From c020db43e9edd5293f0234d0a242bdd250eba5df Mon Sep 17 00:00:00 2001
From: Ben van B <030@users.noreply.github.com>
Date: Tue, 19 Dec 2023 12:02:46 +0100
Subject: [PATCH] build: Replace separate hadolint, dockle and trivy by one workflow. (#417)
---
 .github/workflows/docker.yml | 34 +++++++--------------------------
 .github/workflows/dockerhub.yml | 32 +++++++++++++++++++++++++++++++
 .github/workflows/dockle.yml | 16 ----------------
 .github/workflows/hadolint.yml | 12 ------------
 .github/workflows/trivy.yml | 32 ------------------------------
 .trivyignore | 1 -
 Dockerfile | 4 ++--
 7 files changed, 41 insertions(+), 90 deletions(-)
 create mode 100644 .github/workflows/dockerhub.yml
 delete mode 100644 .github/workflows/dockle.yml
 delete mode 100644 .github/workflows/hadolint.yml
 delete mode 100644 .github/workflows/trivy.yml
 delete mode 100644 .trivyignore
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index b81e57ca..8cccc130 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,32 +1,12 @@
 --- name: Docker -'on': - push: - tags: - - '*' +'on': push jobs: - release: - runs-on: ubuntu-latest + docker: + runs-on: ubuntu-20.04 steps: - - name: Set up QEMU - uses: docker/setup-qemu-action@v3.0.0 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3.0.0 - - name: Login to DockerHub - uses: docker/login-action@v3.0.0 + - uses: actions/checkout@v4.1.1 + - uses: schubergphilis/mcaf-mcvs-docker-action@v0.1.1 with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: version - id: version - run: echo ::set-output name=version::${GITHUB_REF#refs/tags/} - - name: Build and push - id: docker_build - uses: docker/build-push-action@v5.1.0 - with: - push: true - tags: utrecht/n3dr:${{ steps.version.outputs.version }} - build-args: | - VERSION=${{ github.ref }} - - name: Image digest - run: echo ${{ steps.docker_build.outputs.digest }} + dockle-accept-key: libcrypto3,libssl3 + token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml
new file mode 100644
index 00000000..3ddffca0
--- /dev/null
+++ b/.github/workflows/dockerhub.yml
@@ -0,0 +1,32 @@
+--- +name: Dockerhub +'on': + push: + tags: + - '*' +jobs: + release: + runs-on: ubuntu-latest + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3.0.0 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3.0.0 + - name: Login to DockerHub + uses: docker/login-action@v3.0.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: version + id: version + run: echo ::set-output name=version::${GITHUB_REF#refs/tags/} + - name: Build and push + id: docker_build + uses: docker/build-push-action@v5.1.0 + with: + push: true + tags: utrecht/n3dr:${{ steps.version.outputs.version }} + build-args: | + VERSION=${{ github.ref }} + - name: Image digest + run: echo ${{ steps.docker_build.outputs.digest }}
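Review bot: The new `docker` job passes `secrets.GITHUB_TOKEN` to the third-party `schubergphilis/mcaf-mcvs-docker-action@v0.1.1` without a `permissions:` block, so the token carries whatever default the repository grants (which can be read-write depending on repository settings); add `permissions:` / `  contents: read` at the workflow level and extend it only with what the action documents it needs. The action is referenced by a mutable tag rather than a commit SHA, so a retagged release silently changes what runs with that token; pinning `uses:` to the full SHA with the version in a trailing comment is the usual mitigation for an action that both builds and scans the image. The hunk also drops the `ignore: CIS-DI-0005,CIS-DI-0006` dockle list, the trivy `severity: 'CRITICAL,HIGH'` / `exit-code: '1'` settings and the fs-mode scan that the deleted workflows carried, without recording whether the composite action reproduces them; a one-line comment on the `uses:` line stating what the action is expected to cover would spare the next reader that check. `runs-on: ubuntu-20.04` also diverges from the `ubuntu-latest` used by the `release` job in dockerhub.yml in this same commit.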
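Review bot: The `version` step on the new side still uses `echo ::set-output name=version::...`, the workflow command GitHub has deprecated in favour of the `GITHUB_OUTPUT` file, so the step will stop producing `steps.version.outputs.version` once the command is disabled; write it as `run: echo "version=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"`. The `VERSION` build-arg is passed `${{ github.ref }}` (the full `refs/tags/...` ref) while the image tag uses the stripped `steps.version.outputs.version`; if the binary is expected to report the bare tag, `VERSION=${{ steps.version.outputs.version }}` keeps the two consistent, though I cannot see from the diff which form the Dockerfile expects. Like docker.yml, this workflow has no `permissions:` block; `permissions:` / `  contents: read` is sufficient for a job that only builds from the repository and pushes with its own DockerHub secrets. Any tag matching `'*'` publishes to `utrecht/n3dr`, which is presumably intended but deserves a comment above `tags:` so nobody narrows or widens it by accident.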
diff --git a/.github/workflows/dockle.yml b/.github/workflows/dockle.yml
deleted file mode 100644
index 2a38d8eb..00000000
--- a/.github/workflows/dockle.yml
+++ /dev/null
@@ -1,16 +0,0 @@
---- -name: Dockle -'on': push -jobs: - dive: - runs-on: ubuntu-latest - name: Analyze image using dockle - steps: - - uses: actions/checkout@v4.1.1 - - name: Build image - run: docker build -t utrecht/n3dr:${{ github.sha }} . - - uses: goodwithtech/dockle-action@v0.1.2 - with: - image: utrecht/n3dr:${{ github.sha }} - ignore: CIS-DI-0005,CIS-DI-0006 - accept-key: libcrypto3,libssl3
diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml
deleted file mode 100644
index 44c144d7..00000000
--- a/.github/workflows/hadolint.yml
+++ /dev/null
@@ -1,12 +0,0 @@
---- -name: Hadolint -'on': push -jobs: - dive: - runs-on: ubuntu-latest - name: Analyze image using hadolint - steps: - - uses: actions/checkout@v4.1.1 - - uses: hadolint/hadolint-action@v1.6.0 - with: - dockerfile: Dockerfile
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
deleted file mode 100644
index e8609c6d..00000000
--- a/.github/workflows/trivy.yml
+++ /dev/null
@@ -1,32 +0,0 @@
---- -name: Trivy -'on': push -jobs: - build: - name: Build - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4.1.1 - - name: Build an image from Dockerfile - run: | - docker build -t utrecht/n3dr:${{ github.sha }} . - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.14.0 - with: - image-ref: 'utrecht/n3dr:${{ github.sha }}' - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' - trivyignores: .trivyignore - - name: Run Trivy vulnerability scanner in fs mode - uses: aquasecurity/trivy-action@0.14.0 - with: - scan-type: 'fs' - scan-ref: '.' - exit-code: '1' - ignore-unfixed: true - severity: 'CRITICAL,HIGH' - trivyignores: .trivyignore
diff --git a/.trivyignore b/.trivyignore
deleted file mode 100644
index a1cc6963..00000000
--- a/.trivyignore
+++ /dev/null
@@ -1 +0,0 @@
-#CVE-2023-5363
diff --git a/Dockerfile b/Dockerfile
index cf45f832..616858da 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,7 +14,7 @@ COPY --from=builder /etc/passwd /etc/passwd
 COPY --from=builder /n3dr /usr/local/bin/n3dr
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 RUN apk add --no-cache \
- libcrypto3=3.1.4-r1 \
- libssl3=3.1.4-r1
+ libcrypto3=~3 \
+ libssl3=~3
 USER n3dr
 ENTRYPOINT ["n3dr"]
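Review bot: Loosening the pins to `libcrypto3=~3` / `libssl3=~3` makes the `RUN apk add --no-cache` line accept any 3.x package the Alpine index serves at build time, so the image is no longer reproducible and the build would still succeed with the 3.1.4-r1 packages the old pin named, or an older 3.x, if that is what the mirror has; nothing in the hunk records why the exact pin was dropped. If the intent is to stop the build breaking when Alpine rotates the `-rN` revision while still guaranteeing the fix level, a quoted lower bound such as `'libcrypto3>=3.1.4-r1' \` / `'libssl3>=3.1.4-r1'` keeps that guarantee (the quotes matter, since `>=` is a redirect in the shell form of `RUN`). At minimum add a comment above the `RUN` line stating the intent, e.g. `# ~3: track the latest 3.x openssl packages; exact -rN pins disappear from the index`, adjusted to the actual reason. The same two packages are listed in `dockle-accept-key` in docker.yml in this commit, which suggests the scanner will accept whichever 3.x version lands, so the version floor is the only remaining guard.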