devguard-scanner.yaml
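# DevSecOps Workflow Definition
#
# Three jobs: software composition analysis (SCA) of the checked-out source,
# a Kaniko image build that only produces a tarball (nothing is pushed), and a
# container scan of that tarball. The two scanning jobs report to the DevGuard
# API using the DEVGUARD_TOKEN secret.
#
# Trigger notes (review): the GitHub glob `*` does not match `/`, so
# `branches: '*'` skips branches such as `feature/x`; use `'**'` if the intent
# really is "every push". `pull_request` together with `push` on all branches
# runs the workflow twice for PRs opened from this repository.
name: DevGuard Workflow

on:
  pull_request:
  push:
    branches:
      - '*'
    tags:
      - '*'

# Least privilege for GITHUB_TOKEN, independent of the repository default.
# Nothing here writes to the repository or pushes a package: Kaniko runs with
# --no-push, and upload/download-artifact use the Actions runtime token, not
# GITHUB_TOKEN scopes. Checkout only needs read access to the source.
permissions:
  contents: read

# Environment variables used across multiple jobs.
# IMAGE_TAG is the fallback tag; build-image overrides it for tag pushes and
# for pushes to main (see the "Set IMAGE_TAG" steps). IMAGE_NAME is currently
# not referenced by any step in this file.
env:
  IMAGE_TAG: ghcr.io/${{ github.repository }}:unstable
  IMAGE_NAME: ghcr.io/${{ github.repository }}

jobs:
  # Software composition analysis (dependency scanning) of the source tree.
  # NOTE(review): this job does NOT look for leaked secrets, contrary to the
  # earlier comment; add a dedicated secret-scanning step if that is required.
  sca:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # fetch-depth 0 = full history. Presumably the scanner wants git
        # metadata — TODO(review): confirm, otherwise a shallow clone is enough.
        uses: actions/checkout@v4  # TODO(review): pin to a commit SHA instead of a mutable tag
        with:
          fetch-depth: 0
      - name: Set up Git
        # The scanner runs in a container as a different uid than the runner;
        # without this git rejects the checkout as "dubious ownership".
        run: |
          git config --global --add safe.directory /github/workspace
      - name: DevGuard SCA
        # Scanner image is pinned by digest (good). The token is passed as a
        # CLI flag: it is masked in the job log but visible in the container's
        # process list — prefer an environment variable if the scanner supports
        # one. On pull_request events from forks, secrets are unavailable and
        # DEVGUARD_TOKEN expands to an empty string.
        uses: docker://ghcr.io/l3montree-dev/devguard-scanner@sha256:55736b9dc029762131ea31b7d5ec7a108f07df114520fefa82df28132f554ab8
        with:
          args: devguard-scanner sca --assetName="l3montree-cybersecurity/projects/devguard/assets/devguard-web" --apiUrl="https://api.main.devguard.org" --token="${{ secrets.DEVGUARD_TOKEN }}" --path="/github/workspace"

  # Build the container image with Kaniko (no push) and hand the tarball, its
  # digest and the tag it was built with to the scanning job as artifacts.
  build-image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # TODO(review): pin to a commit SHA instead of a mutable tag
      # Tag pushes: the image tag is the git tag name. GITHUB_REF and
      # GITHUB_REPOSITORY are read as shell variables rather than interpolated
      # with ${{ }}, so nothing in the ref can be injected into the script.
      - name: Set IMAGE_TAG if tagged
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          echo "IMAGE_TAG=ghcr.io/${GITHUB_REPOSITORY}:${GITHUB_REF#refs/tags/}" >> "$GITHUB_ENV"
      # Pushes to main: <branch>-<8-char sha>-<unix timestamp>. Any other ref
      # (feature branches, pull requests) keeps the workflow-level fallback
      # IMAGE_TAG (…:unstable).
      - name: Set IMAGE_TAG if not tagged
        if: github.ref == 'refs/heads/main'
        run: |
          branch=${GITHUB_REF##*/}
          sha=${GITHUB_SHA::8}
          ts=$(date +%s)
          echo "IMAGE_TAG=ghcr.io/${GITHUB_REPOSITORY}:${branch}-${sha}-${ts}" >> "$GITHUB_ENV"
      # Always record the tag that is about to be built. Previously the file
      # was only written by the two conditional steps above, so on non-main
      # branches and PRs the `image-tag` artifact was silently empty
      # (upload-artifact only warns when the path is missing).
      - name: Record IMAGE_TAG
        run: |
          echo "${IMAGE_TAG}" > image-tag.txt
      - name: Build Docker image with Kaniko
        id: build_image
        # --no-push: the image is only written to image.tar; --destination
        # merely names the image inside the tarball. No registry credentials
        # are needed in this job.
        uses: docker://gcr.io/kaniko-project/executor:v1.23.0  # TODO(review): pin by @sha256 digest like the scanner image
        with:
          args: --destination=${{ env.IMAGE_TAG }} --context=/github/workspace --dockerfile=/github/workspace/Dockerfile --no-push --tarPath /github/workspace/image.tar
      - name: Setup crane
        uses: imjasonh/[email protected]  # TODO(review): third-party action, pin to a commit SHA
      - name: Use crane to get the digest
        run: crane digest --tarball=image.tar > digest.txt
      # Fail the job if an expected file is missing instead of uploading an
      # empty artifact that only breaks the downstream job.
      - name: Upload artifact
        uses: actions/upload-artifact@v4  # TODO(review): pin to a commit SHA
        with:
          name: docker-image
          path: image.tar
          if-no-files-found: error
      - name: Upload digest
        uses: actions/upload-artifact@v4  # TODO(review): pin to a commit SHA
        with:
          name: digest
          path: digest.txt
          if-no-files-found: error
      - name: Upload image tag
        uses: actions/upload-artifact@v4  # TODO(review): pin to a commit SHA
        with:
          name: image-tag
          path: image-tag.txt
          if-no-files-found: error

  # Scan the image tarball produced by build-image for known vulnerabilities.
  image-scanning:
    needs: build-image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # TODO(review): pin to a commit SHA
        with:
          fetch-depth: 0
      # The tarball lands in the checkout root, which is /github/workspace
      # inside the scanner container below.
      - uses: actions/download-artifact@v4  # TODO(review): pin to a commit SHA
        with:
          name: docker-image
          path: .
      - name: Set up Git
        # Same uid mismatch as in the sca job; see the comment there.
        run: |
          git config --global --add safe.directory /github/workspace
      - name: DevGuard Container-Scanning
        # Same token-handling caveats as the SCA step: the secret is a CLI
        # argument and is empty on pull_request events from forks.
        uses: docker://ghcr.io/l3montree-dev/devguard-scanner@sha256:55736b9dc029762131ea31b7d5ec7a108f07df114520fefa82df28132f554ab8
        with:
          args: devguard-scanner container-scanning --assetName="l3montree-cybersecurity/projects/devguard/assets/devguard-web" --apiUrl="https://api.main.devguard.org" --token="${{ secrets.DEVGUARD_TOKEN }}" --path="/github/workspace/image.tar"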