chaos/docker-salt-master
Archived
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #37 from cdalvaro/feat/add_security_analysis

Browse Source 
ci/cd: Add security analysis step
This commit is contained in:
Carlos D. Álvaro
2020-10-01 09:00:23 +02:00
committed by GitHub
parent 1b862039dc 67012ccb2f
commit e04015df50
2 changed files with 69 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
.github/workflows/build-and-test.yml vendored
View File

@@ -113,3 +113,43 @@ jobs:
run: | run: |
docker stop saltstack_master registry docker stop saltstack_master registry
docker image rm ${IMAGE_NAME} docker image rm ${IMAGE_NAME}
security-analysis:
name: Security analysis
runs-on: ubuntu-latest
needs: build
steps:
- name: Download Docker registry data from build job
uses: actions/download-artifact@v2
with:
name: docker-registry-data
path: ${{ env.REGISTRY_PATH }}
- name: Enable Docker experimental
run: |
# Enable docker daemon experimental support.
echo '{"experimental": true}' | sudo tee /etc/docker/daemon.json
sudo systemctl restart docker
# Install QEMU multi-architecture support for docker buildx.
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
- name: Start Docker registry
run: |
docker run -d -p 5000:5000 -v ${REGISTRY_PATH}:/var/lib/registry --name registry registry:2
- name: Import Docker images
run: docker pull --platform linux/amd64 ${IMAGE_NAME}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.IMAGE_NAME }}
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'HIGH,CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results.sarif'

29
.github/workflows/publish.yml vendored
View File

@@ -88,3 +88,32 @@ jobs:
cache-to: type=local,dest=${{ env.CACHE_PATH }} cache-to: type=local,dest=${{ env.CACHE_PATH }}
push: true push: true
tags: ${{ steps.metadata.outputs.tags }} tags: ${{ steps.metadata.outputs.tags }}
security-analysis:
name: Security analysis
runs-on: ubuntu-latest
needs: publish
if: github.event_name == 'release'
steps:
- name: Prepare metadata
id: metadata
run: |
IMAGE_REF="${IMAGE_NAME}:${GITHUB_REF_NAME:-latest}"
echo ::set-output name=image_ref::${IMAGE_REF}
- name: Import Docker images
run: docker pull ${{ steps.metadata.outputs.image_ref }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.metadata.outputs.image_ref }}
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'HIGH,CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results.sarif'