Skip to content

Commit

Permalink
Add compliance workflow
Browse files Browse the repository at this point in the history 
Signed-off-by: John Kjell <[email protected]>
  • Loading branch information
@jkjell
jkjell committed Dec 9, 2024
1 parent ed193f3 commit 4f3922e
Showing 1 changed file with 124 additions and 0 deletions.
124 changes: 124 additions & 0 deletions .github/workflows/compliance.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,124 @@
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

name: pipeline

on:
push:
branches:
- '*'
pull_request:
branches:
- '*'

jobs:
lint:
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: lint
pre-command-attestations: "git github environment"
attestations: "git github environment"
pre-command: |
curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
chmod +x /usr/local/bin/hadolint
command: hadolint -f sarif Dockerfile > hadolint.sarif
artifact-upload-name: hadolint.sarif
artifact-upload-path: hadolint.sarif

sast:
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: sast
pre-command-attestations: "git github environment"
attestations: "git github environment"
pre-command: python3 -m pip install semgrep==1.45.0
command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
artifact-upload-name: semgrep.sarif
artifact-upload-path: semgrep.sarif

build-image:
needs: [ lint, sast ]
runs-on: ubuntu-latest

permissions:
packages: write
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

steps:
- uses: actions/[email protected]
- uses: docker/[email protected]

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/testifysec/swf/software

- name: Docker Login
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Setup Buildx
uses: docker/setup-buildx-action@v3
with:
platforms: linux/amd64
install: true
use: true

- name: Build Image
uses: testifysec/witness-run-action@reusable-workflow # v0.2.0
with:
version: 0.6.0
step: build-image
archivista-server: "https://archivista.aws-sandbox-staging.testifysec.dev/"
attestations: "git github environment oci slsa"
command: |
/bin/sh -c "docker buildx build -t ${{ steps.meta.outputs.tags }} -o type=docker,dest=image.tar --push ."
- name: Upload Artifact
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
with:
name: image.tar
path: image.tar

outputs:
tags: ${{ steps.meta.outputs.tags }}

generate-sbom:
needs: build-image
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: generate-sbom
pre-command-attestations: "git github environment"
attestations: "git github environment sbom"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
command: |
syft packages docker-archive:/tmp/image.tar --source-name=pkg:oci/testifysec/swf -o cyclonedx-json --file sbom.cdx.json
artifact-upload-name: sbom.cdx.json
artifact-upload-path: sbom.cdx.json

secret-scan:
needs: build-image
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: secret-scan
pre-command-attestations: "git github environment"
attestations: "git github environment"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
command: |
trufflehog docker --image=file:///tmp/image.tar -j > trufflehog.json
artifact-upload-name: trufflehog.json
artifact-upload-path: trufflehog.json

0 comments on commit 4f3922e

Please sign in to comment.