-
Notifications
You must be signed in to change notification settings - Fork 45
135 lines (120 loc) · 4.49 KB
/
build_images.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
name: Build and Push Docker Images
on:
push:
jobs:
build-and-push-images:
runs-on: ubuntu-latest
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
services:
registry:
image: registry:2
ports:
- 5000:5000
strategy:
matrix:
include:
- context: ./src/node/addon/
image_name: knightcrawler-addon
platforms: linux/amd64,linux/arm64
- context: ./src/node/addon-jackett/
image_name: knightcrawler-addon-jackett
platforms: linux/amd64,linux/arm64
- context: ./src/node/consumer/
image_name: knightcrawler-consumer
platforms: linux/amd64,linux/arm64
- context: ./src/producer/
image_name: knightcrawler-producer
platforms: linux/amd64,linux/arm64
- context: ./src/metadata/
image_name: knightcrawler-metadata
platforms: linux/amd64,linux/arm64
name: Build - ${{ matrix.image_name }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: network=host
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build Docker Metadata
id: docker-metadata
uses: docker/metadata-action@v5
with:
images: |
${{ vars.DOCKERHUB_USERNAME }}/${{ matrix.image_name }}
flavor: |
latest=auto
tags: |
type=edge,branch=master,commit=${{ github.sha }}
type=sha,commit=${{ github.sha }}
type=raw,value=latest,enable={{is_default_branch}}
- name: Build image for scanning ${{ matrix.image_name }}
uses: docker/build-push-action@v5
with:
context: ${{ matrix.context }}
push: true
provenance: false
tags: localhost:5000/dockle-examine-image:test
platforms: ${{ matrix.platforms }}
cache-from: type=gha,scope=${{ github.workflow }}
cache-to: type=gha,mode=max,scope=${{ github.workflow }}
- name: Pull Built Image for Scanning
run: |
docker pull localhost:5000/dockle-examine-image:test
- name: Dockle - Examine Best Practices
uses: davidjameshowell/dockle-action@ad7164c945d12d55ac5e639f91f0a5c708a4cdce
with:
image: localhost:5000/dockle-examine-image:test
dockle-ignores: CIS-DI-0005 # Ignore `Enable Content trust for Docker`
- name: Run Trivy vulnerability scanner - human readable output
uses: aquasecurity/trivy-action@master
with:
image-ref: localhost:5000/dockle-examine-image:test
scan-type: 'image'
format: 'table'
exit-code: '0'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
scanners: 'vuln,secret,config'
env:
TRIVY_NON_SSL: true
- name: Run Trivy vulnerability scanner (sarif report)
uses: aquasecurity/trivy-action@master
with:
image-ref: localhost:5000/dockle-examine-image:test
scan-type: 'image'
format: 'sarif'
exit-code: '0'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
scanners: 'vuln,secret,config'
output: 'trivy-results-os.sarif'
env:
TRIVY_NON_SSL: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results-os.sarif'
- name: Push ${{ matrix.image_name }} to repo
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
uses: docker/build-push-action@v5
with:
context: ${{ matrix.context }}
push: true
provenance: false
tags: ${{ steps.docker-metadata.outputs.tags }}
labels: ${{ steps.docker-metadata.outputs.labels }}
platforms: ${{ matrix.platforms }}
cache-from: type=gha,scope=${{ github.workflow }}
cache-to: type=gha,mode=max,scope=${{ github.workflow }}