Merge branch 'main' of github.com:l3montree-dev/devguard-web #44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # DevSecOps Workflow Definition | |
| # This workflow is triggered on every push to the repository | |
| name: DevGuard Workflow | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - '*' | |
| # Environment variables used across multiple jobs | |
| env: | |
| IMAGE_TAG: ghcr.io/${{ github.repository }}:unstable | |
| IMAGE_NAME: ghcr.io/${{ github.repository }} | |
| jobs: | |
| # Secret scanning job to detect secrets in codebase | |
| sca: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| with: | |
| fetch-depth: 0 | |
| uses: actions/checkout@v4 # Check out the repository content to the runner | |
| - name: Set up Git | |
| run: | | |
| git config --global --add safe.directory /github/workspace | |
| - name: DevGuard SCA | |
| uses: docker://ghcr.io/l3montree-dev/devguard-scanner@sha256:55736b9dc029762131ea31b7d5ec7a108f07df114520fefa82df28132f554ab8 | |
| with: | |
| args: devguard-scanner sca --assetName="l3montree-cybersecurity/projects/devguard/assets/devguard-web" --apiUrl="https://api.main.devguard.org" --token="${{ secrets.DEVGUARD_TOKEN }}" --path="/github/workspace" | |
| # Running Gitleaks to scan the code for secrets | |
| # Docker image build job | |
| build-image: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set IMAGE_TAG if tagged | |
| # Setting the image tag if the push is a tag push | |
| run: | | |
| echo "ghcr.io/${{ github.repository }}:${GITHUB_REF#refs/tags/}" > image-tag.txt | |
| export IMAGE_TAG=$(cat image-tag.txt) | |
| echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV | |
| if: startsWith(github.ref, 'refs/tags/') | |
| - name: Set IMAGE_TAG if not tagged | |
| run: | | |
| branch=${GITHUB_REF##*/} | |
| sha=${GITHUB_SHA::8} | |
| ts=$(date +%s) | |
| echo "ghcr.io/${{ github.repository }}:${branch}-${sha}-${ts}" > image-tag.txt | |
| export IMAGE_TAG=$(cat image-tag.txt) | |
| echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV | |
| if: github.ref == 'refs/heads/main' | |
| - name: Build Docker image with Kaniko | |
| # Building the Docker image using Kaniko | |
| id: build_image | |
| uses: docker://gcr.io/kaniko-project/executor:v1.23.0 | |
| with: | |
| args: --destination=${{ env.IMAGE_TAG }} --context=/github/workspace --dockerfile=/github/workspace/Dockerfile --no-push --tarPath /github/workspace/image.tar | |
| - name: Setup crane | |
| uses: imjasonh/[email protected] | |
| - name: Use crane to get the digest | |
| run: crane digest --tarball=image.tar > digest.txt | |
| - name: Upload artifact | |
| # Uploading the built Docker image as an artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: docker-image | |
| path: image.tar | |
| - name: Upload digest | |
| # Uploading the built Docker image digest as an artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: digest | |
| path: digest.txt | |
| - name: Upload image tag | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: image-tag | |
| path: image-tag.txt | |
| # Image scanning job to detect vulnerabilities in the built Docker image | |
| image-scanning: | |
| needs: build-image | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: docker-image | |
| path: . | |
| - name: Set up Git | |
| run: | | |
| git config --global --add safe.directory /github/workspace | |
| - name: DevGuard Container-Scanning | |
| uses: docker://ghcr.io/l3montree-dev/devguard-scanner@sha256:55736b9dc029762131ea31b7d5ec7a108f07df114520fefa82df28132f554ab8 | |
| with: | |
| args: devguard-scanner container-scanning --assetName="l3montree-cybersecurity/projects/devguard/assets/devguard-web" --apiUrl="https://api.main.devguard.org" --token="${{ secrets.DEVGUARD_TOKEN }}" --path="/github/workspace/image.tar" |