From 4c50337d701e599211cfa8f9fcd74dce7dc638a4 Mon Sep 17 00:00:00 2001
From: tamalerhino
Date: Sat, 19 Oct 2024 14:24:51 -0500
Subject: [PATCH] changed to github conatiner repo
---
 .github/workflows/ci.yml | 129 ++++++++++++++++++++-------------------
 1 file changed, 67 insertions(+), 62 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 764cd99..b62b5c6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,4 @@
-name: CI Pipeline
+name: Container Security Lab
 on:
   push:
@@ -6,112 +6,117 @@ on: - main pull_request: +env: + IMAGE_NAME: ${{ github.event.repository.name }} + VERSION: 'latest' + jobs: codeql: name: Run CodeQL SAST runs-on: ubuntu-latest permissions: security-events: write + steps: - name: Checkout Code uses: actions/checkout@v3 - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: javascript - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - + uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - - build: - name: Build Docker Image + uses: github/codeql-action/analyze@v3 + + build-push: + name: Build and Push Container Image runs-on: ubuntu-latest needs: codeql + steps: - - name: Checkout Code + - name: Checkout uses: actions/checkout@v3 - - name: Set up Docker Buildx + id: buildx uses: docker/setup-buildx-action@v2 - - - name: Log in to DockerHub + - name: Set up cosign + uses: sigstore/cosign-installer@main + - name: Login to GitHub Container Registry uses: docker/login-action@v2 with: + registry: ghcr.io username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and Push Docker Image - run: | - docker build -t ${{ secrets.DOCKER_USERNAME }}/container-security-lab:latest . - docker push ${{ secrets.DOCKER_USERNAME }}/container-security-lab:latest +#NODE image does not have a public key, but i will leave this here as an example of how to validate a base image. +# - name: Verify base image +# run: | +# cosign dockerfile verify --base-image-only --key https://github.com/GoogleContainerTools/distroless Dockerfile + + - name: Publish container image + uses: docker/build-push-action@v3 + with: + push: true + builder: ${{ steps.buildx.outputs.name }} + context: . 
+ file: ./Dockerfile + platforms: linux/amd64 + tags: | + ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} + labels: | + org.opencontainers.image.title=${{ github.event.repository.name }} + org.opencontainers.image.description=${{ github.event.repository.description }} + org.opencontainers.image.url=${{ github.event.repository.html_url }} + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.version=${{ env.VERSION }} trivy: name: Run Trivy Scan runs-on: ubuntu-latest - needs: build + needs: build-push steps: - - name: Checkout Code - uses: actions/checkout@v3 - - name: Install Trivy - run: | - sudo apt-get install wget - wget https://github.com/aquasecurity/trivy/releases/download/v0.40.0/trivy_0.40.0_Linux-64bit.deb - sudo dpkg -i trivy_0.40.0_Linux-64bit.deb - - - name: Run Trivy Scan - run: | - trivy image ${{ secrets.DOCKER_USERNAME }}/container-security-lab:latest + uses: aquasecurity/trivy-action@0.20.0 + with: + image-ref: 'ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' sign: - name: Sign Docker Image with Cosign + name: Sign Container Image with Cosign runs-on: ubuntu-latest needs: trivy steps: - - name: Checkout Code - uses: actions/checkout@v3 - - name: Install Cosign + uses: sigstore/cosign-installer@main + - name: Sign Container Image run: | - curl -LO https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64 - chmod +x cosign-linux-amd64 - sudo mv cosign-linux-amd64 /usr/local/bin/cosign - - - name: Write signing key to disk - run: | - echo $KEY > cosign.key + cosign sign --key env://COSIGN_KEY ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} shell: bash - env: - KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - - - name: Sign Docker Image env: - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - run: | - 
cosign sign --key cosign.key ${{ secrets.DOCKER_USERNAME }}/container-security-lab:latest + COSIGN_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} + COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - validate-signature: - name: Validate Docker Image Signature + validate-container: + name: Validate Container Image runs-on: ubuntu-latest needs: sign steps: - - name: Checkout Code - uses: actions/checkout@v3 - - - name: Install Cosign + - name: Check images run: | - curl -LO https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64 - chmod +x cosign-linux-amd64 - sudo mv cosign-linux-amd64 /usr/local/bin/cosign - - - name: Verify Image Signature - run: | - cosign verify ${{ secrets.DOCKER_USERNAME }}/container-security-lab:latest + docker buildx imagetools inspect ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} + docker pull ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} + cosign verify --key env://COSIGN_PUB_KEY ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} + - uses: anchore/sbom-action@v0 + with: + image: ghcr.io/${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} + env: + COSIGN_PUB_KEY: ${{secrets.COSIGN_PUBLIC_KEY}}
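Review bot: The new `validate-container` job runs `cosign verify --key env://COSIGN_PUB_KEY …` in its `Check images` step, but the hunk removes the old `Install Cosign` curl step and, unlike `build-push` and `sign`, adds no installer step, so the verify will presumably fail with `cosign: command not found` unless the runner image happens to ship it; add `- uses: sigstore/cosign-installer@<tagged release>` before that step. Both existing installer references use `sigstore/cosign-installer@main`, a mutable branch of a supply-chain-critical tool that runs with the signing key in its environment — pin them to a tagged release or, better, a full commit SHA. The sign and verify steps also operate on the mutable `:latest` tag, so the digest signed may not be the one `build-push` produced if another push lands between jobs; give the `Publish container image` step an `id`, export its `digest` output as a job output, and sign/verify `ghcr.io/…/${{ env.IMAGE_NAME }}@${{ needs.build-push.outputs.digest }}` instead. With `password: ${{ secrets.GITHUB_TOKEN }}` the `build-push` job likely also needs `permissions: packages: write` (only `codeql` declares permissions here), and the GHCR namespace would normally be `${{ github.repository_owner }}` rather than a secret, which additionally stops the image reference from being masked in logs. Whether the trailing `env: COSIGN_PUB_KEY:` block attaches to the verify step or to the `anchore/sbom-action` step cannot be told from the collapsed indentation, but it must be visible to the step that runs `cosign verify`.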