container Image
uses: docker/build-push-action@v3
with:
push: true
builder: ${{ steps.buildx.outputs.name }}
context: .
file: ./Dockerfile
platforms: linux/amd64
tags: |
${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
trivy:
name: Run Trivy Scan
runs-on: ubuntu-latest
needs: build-push
steps:
- name: Install Trivy
uses: aquasecurity/[email protected]
with:
image-ref: '${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
sign:
name: Sign Container Image with Cosign
runs-on: ubuntu-latest
needs: trivy
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Sign Container Image
run: |
cosign sign --yes --key env://COSIGN_KEY ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
shell: bash
env:
COSIGN_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
validate-container:
name: Validate Container Image
runs-on: ubuntu-latest
needs: sign
steps:
- name: Check images
run: |
docker buildx imagetools inspect ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
docker pull ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
cosign verify --key env://COSIGN_PUB_KEY ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
- uses: anchore/sbom-action@v0
with:
image: ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
env:
COSIGN_PUB_KEY: ${{secrets.COSIGN_PUBLIC_KEY}}