forked from adamjtaylor/htan-artist
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Rixing Xu
committed
Jul 27, 2023
1 parent
ce655f3
commit a0d66d0
Showing
2 changed files
with
74 additions
and
22 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,6 @@ on: | |
| push: | ||
| branches: | ||
| - 'dsl2' | ||
| - 'orca-249-push-to-ghcr' | ||
| paths: | ||
| - 'docker/**' | ||
| - '.github/workflows/ci.yml' | ||
|
|
@@ -13,8 +12,6 @@ env: | |
| # Use docker.io for Docker Hub if empty | ||
| REGISTRY: ghcr.io | ||
| IMAGE_NAME: ${{ github.repository }} | ||
| # Use `latest` as the tag to compare to if empty, assuming that it's already pushed | ||
| COMPARE_TAG: latest | ||
|
|
||
| jobs: | ||
| docker: | ||
|
|
@@ -52,23 +49,11 @@ jobs: | |
| type=sha | ||
| latest | ||
| #- name: Build and push to GHCR | ||
| # uses: docker/build-push-action@v4 | ||
| # with: | ||
| # context: ./docker | ||
| # file: ./docker/Dockerfile | ||
| # push: true | ||
| # tags: ${{ steps.metadata.outputs.tags }} | ||
| # labels: ${{ steps.metadata.outputs.labels }} | ||
|
|
||
| - name: Docker Scout | ||
| id: docker-scout | ||
| uses: docker/[email protected] | ||
| - name: Build and push to GHCR | ||
| uses: docker/build-push-action@v4 | ||
| with: | ||
| command: recommendations, compare | ||
| image: ${{ steps.metadata.outputs.tags }} | ||
| to-latest: true | ||
| ignore-unchanged: true | ||
| only-severities: critical,high | ||
| dockerhub-user: ${{ github.actor }} | ||
| dockerhub-password: ${{ secrets.GITHUB_TOKEN }} | ||
| context: ./docker | ||
| file: ./docker/Dockerfile | ||
| push: true | ||
| tags: ${{ steps.metadata.outputs.tags }} | ||
| labels: ${{ steps.metadata.outputs.labels }} | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| name: Scan image | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - 'dsl2' | ||
| - 'orca-249-push-to-ghcr' | ||
|
|
||
| env: | ||
| # Use docker.io for Docker Hub if empty | ||
| REGISTRY: ghcr.io | ||
| IMAGE_NAME: ${{ github.repository }} | ||
| IMAGE_TAG: latest | ||
| # Use `latest` as the tag to compare to if empty, assuming that it's already pushed | ||
| COMPARE_TAG: latest | ||
|
|
||
| jobs: | ||
| trivy-edge: | ||
| name: Run Trivy vulnerability scanner | ||
| runs-on: ubuntu-latest | ||
| continue-on-error: true | ||
|
|
||
| steps: | ||
| - name: Login to GitHub Container Registry | ||
| uses: docker/login-action@v2 | ||
| with: | ||
| registry: ${{ env.REGISTRY }} | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Pull the image | ||
| run: | | ||
| docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} | ||
| # Deliberately chosen master here to keep up-to-date. | ||
| - name: Run Trivy vulnerability scanner for any major issues | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} | ||
| ignore-unfixed: true | ||
| severity: 'CRITICAL,HIGH' | ||
| limit-severities-for-sarif: true | ||
| format: template | ||
| template: '@/contrib/sarif.tpl' | ||
| output: trivy-results-${{ env.IMAGE_NAME }}-${{ env.IMAGE_TAG }}.sarif | ||
|
|
||
| # Show all detected issues. | ||
| # Note this will show a lot more, including major un-fixed ones. | ||
| - name: Run Trivy vulnerability scanner for local output | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} | ||
| format: table | ||
|
|
||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v2 | ||
| with: | ||
| sarif_file: trivy-results-${{ env.IMAGE_NAME }}-${{ env.IMAGE_TAG }}.sarif | ||
| category: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} image | ||
| wait-for-processing: true | ||
|
|
||
| - name: Detain results for debug if needed | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: trivy-results-${{ env.IMAGE_NAME }}-${{ env.IMAGE_TAG }}.sarif | ||
| path: trivy-results-${{ env.IMAGE_NAME }}-${{ env.IMAGE_TAG }}.sarif | ||
| if-no-files-found: error |