vxunderground · timbastin · Jan 29, 2024 · Jan 29, 2024 · Jan 29, 2024 · Jan 29, 2024
diff --git a/.github/workflows/devsecops.yaml b/.github/workflows/devsecops.yaml
@@ -0,0 +1,137 @@
+# DevSecOps Workflow Definition
+# This workflow is triggered on every push to the repository
+name: DevSecOps Workflow
+
+on: push
+
+# Environment variables used across multiple jobs
+env:
+  IMAGE_TAG: ghcr.io/${{ github.repository }}:unstable
+
+jobs:
+  # Secret scanning job to detect secrets in codebase
+  secret-scanning:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4  # Check out the repository content to the runner
+      - name: Run Gitleaks Scan
+        # Running Gitleaks to scan the code for secrets
+        run: |
+          docker run --rm -v $(pwd):/code -u $(id -u):$(id -g) zricethezav/gitleaks:v8.18.1 -s /code detect -f sarif -r /code/gitleaks.sarif.json
+      - name: Upload sarif file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: gitleaks.sarif.json
+          category: secret-scanning
+
+  # Software Composition Analysis (SCA) to find vulnerabilities in project dependencies
+  sca:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run Trivy vulnerability scanner in fs mode
+        # Running Trivy to scan the filesystem for vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "fs"
+          scan-ref: "."
+          severity: "CRITICAL,HIGH"
+          format: "sarif"
+          output: "trivy-results.sarif"
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"
+          category: "sca"
+
+  # Static Application Security Testing (SAST) to identify security vulnerabilities in source code
+  sast:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run Semgrep
+        # Running Semgrep for static code analysis to identify security issues
+        uses: docker://returntocorp/semgrep
+        with:
+          args: semgrep scan /github/workspace --sarif -o /github/workspace/semgrep.sarif.json
+      - name: Upload sarif file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep.sarif.json
+          category: sast
+
+  # Docker image build job
+  build-image:
+    runs-on: ubuntu-latest
+    outputs:
+      image_path: ${{ steps.build_output.outputs.image_path }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set IMAGE_TAG if tagged
+        # Setting the image tag if the push is a tag push
+        run: echo "IMAGE_TAG=ghcr.io/${{ github.repository }}:${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+        if: startsWith(github.ref, 'refs/tags/')
+
+        # make sure the IMAGE_TAG is lowercase
+      - name: Transform IMAGE_TAG to lowercase
+        run: echo "IMAGE_TAG=$(echo ${{ env.IMAGE_TAG }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+      - name: Build Docker image with Kaniko
+        # Building the Docker image using Kaniko
+        id: build_image
+        uses: docker://gcr.io/kaniko-project/executor:v1.9.2
+        with:
+          args: --destination=${{ env.IMAGE_TAG }} --context=/github/workspace --dockerfile=/github/workspace/Dockerfile --no-push --tarPath /github/workspace/image.tar
+      - name: Upload artifact
+        # Uploading the built Docker image as an artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: docker-image
+          path: image.tar
+
+  # Image scanning job to detect vulnerabilities in the built Docker image
+  image-scanning:
+    needs: build-image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+        with:
+          name: docker-image
+          path: .
+      - name: Run Trivy vulnerability scanner in tarball mode
+        # Running Trivy to scan the Docker image for vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          input: /github/workspace/image.tar
+          severity: "CRITICAL,HIGH"
+          format: "sarif"
+          output: "trivy-results.sarif"
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"
+          category: "image-scanning"
+
+  # Publish job to push the Docker image to a registry
+  publish:
+    needs: [build-image, image-scanning, secret-scanning, sca, sast]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: docker-image
+          path: .
+      - uses: imjasonh/[email protected]
+      - name: Set IMAGE_TAG if tagged
+        # Setting the image tag if the push is a tag push
+        run: echo "IMAGE_TAG=ghcr.io/${{ github.repository }}:${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+        if: startsWith(github.ref, 'refs/tags/')
+        # make sure the IMAGE_TAG is lowercase
+      - name: Transform IMAGE_TAG to lowercase
+        run: echo "IMAGE_TAG=$(echo ${{ env.IMAGE_TAG }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+      - name: Push Docker image to GitHub image Registry
+        # Pushing the Docker image to GitHub Container Registry
+        run: crane push image.tar ${{ env.IMAGE_TAG }}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,23 @@
+# Build a virtualenv using the appropriate Debian release
+# * Install python3-venv for the built-in Python3 venv module (not installed by default)
+# * Install gcc libpython3-dev to compile C Python modules
+# * In the virtualenv: Update pip setuputils and wheel to support building new packages
+FROM debian:12-slim AS build
+RUN apt-get update && \
+    apt-get install --no-install-suggests --no-install-recommends --yes python3-venv gcc libpython3-dev && \
+    python3 -m venv /venv && \
+    /venv/bin/pip install --upgrade pip setuptools wheel
+
+# Build the virtualenv as a separate step: Only re-execute this step when requirements.txt changes
+FROM build AS build-venv
+COPY requirements.txt /requirements.txt
+RUN /venv/bin/pip install --disable-pip-version-check -r /requirements.txt
+
+# Copy the virtualenv into a distroless image
+FROM gcr.io/distroless/python3-debian12
+COPY --from=build-venv /venv /venv
+COPY . /app
+WORKDIR /app
+ENTRYPOINT [""]
+# This ensures that the application runs when the container starts.
+CMD ["/venv/bin/python3", "-m", "Source", "RSS"]