ci: Update Security analysis workflow
This commit is contained in:
Carlos Álvaro
46
.github/workflows/build-and-test.yml
vendored
46
.github/workflows/build-and-test.yml
vendored
@@ -170,49 +170,3 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
docker stop saltstack_master registry
|
docker stop saltstack_master registry
|
||||||
docker image rm ${IMAGE_NAME}
|
docker image rm ${IMAGE_NAME}
|
||||||
|
|
||||||
security-analysis:
|
|
||||||
name: Security analysis
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
needs: build
|
|
||||||
steps:
|
|
||||||
- name: Download Docker registry data from build job
|
|
||||||
uses: actions/download-artifact@v2
|
|
||||||
with:
|
|
||||||
name: docker-registry-data
|
|
||||||
path: ${{ env.REGISTRY_PATH }}
|
|
||||||
|
|
||||||
- name: Enable Docker experimental
|
|
||||||
run: |
|
|
||||||
# Enable docker daemon experimental support.
|
|
||||||
echo '{"experimental": true}' | sudo tee /etc/docker/daemon.json
|
|
||||||
sudo systemctl restart docker
|
|
||||||
# Install QEMU multi-architecture support for docker buildx.
|
|
||||||
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
|
|
||||||
|
|
||||||
- name: Start Docker registry
|
|
||||||
run: |
|
|
||||||
docker run -d -p 5000:5000 -v ${REGISTRY_PATH}:/var/lib/registry --name registry registry:2
|
|
||||||
|
|
||||||
- name: Import Docker images
|
|
||||||
run: |
|
|
||||||
RETRY_MAX=5
|
|
||||||
for i in $(seq 1 $RETRY_MAX); do
|
|
||||||
[ "$i" != "1" ] && echo "Retrying docker pull"
|
|
||||||
docker pull --platform linux/amd64 ${IMAGE_NAME} && break
|
|
||||||
echo "Command failed with code $?"
|
|
||||||
done
|
|
||||||
|
|
||||||
- name: Run Trivy vulnerability scanner
|
|
||||||
uses: aquasecurity/trivy-action@master
|
|
||||||
with:
|
|
||||||
image-ref: ${{ env.IMAGE_NAME }}
|
|
||||||
format: 'template'
|
|
||||||
template: '@/contrib/sarif.tpl'
|
|
||||||
output: 'trivy-results.sarif'
|
|
||||||
severity: 'HIGH,CRITICAL'
|
|
||||||
|
|
||||||
- name: Upload Trivy scan results to GitHub Security tab
|
|
||||||
uses: github/codeql-action/upload-sarif@v1
|
|
||||||
with:
|
|
||||||
sarif_file: 'trivy-results.sarif'
|
|
||||||
|
|||||||
28
.github/workflows/publish.yml
vendored
28
.github/workflows/publish.yml
vendored
@@ -91,31 +91,3 @@ jobs:
|
|||||||
cache-to: type=local,dest=${{ env.CACHE_PATH }}
|
cache-to: type=local,dest=${{ env.CACHE_PATH }}
|
||||||
push: true
|
push: true
|
||||||
tags: ${{ steps.metadata.outputs.tags }}
|
tags: ${{ steps.metadata.outputs.tags }}
|
||||||
|
|
||||||
security-analysis:
|
|
||||||
name: Security analysis
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
needs: publish
|
|
||||||
steps:
|
|
||||||
- name: Prepare metadata
|
|
||||||
id: metadata
|
|
||||||
run: |
|
|
||||||
IMAGE_REF="${IMAGE_NAME}:${GITHUB_REF_NAME:-latest}"
|
|
||||||
echo ::set-output name=image_ref::${IMAGE_REF}
|
|
||||||
|
|
||||||
- name: Import Docker images
|
|
||||||
run: docker pull ${{ steps.metadata.outputs.image_ref }}
|
|
||||||
|
|
||||||
- name: Run Trivy vulnerability scanner
|
|
||||||
uses: aquasecurity/trivy-action@master
|
|
||||||
with:
|
|
||||||
image-ref: ${{ steps.metadata.outputs.image_ref }}
|
|
||||||
format: 'template'
|
|
||||||
template: '@/contrib/sarif.tpl'
|
|
||||||
output: 'trivy-results.sarif'
|
|
||||||
severity: 'HIGH,CRITICAL'
|
|
||||||
|
|
||||||
- name: Upload Trivy scan results to GitHub Security tab
|
|
||||||
uses: github/codeql-action/upload-sarif@v1
|
|
||||||
with:
|
|
||||||
sarif_file: 'trivy-results.sarif'
|
|
||||||
|
|||||||
40
.github/workflows/security-analysis.yml
vendored
40
.github/workflows/security-analysis.yml
vendored
@@ -1,6 +1,10 @@
|
|||||||
name: Security analysis
|
name: Security analysis
|
||||||
|
|
||||||
on:
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
pull_request:
|
||||||
schedule:
|
schedule:
|
||||||
- cron: '0 0 * * 1'
|
- cron: '0 0 * * 1'
|
||||||
|
|
||||||
@@ -8,9 +12,45 @@ jobs:
|
|||||||
security-analysis:
|
security-analysis:
|
||||||
name: Trivy scan
|
name: Trivy scan
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
env:
|
||||||
|
CACHE_PATH: /tmp/.buildx-cache
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
- name: Checkout repository
|
||||||
|
if: github.event_name != 'schedule'
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
|
||||||
|
- name: Set up QEMU
|
||||||
|
if: github.event_name != 'schedule'
|
||||||
|
uses: docker/setup-qemu-action@v1
|
||||||
|
|
||||||
|
- name: Set up Docker Buildx
|
||||||
|
if: github.event_name != 'schedule'
|
||||||
|
uses: docker/setup-buildx-action@v1
|
||||||
|
|
||||||
|
- name: Cache Docker layers
|
||||||
|
if: github.event_name != 'schedule'
|
||||||
|
uses: actions/cache@v2.1.4
|
||||||
|
with:
|
||||||
|
path: ${{ env.CACHE_PATH }}
|
||||||
|
key: ${{ runner.os }}-buildx-${{ github.sha }}
|
||||||
|
restore-keys: |
|
||||||
|
${{ runner.os }}-buildx-
|
||||||
|
|
||||||
|
- name: Build docker-salt-master image
|
||||||
|
if: github.event_name != 'schedule'
|
||||||
|
uses: docker/build-push-action@v2
|
||||||
|
with:
|
||||||
|
context: .
|
||||||
|
file: ./Dockerfile
|
||||||
|
cache-from: |
|
||||||
|
type=local,src=${{ env.CACHE_PATH }}
|
||||||
|
ghcr.io/cdalvaro/docker-salt-master:${{ github.sha }}
|
||||||
|
cache-to: type=local,dest=${{ env.CACHE_PATH }}
|
||||||
|
push: false
|
||||||
|
|
||||||
- name: Download and tag latest image
|
- name: Download and tag latest image
|
||||||
|
if: github.event_name == 'schedule'
|
||||||
run: |
|
run: |
|
||||||
docker pull ghcr.io/cdalvaro/docker-salt-master:latest
|
docker pull ghcr.io/cdalvaro/docker-salt-master:latest
|
||||||
docker tag ghcr.io/cdalvaro/docker-salt-master:latest ghcr.io/cdalvaro/docker-salt-master:${{ github.sha }}
|
docker tag ghcr.io/cdalvaro/docker-salt-master:latest ghcr.io/cdalvaro/docker-salt-master:${{ github.sha }}
|
||||||
|
|||||||
Reference in New Issue
Block a user