From 938ebb379058ddb2b361f337d1112290e1478dd4 Mon Sep 17 00:00:00 2001
From: Thomas Manson
Date: Tue, 31 Jan 2023 15:42:31 +1100
Subject: [PATCH 1/8] Added shared validation workflow
---
.github/workflows/shared-validate-image.yaml | 97 ++++++++++++++++++++
1 file changed, 97 insertions(+)
create mode 100644 .github/workflows/shared-validate-image.yaml
diff --git a/.github/workflows/shared-validate-image.yaml b/.github/workflows/shared-validate-image.yaml
new file mode 100644
index 00000000..a0dd245f
--- /dev/null
+++ b/.github/workflows/shared-validate-image.yaml
@@ -0,0 +1,97 @@
+name: Shared Validation of Docker image
+on:
+ workflow_call:
+ inputs:
+ failure_severity:
+ description: 'Must be one of CRITICAL, HIGH, MEDIUM'
+ required: false
+ default: 'HIGH'
+ type: string
+ cloud_provider:
+ description: 'Must be one of [aws, gcp, azure, default]'
+ required: false
+ default: 'default'
+ type: string
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ build-publish-docker:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ packages: write
+ outputs:
+ jar_version: ${{ steps.package.outputs.jar_version }}
+ steps:
+ - name: Checkout Full history
+ uses: actions/checkout@v3
+ with:
+ # git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout.
+ fetch-depth: 0
+
+ - name: Restore Timestamps
+ uses: thetradedesk/git-restore-mtime-action@v1.2
+
+ - name: Package Jar
+ id: package
+ run: |
+ mvn -B package -P ${{ github.event.inputs.cloud_provider }}
+ echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT
+ echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=sha,prefix=${{ steps.package.outputs.jar_version }}-,suffix=-${{ github.event.inputs.cloud_provider }},format=short
+
+ - name: Build Docker Image
+ uses: docker/build-push-action@v3
+ with:
+ context: .
+ load: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ build-args: |
+ JAR_VERSION=${{ steps.package.outputs.jar_version }}
+ IMAGE_VERSION=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }}
+
+ - name: Local vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ steps.meta.outputs.tags }}
+ format: 'table'
+ exit-code: '0'
+ ignore-unfixed: true
+ severity: ${{ github.event.inputs.failure_severity }}
+ hide-progress: true
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ steps.meta.outputs.tags }}
+ format: 'sarif'
+ exit-code: '1'
+ ignore-unfixed: true
+ severity: ${{ github.event.inputs.failure_severity }}
+ output: 'trivy-results.sarif'
+ hide-progress: true
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
+
From e2cd35a763d3f856b9c4b41c7c6ed54c1bee21eb Mon Sep 17 00:00:00 2001
From: Thomas Manson
Date: Tue, 31 Jan 2023 16:23:32 +1100
Subject: [PATCH 2/8] Changed reference to inputs
---
.github/workflows/shared-validate-image.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/shared-validate-image.yaml b/.github/workflows/shared-validate-image.yaml
index a0dd245f..42b5877b 100644
--- a/.github/workflows/shared-validate-image.yaml
+++ b/.github/workflows/shared-validate-image.yaml
@@ -38,7 +38,7 @@ jobs: - name: Package Jar
id: package
run: |
- mvn -B package -P ${{ github.event.inputs.cloud_provider }}
+ mvn -B package -P ${{ inputs.cloud_provider }}
echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT
echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT
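Review bot: Every action in this new workflow is referenced by a mutable tag or branch, and the two that gate the build are the worst case — `aquasecurity/trivy-action@master` (used twice) and `thetradedesk/git-restore-mtime-action@v1.2` — so the scanner deciding pass/fail can change underneath the job with no review. Pin each to a full-length commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<40-char sha> # v0.x`, and let Dependabot raise the bumps. Separately, the job requests `packages: write` and logs in to ghcr.io, yet `docker/build-push-action` is invoked with `load: true` and no `push`, so unless a push is planned those two grant rights the job never exercises; dropping them keeps `GITHUB_TOKEN` at least privilege. The two Trivy steps rescan the same local image with different filters, which works but deserves a comment such as `# first scan is informational (exit-code 0); the SARIF scan below is the gate`.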
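Review bot: The corrected `run:` line still interpolates `${{ inputs.cloud_provider }}` directly into the shell, which is the pattern GitHub documents as script injection: whatever a calling workflow passes is pasted verbatim into the command before bash parses it. Since `cloud_provider` is documented as one of four fixed values but never checked, route it through an environment variable and validate it: add `env: CLOUD_PROVIDER: ${{ inputs.cloud_provider }}` to the step, run `mvn -B package -P "$CLOUD_PROVIDER"`, and precede it with `case "$CLOUD_PROVIDER" in aws|gcp|azure|default) ;; *) echo "bad cloud_provider: $CLOUD_PROVIDER" >&2; exit 1;; esac`. How exploitable this is depends on what callers feed the reusable workflow, but the mitigation is three lines and removes the question. The `Package Jar` step's enclosing job starts before this hunk.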
@@ -55,7 +55,7 @@ jobs:
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
- type=sha,prefix=${{ steps.package.outputs.jar_version }}-,suffix=-${{ github.event.inputs.cloud_provider }},format=short
+ type=sha,prefix=${{ steps.package.outputs.jar_version }}-,suffix=-${{ inputs.cloud_provider }},format=short - name: Build Docker Image
uses: docker/build-push-action@v3
@@ -75,7 +75,7 @@ jobs:
format: 'table'
exit-code: '0'
ignore-unfixed: true
- severity: ${{ github.event.inputs.failure_severity }}
+ severity: ${{ inputs.failure_severity }}
hide-progress: true - name: Run Trivy vulnerability scanner
@@ -85,7 +85,7 @@ jobs:
format: 'sarif'
exit-code: '1'
ignore-unfixed: true
- severity: ${{ github.event.inputs.failure_severity }}
+ severity: ${{ inputs.failure_severity }}
output: 'trivy-results.sarif'
hide-progress: true
From 06a4e8d0c386180623cee20dd010c7d08e838ab1 Mon Sep 17 00:00:00 2001
From: Thomas Manson
Date: Tue, 31 Jan 2023 16:41:18 +1100
Subject: [PATCH 3/8] Set local scanner to do critical, high and medium
---
.github/workflows/shared-validate-image.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/shared-validate-image.yaml b/.github/workflows/shared-validate-image.yaml
index 42b5877b..7e18488f 100644
--- a/.github/workflows/shared-validate-image.yaml
+++ b/.github/workflows/shared-validate-image.yaml
@@ -75,7 +75,7 @@ jobs:
format: 'table'
exit-code: '0'
ignore-unfixed: true
- severity: ${{ inputs.failure_severity }}
+ severity: 'CRITICAL,HIGH,MEDIUM'
hide-progress: true - name: Run Trivy vulnerability scanner
From eab7b17e3f0c7352df5a9be75d68c04152a69ab4 Mon Sep 17 00:00:00 2001
From: Thomas Manson
Date: Wed, 1 Feb 2023 09:36:02 +1100
Subject: [PATCH 4/8] Move to shared action
---
.github/workflows/shared-validate-image.yaml | 62 +-------------------
1 file changed, 3 insertions(+), 59 deletions(-)
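Review bot: The gating scan's `severity: ${{ inputs.failure_severity }}` takes a single level, but Trivy's `--severity` is an exact include-list rather than a threshold, so with the documented default of `HIGH` the step reports and fails on HIGH findings only and a CRITICAL CVE passes silently. Translate the input into a cumulative list before it reaches the scanner, e.g. `severity: ${{ inputs.failure_severity == 'CRITICAL' && 'CRITICAL' || inputs.failure_severity == 'HIGH' && 'CRITICAL,HIGH' || 'CRITICAL,HIGH,MEDIUM' }}`, or change the input contract to accept the comma list and say so in its description. Note also that `ignore-unfixed: true` on this SARIF step means unfixed vulnerabilities never reach the Security tab; that is a defensible gating choice, but it deserves a comment like `# unfixed CVEs are excluded from both the gate and the Security tab`, since a reader will otherwise assume the tab is complete. The step's enclosing job starts before this hunk.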
diff --git a/.github/workflows/shared-validate-image.yaml b/.github/workflows/shared-validate-image.yaml
index 7e18488f..e1da4782 100644
--- a/.github/workflows/shared-validate-image.yaml
+++ b/.github/workflows/shared-validate-image.yaml
@@ -35,63 +35,7 @@ jobs: - name: Restore Timestamps
uses: thetradedesk/git-restore-mtime-action@v1.2
- - name: Package Jar
- id: package
- run: |
- mvn -B package -P ${{ inputs.cloud_provider }}
- echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT
- echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT
-
- - name: Log in to the Container registry
- uses: docker/login-action@v2
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Extract metadata (tags, labels) for Docker
- id: meta
- uses: docker/metadata-action@v4
- with:
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- tags: |
- type=sha,prefix=${{ steps.package.outputs.jar_version }}-,suffix=-${{ inputs.cloud_provider }},format=short
-
- - name: Build Docker Image
- uses: docker/build-push-action@v3
- with:
- context: .
- load: true
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
- build-args: |
- JAR_VERSION=${{ steps.package.outputs.jar_version }}
- IMAGE_VERSION=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }}
-
- - name: Local vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ steps.meta.outputs.tags }}
- format: 'table'
- exit-code: '0'
- ignore-unfixed: true
- severity: 'CRITICAL,HIGH,MEDIUM'
- hide-progress: true
-
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
+ - uses: ./.github/workflows/build_scan_image
with:
- image-ref: ${{ steps.meta.outputs.tags }}
- format: 'sarif'
- exit-code: '1'
- ignore-unfixed: true
- severity: ${{ inputs.failure_severity }}
- output: 'trivy-results.sarif'
- hide-progress: true
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- if: always()
- with:
- sarif_file: 'trivy-results.sarif'
-
+ cloud_provider: ${{ inputs.cloud_provider
}}
+ failure_severity: ${{ inputs. failure_severity }}
From 0b26098a6ce331716ec3de5af02af69f5943607a Mon Sep 17 00:00:00 2001
From: Thomas Manson
Date: Wed, 1 Feb 2023 09:45:46 +1100
Subject: [PATCH 5/8] Changed path to action
---
.github/workflows/shared-validate-image.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/shared-validate-image.yaml b/.github/workflows/shared-validate-image.yaml
index e1da4782..c5663326 100644
--- a/.github/workflows/shared-validate-image.yaml
+++ b/.github/workflows/shared-validate-image.yaml
@@ -35,7 +35,7 @@ jobs: - name: Restore Timestamps
uses: thetradedesk/git-restore-mtime-action@v1.2
- - uses: ./.github/workflows/build_scan_image
+ - uses: ./.github/actions/build_scan_image
with:
cloud_provider: ${{ inputs.cloud_provider }}
failure_severity: ${{ inputs. failure_severity }}
From 13bc1afd3d2dfbaa03ec011699014320d85bbbd9 Mon Sep 17 00:00:00 2001
From: Thomas Manson
Date: Wed, 1 Feb 2023 09:50:22 +1100
Subject: [PATCH 6/8] Added repo name
---
.github/workflows/shared-validate-image.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/shared-validate-image.yaml b/.github/workflows/shared-validate-image.yaml
index c5663326..58716cf7 100644
--- a/.github/workflows/shared-validate-image.yaml
+++ b/.github/workflows/shared-validate-image.yaml
@@ -35,7 +35,7 @@ jobs: - name: Restore Timestamps
uses: thetradedesk/git-restore-mtime-action@v1.2
- - uses: ./.github/actions/build_scan_image
+ - uses: IABTechLab/uid2-shared-actions/actions/build_scan_image@main
with:
cloud_provider: ${{ inputs.cloud_provider }}
failure_severity: ${{ inputs. failure_severity }}
From dbbf3db9623801edc4011c11ac085aaf3f2d3f86 Mon Sep 17 00:00:00 2001
From: Thomas Manson
Date: Wed, 1 Feb 2023 10:01:01 +1100
Subject: [PATCH 7/8] Set the token as a parameter
---
.github/workflows/shared-validate-image.yaml | 1 +
1 file changed, 1 insertion(+)
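Review bot: This hunk deletes the `Package Jar` step (`id: package`) but leaves the job-level `outputs: jar_version: ${{ steps.package.outputs.jar_version }}` declared in the first commit, which sits just above the hunk; with no step of that id left in the job, the output will evaluate to an empty string for every caller of this reusable workflow, and the now-unused `REGISTRY`/`IMAGE_NAME` env block goes the same way. Either have the composite action expose the version and forward it (`jar_version: ${{ steps.build.outputs.jar_version }}` with an `id: build` on the new `uses:` step, assuming the action declares that output), or drop the job output so callers fail loudly instead of reading a blank. The added `failure_severity: ${{ inputs. failure_severity }}` also carries a stray space after the dot; whether or not the expression parser tolerates it, write `failure_severity: ${{ inputs.failure_severity }}` so it matches the other references. The `build-publish-docker` job header and `permissions` block lie outside this hunk.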
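Review bot: `uses: IABTechLab/uid2-shared-actions/actions/build_scan_image@main` pulls the whole build-and-scan logic from another repository at a moving branch, so every run of this reusable workflow executes whatever is on `main` at that moment, with this job's `packages: write` and `security-events: write` permissions (declared above the hunk). Pin it to a release tag or, better, a full commit SHA: `uses: IABTechLab/uid2-shared-actions/actions/build_scan_image@<40-char sha> # vX.Y`. If tracking `main` is deliberate, say so in a comment next to the line and treat that branch's protection rules as part of this workflow's trust boundary, because they now are.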
diff --git a/.github/workflows/shared-validate-image.yaml b/.github/workflows/shared-validate-image.yaml
index 58716cf7..05ae022e 100644
--- a/.github/workflows/shared-validate-image.yaml
+++ b/.github/workflows/shared-validate-image.yaml
@@ -39,3 +39,4 @@ jobs:
with:
cloud_provider: ${{ inputs.cloud_provider }}
failure_severity: ${{ inputs. failure_severity }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
From 94bc62c7ba86806489baee493e2a6e822ce010b4 Mon Sep 17 00:00:00 2001
From: Thomas Manson
Date: Wed, 1 Feb 2023 10:40:30 +1100
Subject: [PATCH 8/8] Added line end
---
.github/workflows/shared-validate-image.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/shared-validate-image.yaml b/.github/workflows/shared-validate-image.yaml
index 05ae022e..29c68d71 100644
--- a/.github/workflows/shared-validate-image.yaml
+++ b/.github/workflows/shared-validate-image.yaml
@@ -39,4 +39,4 @@ jobs:
with:
cloud_provider: ${{ inputs.cloud_provider }}
failure_severity: ${{ inputs. failure_severity }}
- github_token: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ github_token: ${{ secrets.GITHUB_TOKEN }}
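Review bot: Passing `github_token: ${{ secrets.GITHUB_TOKEN }}` hands the job's token — which the `permissions` block earlier in the file grants `packages: write` and `security-events: write` — to an action fetched from a different repository at the mutable `@main` ref, so anyone who can push to that branch can publish packages and write security alerts as this workflow. Pin the action to a commit SHA before routing the token into it, and record why the token is needed with a comment such as `# token used by the shared action for ghcr.io login and SARIF upload` so the permission set stays tied to a reason and can be trimmed if the action stops pushing. The `with:` block and the job it belongs to start outside this hunk.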