-
Notifications
You must be signed in to change notification settings - Fork 0
122 lines (110 loc) · 3.56 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
name: Container Security Lab
on:
push:
branches:
- main
pull_request:
env:
IMAGE_NAME: ${{ github.event.repository.name }}
VERSION: 'latest'
jobs:
codeql:
name: Run CodeQL SAST
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: javascript-typescript
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:javascript-typescript"
build-push:
name: Build and Push Container Image
runs-on: ubuntu-latest
needs: codeql
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
- name: Login to Dockerhub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build and Publish Container Image
uses: docker/build-push-action@v3
with:
push: true
builder: ${{ steps.buildx.outputs.name }}
context: .
file: ./Dockerfile
platforms: linux/amd64
tags: |
${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
trivy:
name: Run Trivy Scan
runs-on: ubuntu-latest
needs: build-push
steps:
- name: Install Trivy
uses: aquasecurity/[email protected]
with:
image-ref: '${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
sign:
name: Sign Container Image with Cosign
runs-on: ubuntu-latest
needs: trivy
steps:
- name: Login to Dockerhub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Install Cosign
uses: sigstore/[email protected]
- name: Sign Container Image
run: |
cosign sign --yes --key env://COSIGN_KEY ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
shell: bash
env:
COSIGN_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
validate-container:
name: Validate Container Image
runs-on: ubuntu-latest
needs: sign
steps:
- name: Install Cosign
uses: sigstore/[email protected]
- name: Write public key to disk
run: 'echo "$KEY" > cosign.key'
shell: bash
env:
KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
- name: Check images
run: |
docker buildx imagetools inspect ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
docker pull ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
cosign verify --key cosign.key ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
- uses: anchore/sbom-action@v0
with:
image: ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
format: cyclonedx
upload-artifact-retention: 30
env:
COSIGN_KEY: ${{secrets.COSIGN_PUBLIC_KEY}}