diff --git a/.github/workflows/frontend-build-image-and-scan.yml b/.github/workflows/frontend-build-image-and-scan.yml
new file mode 100644
index 0000000..7dee89d
--- /dev/null
+++ b/.github/workflows/frontend-build-image-and-scan.yml
@@ -0,0 +1,97 @@
+on:
+ workflow_call:
+
+jobs:
+ frontend-build-image-and-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Build frontend image
+ run: docker build --file prod.Dockerfile --tag ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }} .
+ - name: Run Trivy vulnerability image scanner
+ # Third-party action, pin to commit SHA!
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+ uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+ with:
+ image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
+ format: "sarif"
+ output: "trivy-results.sarif"
+ - name: Check trivy results
+ run: |
+ if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
+ echo "Vulnerabilities found"
+ exit 1
+ else
+ echo "No significant vulnerabilities found"
+ exit 0
+ fi
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
+ with:
+ sarif_file: "trivy-results.sarif"
+ - name: Run Trivy vulnerability file scanner
+ # Third-party action, pin to commit SHA!
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+ uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+ with:
+ scan-type: "fs"
+ scan-ref: "./frontend"
+ skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
+ format: "sarif"
+ output: "trivy-results.sarif"
+ - name: Check trivy results
+ run: |
+ if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
+ echo "Vulnerabilities found"
+ exit 1
+ else
+ echo "No significant vulnerabilities found"
+ exit 0
+ fi
+ - name: Upload Trivy file scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
+ with:
+ sarif_file: "trivy-results.sarif"
+ category: trivy-fs-scan
+ - name: Generate cosign vulnerability scan record
+ # Third-party action, pin to commit SHA!
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+ uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+ with:
+ image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
+ format: "cosign-vuln"
+ output: "vuln-frontend.json"
+ - name: Upload cosign vulnerability scan record
+ uses: actions/upload-artifact@v4
+ with:
+ name: "vuln-frontend.json"
+ path: "vuln-frontend.json"
+ if-no-files-found: error
+ - name: Save image
+ run: |
+ mkdir /tmp/images
+ docker save -o /tmp/images/frontend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
+ - uses: actions/cache@v4
+ with:
+ path: /tmp/images
+ key: docker-frontend-images-cache-${{ env.RUN_ID }}
+ restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
+ - name: Send status to Slack
+ # Third-party action, pin to commit SHA!
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+ uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
+ if: ${{ failure() && github.ref == 'refs/heads/main' }}
+ with:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
\ No newline at end of file
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index ab42ad6..9b8b0f9 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
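Review bot: Every `${{ env.CONTAINER_REGISTRY }}`, `${{ env.CONTAINER_IMAGE_NAME }}`, `${{ env.CONTAINER_IMAGE_VERSION }}` and `${{ env.RUN_ID }}` in this new file expands to an empty string, because the workflow declares no `env:` of its own and a called workflow does not receive the caller's `env` context (those values presumably live at workflow level in pipeline.yml, which is where the removed job got them). The build then tags the image `/-frontend:`, and, independently of the tag, the cache key collapses to the constant `docker-frontend-images-cache-`, so a later job restoring that key could pick up a stale tarball from an earlier run rather than the image Trivy scanned here. Declare the values as `workflow_call` inputs and reference them through `inputs.*` (or use `github.run_id` directly if that is all `RUN_ID` holds), as sketched below. Separately, `grep -qE 'HIGH|CRITICAL' trivy-results.sarif` matches those words anywhere in the SARIF, including CVE description prose, and both scans write to the same path; prefer the action's `severity`/`exit-code` inputs for the gate, or read the rule severity fields with `jq`, rather than a substring search over the whole report.

```yaml
on:
  workflow_call:
    inputs:
      container-registry:
        required: true
        type: string
      container-image-name:
        required: true
        type: string
      container-image-version:
        required: true
        type: string
      run-id:
        required: true
        type: string

# … unchanged: jobs header, runs-on, checkout …
      - name: Build frontend image
        run: docker build --file prod.Dockerfile --tag ${{ inputs.container-registry }}/${{ inputs.container-image-name }}-frontend:${{ inputs.container-image-version }} .
# … unchanged: Trivy, cosign, save and Slack steps, each env.* replaced by the matching inputs.* …
      - uses: actions/cache@v4
        with:
          path: /tmp/images
          key: docker-frontend-images-cache-${{ inputs.run-id }}
          restore-keys: docker-frontend-images-cache-${{ inputs.run-id }}
```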
@@ -35,101 +35,11 @@ jobs:
 frontend-build-image-and-scan:
 if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
- runs-on: ubuntu-latest
+ uses: ./.github/workflows/frontend-build-image-and-scan.yml
+ secrets: inherit
 permissions:
 contents: read
 security-events: write
- steps:
- - uses: actions/checkout@v4
- - name: Build frontend image
- run: docker build --file prod.Dockerfile --tag ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }} .
- - name: Run Trivy vulnerability image scanner
- # Third-party action, pin to commit SHA!
- # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
- uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
- env:
- TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
- TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
- with:
- image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- format: "sarif"
- output: "trivy-results.sarif"
- - name: Check trivy results
- run: |
- if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
- echo "Vulnerabilities found"
- exit 1
- else
- echo "No significant vulnerabilities found"
- exit 0
- fi
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
- with:
- sarif_file: "trivy-results.sarif"
- - name: Run Trivy vulnerability file scanner
- # Third-party action, pin to commit SHA!
- # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
- uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
- env:
- TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
- TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
- with:
- scan-type: "fs"
- scan-ref: "./frontend"
- skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
- format: "sarif"
- output: "trivy-results.sarif"
- - name: Check trivy results
- run: |
- if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
- echo "Vulnerabilities found"
- exit 1
- else
- echo "No significant vulnerabilities found"
- exit 0
- fi
- - name: Upload Trivy file scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
- with:
- sarif_file: "trivy-results.sarif"
- category: trivy-fs-scan
- - name: Generate cosign vulnerability scan record
- # Third-party action, pin to commit SHA!
- # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
- uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
- env:
- TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
- TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
- with:
- image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- format: "cosign-vuln"
- output: "vuln-frontend.json"
- - name: Upload cosign vulnerability scan record
- uses: actions/upload-artifact@v4
- with:
- name: "vuln-frontend.json"
- path: "vuln-frontend.json"
- if-no-files-found: error
- - name: Save image
- run: |
- mkdir /tmp/images
- docker save -o /tmp/images/frontend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- - uses: actions/cache@v4
- with:
- path: /tmp/images
- key: docker-frontend-images-cache-${{ env.RUN_ID }}
- restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
- - name: Send status to Slack
- # Third-party action, pin to commit SHA!
- # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
- uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
- if: ${{ failure() && github.ref == 'refs/heads/main' }}
- with:
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 push-frontend-image-to-registry:
 runs-on: ubuntu-latest
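Review bot: `secrets: inherit` on the new `uses:` job forwards every repository and organization secret that pipeline.yml can see into the called workflow, although the only secret the moved steps read is `SLACK_WEBHOOK_URL`. Pass it explicitly instead, `secrets:` followed by `  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}`, and declare it under `on.workflow_call.secrets` with `required: true` in frontend-build-image-and-scan.yml, so the trust handed to the reusable workflow is visible in both files. The call also has no `with:` block, yet the moved steps depend on `env.CONTAINER_REGISTRY`, `env.CONTAINER_IMAGE_NAME`, `env.CONTAINER_IMAGE_VERSION` and `env.RUN_ID`; a called workflow does not inherit the caller's `env` context, so those values (presumably workflow-level `env` in pipeline.yml, since the removed job set no job-level `env:`) have to be forwarded as declared inputs here as well.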