changed to github conatiner repo

.github/workflows/ci.yml

@@ -1,117 +1,122 @@
-name: CI Pipeline
+name: Container Security Lab
 
 on:
   push:
     branches:
       - main
   pull_request:
 
+env:
+  IMAGE_NAME: ${{ github.event.repository.name }}
+  VERSION: 'latest'
+
 jobs:
   codeql:
     name: Run CodeQL SAST
     runs-on: ubuntu-latest
     permissions:
       security-events: write
+
     steps:
       - name: Checkout Code
         uses: actions/checkout@v3
-
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: javascript
-
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
-
+        uses: github/codeql-action/autobuild@v3
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
-  
-  build:
-    name: Build Docker Image
+        uses: github/codeql-action/analyze@v3
+
+  build-push:
+    name: Build and Push Container Image
     runs-on: ubuntu-latest
     needs: codeql
+
     steps:
-      - name: Checkout Code
+      - name: Checkout
         uses: actions/checkout@v3
-
       - name: Set up Docker Buildx
+        id: buildx
         uses: docker/setup-buildx-action@v2
-
-      - name: Log in to DockerHub
+      - name: Set up cosign
+        uses: sigstore/cosign-installer@main
+      - name: Login to GitHub Container Registry
         uses: docker/login-action@v2
         with:
+          registry: ghcr.io
           username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and Push Docker Image
-        run: |
-          docker build -t ${{ secrets.DOCKER_USERNAME }}/container-security-lab:latest .
-          docker push ${{ secrets.DOCKER_USERNAME }}/container-security-lab:latest
+#NODE image does not have a public key, but i will leave this here as an example of how to validate a base image.
+#      - name: Verify base image
+#        run: |          
+#          cosign dockerfile verify --base-image-only --key https://github.com/GoogleContainerTools/distroless Dockerfile
+
+      - name: Publish container image
+        uses: docker/build-push-action@v3
+        with:
+          push: true
+          builder: ${{ steps.buildx.outputs.name }}
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          tags: |
+            ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
+          labels: |
+            org.opencontainers.image.title=${{ github.event.repository.name }}
+            org.opencontainers.image.description=${{ github.event.repository.description }}
+            org.opencontainers.image.url=${{ github.event.repository.html_url }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.version=${{ env.VERSION }}
 
   trivy:
     name: Run Trivy Scan
     runs-on: ubuntu-latest
-    needs: build
+    needs: build-push
 
     steps:
-      - name: Checkout Code
-        uses: actions/checkout@v3
-
       - name: Install Trivy
-        run: |
-          sudo apt-get install wget
-          wget https://github.com/aquasecurity/trivy/releases/download/v0.40.0/trivy_0.40.0_Linux-64bit.deb
-          sudo dpkg -i trivy_0.40.0_Linux-64bit.deb
-
-      - name: Run Trivy Scan
-        run: |
-          trivy image ${{ secrets.DOCKER_USERNAME }}/container-security-lab:latest
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
 
   sign:
-    name: Sign Docker Image with Cosign
+    name: Sign Container Image with Cosign
     runs-on: ubuntu-latest
     needs: trivy
 
     steps:
-      - name: Checkout Code
-        uses: actions/checkout@v3
-
       - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+      - name: Sign Container Image
         run: |
-          curl -LO https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64
-          chmod +x cosign-linux-amd64
-          sudo mv cosign-linux-amd64 /usr/local/bin/cosign
-          
-      - name: Write signing key to disk
-        run:  |
-          echo $KEY > cosign.key
+            cosign sign --key env://COSIGN_KEY ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
         shell: bash
-        env: 
-          KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-
-      - name: Sign Docker Image
         env:
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-        run: |
-          cosign sign --key cosign.key ${{ secrets.DOCKER_USERNAME }}/container-security-lab:latest
+          COSIGN_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
 
-  validate-signature:
-    name: Validate Docker Image Signature
+  validate-container:
+    name: Validate Container Image
     runs-on: ubuntu-latest
     needs: sign
 
     steps:
-      - name: Checkout Code
-        uses: actions/checkout@v3
-
-      - name: Install Cosign
+      - name: Check images
         run: |
-          curl -LO https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64
-          chmod +x cosign-linux-amd64
-          sudo mv cosign-linux-amd64 /usr/local/bin/cosign
-
-      - name: Verify Image Signature
-        run: |
-          cosign verify ${{ secrets.DOCKER_USERNAME }}/container-security-lab:latest
+          docker buildx imagetools inspect ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
+          docker pull ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
+          cosign verify --key env://COSIGN_PUB_KEY ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} 
+      - uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
+        env:
+          COSIGN_PUB_KEY: ${{secrets.COSIGN_PUBLIC_KEY}}