JasonRivers · pgmac · Apr 21, 2020 · Mar 10, 2024 · Mar 10, 2024 · Mar 11, 2024
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "docker" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/anchore-syft.yml b/.github/workflows/anchore-syft.yml
@@ -0,0 +1,70 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency
+# submission API.
+
+# For more information on the Anchore sbom-action usage
+# and parameters, see https://github.com/anchore/sbom-action. For more
+# information about the Anchore SBOM tool, Syft, see
+# https://github.com/anchore/syft
+name: Anchore Syft SBOM scan
+
+on:
+  workflow_dispatch:
+  workflow_run:
+    workflows: [ "Build my Nagios image and push to my registry" ]
+    types: [ completed ]
+  # push:
+  #   tags:
+  #     - "*.*.*"
+
+jobs:
+  Anchore-Build-Scan:
+    permissions:
+      contents: write # required to upload to the Dependency submission API
+      id-token: write
+      attestations: write
+      actions: read
+    runs-on: self-hosted
+    steps:
+    - name: Set the image version
+      id: vars
+      run: echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+
+    - name: Scan the image and upload dependency results
+      uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a
+      with:
+        #image: macro.int.pgmac.net:5000/nagios:${{ inputs.tags || steps.vars.outputs.tag }}
+        path: ./
+        format: cyclonedx-json
+        output-file: syft-sbom.json
+        artifact-name: syft-sbom.json
+        upload-artifact: true
+        dependency-snapshot: true
+
+    - name: SHA256 hash the SBoM
+      id: sha256
+      run: echo "SHA256=$(sha256sum syft-sbom.json | cut -d ' ' -f1)" >> $GITHUB_ENV
+
+    - name: Attest the SBoM
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-name: macro.int.pgmac.net:5000/Docker-Nagios/syft-sbom.json
+        subject-digest: sha256:${{ env.SHA256 }}
+        show-summary: true
+        push-to-registry: false
+
+    - name: Upload SBoM to Dependency Track
+      uses: DependencyTrack/[email protected]
+      with:
+        serverHostname: 'dtrack.int.pgmac.net'
+        protocol: 'https'
+        apiKey: ${{ secrets.DT_APIKEY }}
+        projectName: Docker-Nagios
+        projectVersion: ${{ inputs.tags || steps.vars.outputs.tag }}
+        bomFilename: 'syft-sbom.json'
+        autoCreate: true
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -0,0 +1,117 @@
+name: Build my Nagios image and push to my registry
+
+on:
+  push:
+    tags:
+      - "*.*.*"
+  workflow_dispatch:
+jobs:
+  build-n-push:
+    permissions:
+      id-token: write
+      attestations: write
+      actions: read
+      contents: write
+    runs-on: self-hosted
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set the image version
+        id: vars
+        run: echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+
+      - name: Build the Docker image
+        run: docker build . --file Dockerfile --tag macro.int.pgmac.net:5000/nagios:${{ inputs.tags || steps.vars.outputs.tag }}
+
+      - name: Push to my internal registry
+        run: docker push macro.int.pgmac.net:5000/nagios:${{ inputs.tags || steps.vars.outputs.tag }}
+
+      - name: Run Syft SBoM scan
+        uses: anchore/[email protected]
+        with:
+          image: macro.int.pgmac.net:5000/nagios:${{ inputs.tags || steps.vars.outputs.tag }}
+          format: cyclonedx-json
+          output-file: syft-sbom.json
+          artifact-name: syft-sbom.json
+
+      - name: Upload SBoM to GitHub Artifact storage
+        uses: actions/upload-artifact@v4
+        with:
+          name: syft-sbom.json
+          path: "syft-sbom.json"
+          retention-days: 2
+          overwrite: true
+
+      - name: SHA256 hash the SBoM
+        id: sha256
+        run: echo "SHA256=$(sha256sum syft-sbom.json | cut -d ' ' -f1)" >> $GITHUB_ENV
+
+      - name: Attest the SBoM
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: macro.int.pgmac.net:5000/Docker-Nagios/syft-sbom.json
+          subject-digest: sha256:${{ env.SHA256 }}
+          show-summary: true
+          push-to-registry: false
+
+      - name: Upload SBoM to Dependency Track
+        uses: DependencyTrack/[email protected]
+        with:
+          serverhostname: "dtrack.int.pgmac.net"
+          protocol: "https"
+          apikey: ${{ secrets.DT_APIKEY }}
+          project: ${{ secrets.DT_PROJECT_UUID }}
+          bomfilename: "syft-sbom.json"
+          autocreate: false
+
+      - name: Exit code failure
+        if: failure()
+        run: |
+          echo "colour=danger" >> $GITHUB_ENV
+          echo "icon=🛑" >> $GITHUB_ENV
+
+      - name: Exit code cancelled
+        if: cancelled()
+        run: |
+          echo "colour=warning" >> $GITHUB_ENV
+          echo "icon=⚠" >> $GITHUB_ENV
+
+      - name: Exit code success
+        if: success()
+        run: |
+          echo "colour=good" >> $GITHUB_ENV
+          echo "icon=✅" >> $GITHUB_ENV
+
+      - name: Send Slack message
+        uses: slackapi/[email protected]
+        with:
+          payload: |
+            {
+              "channel": "builds",
+              "attachments": [
+                {
+                  "mrkdwn_in": ["text", "pretext"],
+                  "fallback": ${{ toJSON(join(github.event.commits.*.message, '<br>') || ':point_right: Manually triggered') }},
+                  "color": "${{ env.colour || 'grey' }}",
+                  "pretext": "${{ env.icon || '?' }} ${{ github.workflow }} (${{ github.ref_name }}) #${{ github.run_number }}",
+                  "author_name": "${{ github.triggering_actor || github.actor }}",
+                  "title": "${{ github.workflow }}",
+                  "title_link": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
+                  "text": ${{ toJSON(join(github.event.commits.*.message, '\n') || ':point_right: Manually triggered') }}
+                },
+                {
+                  "blocks": [
+                    {
+                      "type": "section",
+                      "text": {
+                        "type": "mrkdwn",
+                        "text": "<${{ github.event.pull_request.html_url || github.event.head_commit.url || github.server_url }}|View commit>"
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -0,0 +1,18 @@
+name: Build a bill of materials ... and scan it
+
+on:
+  push:
+    branches: ["master"]
+
+  workflow_dispatch:
+
+jobs:
+  sbom:
+    uses: pgmac-net/pg-actions/.github/workflows/sbom.yml@main
+    secrets: inherit
+    permissions:
+      attestations: write
+      contents: write
+      security-events: write
+      id-token: write
+      actions: read