Merge branch 'main' into DAT-17511
sayaliM0412 authored Jul 29, 2024
2 parents 045d62d + cd836a9 commit 5b6c019
Showing 4 changed files with 132 additions and 42 deletions.
15 changes: 9 additions & 6 deletions .github/workflows/create-release.yml
Expand Up @@ -15,7 +15,7 @@ jobs:

update-dockerfiles:
env:
LPM_VERSION: "0.2.6"
LPM_VERSION: "0.2.7"
name: "Update Dockerfiles"
runs-on: ubuntu-latest
outputs:
Expand Down Expand Up @@ -155,6 +155,7 @@ jobs:

update-official-repo:
name: "Update Official Docker Repo"
needs: update-dockerfiles
runs-on: ubuntu-latest
env:
GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
Expand All @@ -163,8 +164,10 @@ jobs:
- name: Extract major.minor version
id: extract_version
run: |
VERSION="${{ inputs.liquibaseVersion }}"
VERSION="${{ needs.update-dockerfiles.outputs.liquibaseVersion }}"
echo "MAJOR_MINOR=${VERSION%.*}" >> $GITHUB_ENV
echo "VERSION: $VERSION"
echo "MAJOR_MINOR: ${VERSION%.*}"
- name: Check out liquibase/official-images
uses: actions/checkout@v4
Expand All @@ -179,12 +182,12 @@ jobs:
echo "Architectures: arm64v8, amd64" >> library/liquibase
echo "GitRepo: https://github.com/liquibase/docker.git" >> library/liquibase
echo "" >> library/liquibase
echo "Tags: ${{ env.MAJOR_MINOR }}, ${{ inputs.liquibaseVersion }}, latest" >> library/liquibase
echo "Tags: ${{ env.MAJOR_MINOR }}, ${{ needs.update-dockerfiles.outputs.liquibaseVersion }}, latest" >> library/liquibase
echo "GitFetch: refs/heads/main" >> library/liquibase
echo "GitCommit: ${{ github.sha }}" >> library/liquibase
echo "File: Dockerfile" >> library/liquibase
echo "" >> library/liquibase
echo "Tags: ${{ env.MAJOR_MINOR }}-alpine, ${{ inputs.liquibaseVersion }}-alpine, alpine" >> library/liquibase
echo "Tags: ${{ env.MAJOR_MINOR }}-alpine, ${{ needs.update-dockerfiles.outputs.liquibaseVersion }}-alpine, alpine" >> library/liquibase
echo "GitFetch: refs/heads/main" >> library/liquibase
echo "GitCommit: ${{ github.sha }}" >> library/liquibase
echo "File: Dockerfile.alpine" >> library/liquibase
Expand All @@ -195,7 +198,7 @@ jobs:
else
git config user.name "liquibot"
git config user.email "[email protected]"
git commit -m "Update library/liquibase to ${{ inputs.liquibaseVersion }}"
git commit -m "Update library/liquibase to ${{ needs.update-dockerfiles.outputs.liquibaseVersion }}"
git push https://liquibot:[email protected]/liquibase/official-images.git
fi
Expand All @@ -208,7 +211,7 @@ jobs:
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/repos/docker-library/official-images/pulls \
-d '{
"title": "Update library/liquibase to ${{ inputs.liquibaseVersion }}",
"title": "Update library/liquibase to ${{ needs.update-dockerfiles.outputs.liquibaseVersion }}",
"body": "Update library/liquibase with latest commit and version",
"head": "liquibase:master",
"base": "master"
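Review bot: The release version is now spliced into shell text and a JSON body by inline `${{ }}` interpolation on the lines that write `library/liquibase`, the `git commit -m` message and the curl `"title"` field, so whatever `update-dockerfiles` emits is substituted before bash or curl ever parses it; the extraction step at the top of this section already copies it into `VERSION` once, but the later steps re-interpolate it inline. Prefer exposing it once as a job-level `env:` entry, `LIQUIBASE_VERSION: ${{ needs.update-dockerfiles.outputs.liquibaseVersion }}`, and reference `"$LIQUIBASE_VERSION"` from the `run:` scripts (building the JSON body from the variable rather than from an expression) so a value containing quotes or braces cannot alter the script or break the single-quoted payload. A one-line format check after extraction, `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1`, would also stop a malformed or empty output from yielding an empty `MAJOR_MINOR` tag. The `update-dockerfiles` job that produces this output starts outside this section.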
137 changes: 112 additions & 25 deletions .github/workflows/trivy.yml
Expand Up @@ -3,75 +3,162 @@
# separate terms of service, privacy policy, and support
# documentation.

name: trivy
name: Vulnerability Scanning

on:
workflow_dispatch:
push:
branches: [ "main", "master" ]
branches: [ "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main" ]
schedule:
- cron: '27 6 * * 2'
- cron: '0 7 * * 1-5' # Run every weekday at 7am UTC

permissions:
contents: read

jobs:
build:
trivy:
strategy:
fail-fast: false
matrix:
image: [
{dockerfile: Dockerfile, name: liquibase/liquibase, suffix: ""},
{dockerfile: Dockerfile.alpine, name: liquibase/liquibase, suffix: "-alpine"},
]
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Build
runs-on: "ubuntu-20.04"
name: Trivy
runs-on: "ubuntu-22.04"
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Build an image from Dockerfile
- name: Build ${{ matrix.image.name }}${{ matrix.image.suffix }} from Dockerfile
run: |
docker build -f Dockerfile -t liquibase/liquibase:${{ github.sha }} .
docker build -f ${{ matrix.image.dockerfile }} -t ${{ matrix.image.name }}${{ matrix.image.suffix }}:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d
uses: aquasecurity/trivy-action@0.24.0
with:
image-ref: 'liquibase/liquibase:${{ github.sha }}'
image-ref: '${{ matrix.image.name }}${{ matrix.image.suffix }}:${{ github.sha }}'
vuln-type: 'os,library'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'HIGH,CRITICAL'
exit-code: '1'
limit-severities-for-sarif: true

- name: Build an image from Dockerfile (alpine)
run: |
docker build -f Dockerfile.alpine -t liquibase/liquibase-alpine:${{ github.sha }} .
- name: Run Trivy vulnerability scanner (alpine)
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d
with:
image-ref: 'liquibase/liquibase-alpine:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results-alpine.sarif'
- name: Notify Slack on Build Failure
if: failure()
uses: rtCamp/action-slack-notify@v2
env:
SLACK_COLOR: 'failure'
SLACK_MESSAGE: "View details on GitHub Actions: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}. Triggered by repository: ${{ github.repository }} and job: ${{ github.job }}"
SLACK_TITLE: "❌ ${{ github.repository }} ❌ Trivy failed on branch ${{ github.ref_name }} for commit ${{ github.sha }} in repository ${{ github.repository }}"
SLACK_USERNAME: liquibot
SLACK_WEBHOOK: ${{ secrets.DOCKER_SLACK_WEBHOOK_URL }}
SLACK_ICON_EMOJI: ":whale:"
SLACK_FOOTER: "${{ github.repository }} - ${{ matrix.image.name }}${{ matrix.image.suffix }}:${{ github.sha }}"
SLACK_LINK_NAMES: true

- name: Upload Trivy scan results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
category: 'eclipse-temurin'
category: '${{ matrix.image.name }}${{ matrix.image.suffix }}'

- name: Generate Security Report
if: always()
uses: rsdmike/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
outputDir: ./reports/
sarifReportDir: .

- name: Upload Security Report
if: always()
uses: actions/upload-artifact@v3
with:
name: security-report-trivy
path: ./reports/summary.pdf


scout:
strategy:
fail-fast: false
matrix:
image: [
{dockerfile: Dockerfile, name: liquibase/liquibase, suffix: ""},
{dockerfile: Dockerfile.alpine, name: liquibase/liquibase, suffix: "-alpine"},
]
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
pull-requests: write # for docker/scout-action to write comments on pull requests
name: Scout
runs-on: "ubuntu-22.04"
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Build ${{ matrix.image.name }}${{ matrix.image.suffix }} from Dockerfile
run: |
docker build -f ${{ matrix.image.dockerfile }} -t ${{ matrix.image.name }}${{ matrix.image.suffix }}:${{ github.sha }} .
- uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Docker Scout
uses: docker/[email protected]
with:
command: cves
image: '${{ matrix.image.name }}${{ matrix.image.suffix }}:${{ github.sha }}'
github-token: ${{ secrets.GITHUB_TOKEN }}
write-comment: true
sarif-file: 'scout-results.sarif'
summary: true
exit-code: true
only-severities: "critical,high"

- name: Notify Slack on Build Failure
if: failure()
uses: rtCamp/action-slack-notify@v2
env:
SLACK_COLOR: 'failure'
SLACK_MESSAGE: "View details on GitHub Actions: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}. Triggered by repository: ${{ github.repository }} and job: ${{ github.job }}"
SLACK_TITLE: "❌ ${{ github.repository }} ❌ Docker Scout failed on branch ${{ github.ref_name }} for commit ${{ github.sha }} in repository ${{ github.repository }}"
SLACK_USERNAME: liquibot
SLACK_WEBHOOK: ${{ secrets.DOCKER_SLACK_WEBHOOK_URL }}
SLACK_ICON_EMOJI: ":whale:"
SLACK_FOOTER: "${{ github.repository }} - ${{ matrix.image.name }}${{ matrix.image.suffix }}:${{ github.sha }}"
SLACK_LINK_NAMES: true

- name: Upload Trivy scan results to GitHub Security tab (alpine)
- name: Upload Scout scan results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results-alpine.sarif'
category: 'alpine'
sarif_file: 'scout-results.sarif'
category: '${{ matrix.image.name }}${{ matrix.image.suffix }}'

- name: Generate Security Report
if: always()
uses: rsdmike/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
outputDir: ./reports/
sarifReportDir: .

- name: Upload Security Report
if: always()
uses: actions/upload-artifact@v3
with:
name: security-report
name: security-report-scout
path: ./reports/summary.pdf
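Review bot: The `uses: aquasecurity/trivy-action@0.24.0` line replaces the full commit-SHA pin the old line had with a mutable release tag, which weakens the supply-chain posture of the very workflow meant to scan for vulnerabilities; the report-generation and Scout actions introduced further down are tag-pinned as well. Keep the tag readable as a trailing comment and pin to the tag's commit, `uses: aquasecurity/trivy-action@<commit-sha-of-0.24.0>  # 0.24.0`, so Dependabot can still track updates while the resolved code cannot change underneath the workflow. Separately, both matrix legs of each job upload `./reports/summary.pdf` under one artifact name (`security-report-trivy`, `security-report-scout`), so with upload-artifact v3 the second leg's PDF is likely to overwrite the first; appending `${{ matrix.image.suffix }}` to the artifact `name:` keeps one report per image.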
10 changes: 5 additions & 5 deletions Dockerfile
Expand Up @@ -14,8 +14,8 @@ RUN groupadd --gid 1001 liquibase && \
# Download and install Liquibase
WORKDIR /liquibase

ARG LIQUIBASE_VERSION=4.28.0
ARG LB_SHA256=97dd07eaca0406a09e1ae19b407eea42a7e944c7f4571922bffce71b43b75ce8
ARG LIQUIBASE_VERSION=4.29.0
ARG LB_SHA256=0883b4975fc2f0a2f0180614cb156cea3c453057e6ec185c01550ec67030d8d0

RUN wget -q -O liquibase-${LIQUIBASE_VERSION}.tar.gz "https://github.com/liquibase/liquibase/releases/download/v${LIQUIBASE_VERSION}/liquibase-${LIQUIBASE_VERSION}.tar.gz" && \
echo "$LB_SHA256 *liquibase-${LIQUIBASE_VERSION}.tar.gz" | sha256sum -c - && \
Expand All @@ -25,9 +25,9 @@ RUN wget -q -O liquibase-${LIQUIBASE_VERSION}.tar.gz "https://github.com/liquiba
ln -s /liquibase/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh && \
liquibase --version

ARG LPM_VERSION=0.2.6
ARG LPM_SHA256=0e1df6b8daf9d53a2d1d90fa8e48abbcbb8e885d249de7a09879a3a0276bebdf
ARG LPM_SHA256_ARM=b1f6d5c8b21353b213ef828849c3d767d4214e13e8c0f4fbadd038c96ef93389
ARG LPM_VERSION=0.2.7
ARG LPM_SHA256=e831120c566c76a427c6d3489cd62d5447322444399393e3ef304db0c036c4a1
ARG LPM_SHA256_ARM=720afb6bafb987ab502b86682f410d0e19da45fdf0119d947ed7bfa4e6a02665

# Download and Install lpm
RUN apt-get update && \
12 changes: 6 additions & 6 deletions Dockerfile.alpine
@@ -1,5 +1,5 @@
# Use multi-stage build
FROM alpine:3.19
FROM alpine:3.20

# Create liquibase user
RUN addgroup --gid 1001 liquibase && \
Expand All @@ -11,8 +11,8 @@ RUN apk add --no-cache openjdk17-jre-headless bash

WORKDIR /liquibase

ARG LIQUIBASE_VERSION=4.28.0
ARG LB_SHA256=97dd07eaca0406a09e1ae19b407eea42a7e944c7f4571922bffce71b43b75ce8
ARG LIQUIBASE_VERSION=4.29.0
ARG LB_SHA256=0883b4975fc2f0a2f0180614cb156cea3c453057e6ec185c01550ec67030d8d0

# Download, verify, extract
RUN set -x && \
Expand All @@ -26,9 +26,9 @@ RUN set -x && \
ln -s /liquibase/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh && \
liquibase --version

ARG LPM_VERSION=0.2.6
ARG LPM_SHA256=0e1df6b8daf9d53a2d1d90fa8e48abbcbb8e885d249de7a09879a3a0276bebdf
ARG LPM_SHA256_ARM=b1f6d5c8b21353b213ef828849c3d767d4214e13e8c0f4fbadd038c96ef93389
ARG LPM_VERSION=0.2.7
ARG LPM_SHA256=e831120c566c76a427c6d3489cd62d5447322444399393e3ef304db0c036c4a1
ARG LPM_SHA256_ARM=720afb6bafb987ab502b86682f410d0e19da45fdf0119d947ed7bfa4e6a02665

# Download and Install lpm
RUN mkdir /liquibase/bin && \
