What is in the SARIF file? #16
name: "Oracle: AWS Image Build for Data Guard Observer" | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- main | |
- "DBA-834" | |
paths: | |
- docker/oracle-observer/** | |
- .github/workflows/oracle-observer-image-build.yml | |
# Commented out while spiking this work out | |
# pull_request: | |
# branches: | |
# - main | |
# types: [opened, edited, reopened, synchronize] | |
# paths: | |
# - docker/delius-ansible-aws/** | |
# - .github/workflows/ansible-aws-image-build.yml | |
# Allow permissions on repository and docker image and OIDC token | |
permissions: | |
contents: read | |
packages: read | |
id-token: write | |
# We split the build into 2 jobs, one to download the Oracle client software | |
# and one to run the docker image build. This is because these require | |
# different runner contains - downloading the software requires an OIDC ID token | |
# to access the AWS S3 dependencies bucket, but this image cannot run | |
# Docker to build the image, so with start a new runner for this. The software | |
# is passed between the 2 jobs as a build artifact. | |
jobs: | |
download-client-software: | |
runs-on: ubuntu-latest | |
environment: delius-core-dev-preapproved | |
container: | |
image: ghcr.io/ministryofjustice/hmpps-delius-operational-automation:0.78.0 | |
timeout-minutes: 1440 | |
continue-on-error: false | |
steps: | |
- name: Checkout Code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Configure AWS Credentials | |
id: login-aws | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd" | |
role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}" | |
role-duration-seconds: 3600 | |
aws-region: "eu-west-2" | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd" | |
role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}" | |
aws-region: "eu-west-2" | |
- name: Copy Oracle Client ZIP file from S3 | |
run: | | |
aws s3 cp s3://mod-platform-image-artefact-bucket20230203091453221500000001/dependencies/oracle/rdbms/LINUX.X64_193000_client.zip /tmp/LINUX.X64_193000_client.zip | |
- name: Upload Oracle Client ZIP as Artifact for the Build | |
uses: actions/upload-artifact@v3 | |
with: | |
name: oracle-client-zip | |
path: /tmp/LINUX.X64_193000_client.zip | |
build-observer-image: | |
runs-on: ubuntu-22.04 | |
needs: download-client-software | |
steps: | |
- name: Checkout Code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Download Oracle Client ZIP File | |
uses: actions/download-artifact@v3 | |
with: | |
name: oracle-client-zip | |
path: ./docker/oracle-observer/LINUX.X64_193000_client.zip | |
- name: Set up Docker Buildx | |
id: setup_buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Build and push to ghcr | |
id: build_publish | |
uses: docker/build-push-action@v6 | |
with: | |
context: ./docker/oracle-observer | |
file: ./docker/oracle-observer/Dockerfile | |
platforms: linux/amd64 | |
push: false | |
tags: hmpps-delius-operational-automation:${{ github.sha }} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
outputs: type=docker,dest=/tmp/oracle-observer-image.tar | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: oracle-observer-image | |
path: /tmp/oracle-observer-image.tar | |
retention-days: 1 | |
scan-observer-image: | |
name: Scan Image | |
needs: build-observer-image | |
permissions: | |
# required for all workflows | |
security-events: write | |
# only required for workflows in private repositories | |
actions: read | |
contents: read | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout Code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: oracle-observer-image | |
path: /tmp | |
- name: Load image | |
run: | | |
docker load --input /tmp/oracle-observer-image.tar | |
- name: Trivy scan | |
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 | |
with: | |
format: 'sarif' | |
severity: 'CRITICAL,HIGH' | |
limit-severities-for-sarif: 'true' | |
image-ref: 'hmpps-delius-operational-automation:${{ github.sha }}' | |
exit-code: '1' | |
scan-type: 'image' | |
trivyignores: 'docker/oracle-observer/.trivyignore' | |
ignore-unfixed: 'true' | |
output: 'trivy-results.sarif' | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: trivy-file | |
path: trivy-results.sarif | |
retention-days: 1 | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
if: failure() # If Trivy found vulnerabilities | |
with: | |
sarif_file: 'trivy-results.sarif' | |
publish-observer-image: | |
name: Publish image | |
needs: [build-observer-image, scan-observer-image] | |
permissions: | |
contents: write | |
packages: write | |
runs-on: ubuntu-latest | |
outputs: | |
new_tag: ${{ steps.bump-version.outputs.new_tag }} | |
steps: | |
- name: Checkout Code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Bump version and push tag | |
id: bump-version | |
uses: anothrNick/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
WITH_V: false | |
DEFAULT_BUMP: minor # Making this default visible | |
TAG_CONTEXT: repo # Making this default visible | |
PRERELEASE: ${{ github.base_ref != 'refs/heads/main' }} | |
PRERELEASE_SUFFIX: ${{ github.base_ref }} # Branch name | |
- name: Create safe tag | |
id: safe_tag | |
run: | | |
echo "SAFE_TAG=$(echo ${{ steps.bump-version.outputs.new_tag }} | sed 's/[^a-zA-Z0-9.]/-/g')" >> $GITHUB_OUTPUT | |
- name: Download Artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: oracle-observer-image | |
path: /tmp | |
- name: Load and retag image for publish | |
run: | | |
docker load --input /tmp/oracle-observer-image.tar | |
docker tag hmpps-delius-operational-automation:${{ github.sha }} ghcr.io/ministryofjustice/hmpps-delius-operational-automation:${{ steps.safe_tag.outputs.SAFE_TAG }} | |
- name: Log into ghcr | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish image | |
run: docker push ghcr.io/ministryofjustice/hmpps-delius-operational-automation:${{ steps.safe_tag.outputs.SAFE_TAG }} | |
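Review bot: The `Upload artifact` step for `trivy-file` has no `if:` condition, so it is skipped in exactly the case the SARIF is wanted: `exit-code: '1'` makes the Trivy step fail whenever CRITICAL/HIGH findings exist, and a failed step stops the default-conditioned steps after it, while the Security-tab upload's `if: failure()` also fires when the earlier download or `docker load` step fails and would then point at a SARIF that was never written. Add `if: always()` to the artifact upload and gate the SARIF upload on the scan step itself, e.g. give the Trivy step `id: trivy` and use `if: always() && steps.trivy.outcome == 'failure'`. Separately, `PRERELEASE: ${{ github.base_ref != 'refs/heads/main' }}` appears to be always true, because `github.base_ref` is empty on `push` events (the only uncommented trigger) and holds a bare branch name on pull requests, so the intended check looks like `github.ref != 'refs/heads/main'` with `github.ref_name` as the suffix. Note also that the publish job retags the observer image as `ghcr.io/ministryofjustice/hmpps-delius-operational-automation:<tag>`, the same image name this workflow pulls as its job container, so a successful run would publish the observer image into the tag stream that consumers of that image pull from; a distinct image repository for the observer seems intended and would keep the two supply chains separate.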