From 7d74ef968263450b0f6b8fc8e10098aa5862fe19 Mon Sep 17 00:00:00 2001
From: 030
Date: Tue, 19 Dec 2023 11:50:14 +0100
Subject: [PATCH] build: Replace separate hadolint, dockle and trivy by one workflow.

---
 .github/workflows/docker.yml | 34 +++++++--------------------------
 .github/workflows/dockerhub.yml | 32 +++++++++++++++++++++++++++++++
 .github/workflows/dockle.yml | 16 ----------------
 .github/workflows/hadolint.yml | 12 ------------
 .github/workflows/trivy.yml | 32 -------------------------------
 Dockerfile | 4 ++--
 6 files changed, 41 insertions(+), 89 deletions(-)
 create mode 100644 .github/workflows/dockerhub.yml
 delete mode 100644 .github/workflows/dockle.yml
 delete mode 100644 .github/workflows/hadolint.yml
 delete mode 100644 .github/workflows/trivy.yml

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index b81e57ca..8cccc130 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,32 +1,12 @@
 ---
 name: Docker
-'on':
- push:
- tags:
- - '*'
+'on': push
 jobs:
- release:
- runs-on: ubuntu-latest
+ docker:
+ runs-on: ubuntu-20.04
 steps:
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v3.0.0
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3.0.0
- - name: Login to DockerHub
- uses: docker/login-action@v3.0.0
+ - uses: actions/checkout@v4.1.1
+ - uses: schubergphilis/mcaf-mcvs-docker-action@v0.1.1
 with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: version
- id: version
- run: echo ::set-output name=version::${GITHUB_REF#refs/tags/}
- - name: Build and push
- id: docker_build
- uses: docker/build-push-action@v5.1.0
- with:
- push: true
- tags: utrecht/n3dr:${{ steps.version.outputs.version }}
- build-args: |
- VERSION=${{ github.ref }}
- - name: Image digest
- run: echo ${{ steps.docker_build.outputs.digest }}
+ dockle-accept-key: libcrypto3,libssl3
+ token: ${{ secrets.GITHUB_TOKEN }}
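Review bot: The new `schubergphilis/mcaf-mcvs-docker-action@v0.1.1` step is pinned to a mutable tag while being handed `secrets.GITHUB_TOKEN`, so a moved or re-pushed tag would run different code with that token; pin it to a full commit SHA and keep the version as a comment, `- uses: schubergphilis/mcaf-mcvs-docker-action@<commit-sha>  # v0.1.1`, and add a top-level `permissions:` block so the token carries only what the action needs. The `with:` block forwards only `dockle-accept-key`, whereas the deleted dockle.yml and trivy.yml hunks carried `ignore: CIS-DI-0005,CIS-DI-0006`, `trivyignores: .trivyignore`, `severity: 'CRITICAL,HIGH'` and `exit-code: '1'`; unless the action reproduces those settings internally, the scan thresholds have changed silently, so confirm them against the action's inputs. `runs-on: ubuntu-20.04` also replaces `ubuntu-latest` with an older runner image; if the action requires it, a comment saying so would help the next bump.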
diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml
new file mode 100644
index 00000000..b81e57ca
--- /dev/null
+++ b/.github/workflows/dockerhub.yml
@@ -0,0 +1,32 @@
+---
+name: Docker
+'on':
+ push:
+ tags:
+ - '*'
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3.0.0
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3.0.0
+ - name: Login to DockerHub
+ uses: docker/login-action@v3.0.0
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: version
+ id: version
+ run: echo ::set-output name=version::${GITHUB_REF#refs/tags/}
+ - name: Build and push
+ id: docker_build
+ uses: docker/build-push-action@v5.1.0
+ with:
+ push: true
+ tags: utrecht/n3dr:${{ steps.version.outputs.version }}
+ build-args: |
+ VERSION=${{ github.ref }}
+ - name: Image digest
+ run: echo ${{ steps.docker_build.outputs.digest }}
diff --git a/.github/workflows/dockle.yml b/.github/workflows/dockle.yml
deleted file mode 100644
index 2a38d8eb..00000000
--- a/.github/workflows/dockle.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-name: Dockle
-'on': push
-jobs:
- dive:
- runs-on: ubuntu-latest
- name: Analyze image using dockle
- steps:
- - uses: actions/checkout@v4.1.1
- - name: Build image
- run: docker build -t utrecht/n3dr:${{ github.sha }} .
- uses: goodwithtech/dockle-action@v0.1.2
- with:
- image: utrecht/n3dr:${{ github.sha }}
- ignore: CIS-DI-0005,CIS-DI-0006
- accept-key: libcrypto3,libssl3
diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml
deleted file mode 100644
index 44c144d7..00000000
--- a/.github/workflows/hadolint.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-name: Hadolint
-'on': push
-jobs:
- dive:
- runs-on: ubuntu-latest
- name: Analyze image using hadolint
- steps:
- - uses: actions/checkout@v4.1.1
- - uses: hadolint/hadolint-action@v1.6.0
- with:
- dockerfile: Dockerfile
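Review bot: This workflow keeps `name: Docker` while the rewritten docker.yml in the first hunk is also `name: Docker`, so the Actions UI now lists two workflows under one display name; rename this one, e.g. `name: DockerHub release`. The content is otherwise the old docker.yml moved unchanged, but its `run: echo ::set-output name=version::${GITHUB_REF#refs/tags/}` uses the deprecated `set-output` workflow command and could be replaced with `run: echo "version=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"` in a follow-up.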
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
deleted file mode 100644
index e8609c6d..00000000
--- a/.github/workflows/trivy.yml
+++ /dev/null
@@ -1,32 +0,0 @@
----
-name: Trivy
-'on': push
-jobs:
- build:
- name: Build
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@v4.1.1
- - name: Build an image from Dockerfile
- run: |
- docker build -t utrecht/n3dr:${{ github.sha }} .
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.14.0
- with:
- image-ref: 'utrecht/n3dr:${{ github.sha }}'
- format: 'table'
- exit-code: '1'
- ignore-unfixed: true
- vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH'
- trivyignores: .trivyignore
- - name: Run Trivy vulnerability scanner in fs mode
- uses: aquasecurity/trivy-action@0.14.0
- with:
- scan-type: 'fs'
- scan-ref: '.'
- exit-code: '1'
- ignore-unfixed: true
- severity: 'CRITICAL,HIGH'
- trivyignores: .trivyignore
diff --git a/Dockerfile b/Dockerfile
index cf45f832..616858da 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,7 +14,7 @@ COPY --from=builder /etc/passwd /etc/passwd
 COPY --from=builder /n3dr /usr/local/bin/n3dr
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 RUN apk add --no-cache \
- libcrypto3=3.1.4-r1 \
- libssl3=3.1.4-r1
+ libcrypto3=~3 \
+ libssl3=~3
 USER n3dr
 ENTRYPOINT ["n3dr"]
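Review bot: `libcrypto3=~3` and `libssl3=~3` only constrain the major version, so with `--no-cache` each build resolves whatever 3.x the base image's package index offers at that moment and the `3.1.4-r1` patch level the removed lines enforced is no longer held; if the intent is only to stop builds breaking when that exact build disappears from the index, `libcrypto3=~3.1 \` and `libssl3=~3.1` keep the minor line while still tolerating patch releases. Either way, a comment above the `RUN` recording why the exact pin was relaxed would explain the choice to the next reader. The RUN instruction is fully within the hunk.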