chaos/docker-salt-master
Archived
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ci: Update Security analysis workflow

Browse Source
This commit is contained in:
Carlos Álvaro
2021-03-13 20:59:01 +01:00
parent 828092ad75
commit ccf7a04053
3 changed files with 40 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
.github/workflows/build-and-test.yml vendored
View File

@@ -170,49 +170,3 @@ jobs:
run: |
docker stop saltstack_master registry
docker image rm ${IMAGE_NAME}
security-analysis:
name: Security analysis
runs-on: ubuntu-latest
needs: build
steps:
- name: Download Docker registry data from build job
uses: actions/download-artifact@v2
with:
name: docker-registry-data
path: ${{ env.REGISTRY_PATH }}
- name: Enable Docker experimental
run: |
# Enable docker daemon experimental support.
echo '{"experimental": true}' | sudo tee /etc/docker/daemon.json
sudo systemctl restart docker
# Install QEMU multi-architecture support for docker buildx.
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
- name: Start Docker registry
run: |
docker run -d -p 5000:5000 -v ${REGISTRY_PATH}:/var/lib/registry --name registry registry:2
- name: Import Docker images
run: |
RETRY_MAX=5
for i in $(seq 1 $RETRY_MAX); do
[ "$i" != "1" ] && echo "Retrying docker pull"
docker pull --platform linux/amd64 ${IMAGE_NAME} && break
echo "Command failed with code $?"
done
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.IMAGE_NAME }}
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'HIGH,CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results.sarif'

28
.github/workflows/publish.yml vendored
View File

@@ -91,31 +91,3 @@ jobs:
cache-to: type=local,dest=${{ env.CACHE_PATH }}
push: true
tags: ${{ steps.metadata.outputs.tags }}
security-analysis:
name: Security analysis
runs-on: ubuntu-latest
needs: publish
steps:
- name: Prepare metadata
id: metadata
run: |
IMAGE_REF="${IMAGE_NAME}:${GITHUB_REF_NAME:-latest}"
echo ::set-output name=image_ref::${IMAGE_REF}
- name: Import Docker images
run: docker pull ${{ steps.metadata.outputs.image_ref }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.metadata.outputs.image_ref }}
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'HIGH,CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results.sarif'

40
.github/workflows/security-analysis.yml vendored
View File

@@ -1,6 +1,10 @@
name: Security analysis
on:
push:
branches:
- main
pull_request:
schedule:
- cron: '0 0 * * 1'
@@ -8,9 +12,45 @@ jobs:
security-analysis:
name: Trivy scan
runs-on: ubuntu-latest
env:
CACHE_PATH: /tmp/.buildx-cache
steps:
- name: Checkout repository
if: github.event_name != 'schedule'
uses: actions/checkout@v2
- name: Set up QEMU
if: github.event_name != 'schedule'
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
if: github.event_name != 'schedule'
uses: docker/setup-buildx-action@v1
- name: Cache Docker layers
if: github.event_name != 'schedule'
uses: actions/cache@v2.1.4
with:
path: ${{ env.CACHE_PATH }}
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Build docker-salt-master image
if: github.event_name != 'schedule'
uses: docker/build-push-action@v2
with:
context: .
file: ./Dockerfile
cache-from: |
type=local,src=${{ env.CACHE_PATH }}
ghcr.io/cdalvaro/docker-salt-master:${{ github.sha }}
cache-to: type=local,dest=${{ env.CACHE_PATH }}
push: false
- name: Download and tag latest image
if: github.event_name == 'schedule'
run: |
docker pull ghcr.io/cdalvaro/docker-salt-master:latest
docker tag ghcr.io/cdalvaro/docker-salt-master:latest ghcr.io/cdalvaro/docker-salt-master:${{ github.sha }}