Security Audit #413
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Security Audit" | |
on: | |
push: | |
schedule: | |
- cron: '0 5 * * *' | |
jobs: | |
grype: | |
name: Grype | |
runs-on: ubuntu-latest | |
services: | |
registry: | |
image: registry:2 | |
ports: | |
- 5000:5000 | |
strategy: | |
fail-fast: false | |
matrix: | |
tag: | |
- 3.11-basic | |
- 3.11-docworker | |
- 3.11-docworker-lambda | |
env: | |
IMAGE_BASE_NAME: 'localhost:5000/test/python-base' | |
DOCKER_META_CONTEXT: '.' | |
DOCKER_META_FILE: './${{ matrix.tag }}/Dockerfile' | |
DOCKER_META_PLATFORMS: 'linux/amd64,linux/arm64' | |
steps: | |
- name: Check out repository | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Install Grype | |
run: | | |
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin | |
- name: Check Grype | |
run: | | |
grype version | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v2 | |
with: | |
driver-opts: network=host | |
# TEST DOCKER IMAGE BUILD | |
- name: Docker meta [test] | |
id: meta-test | |
uses: docker/metadata-action@v4 | |
with: | |
images: | | |
${{ env.IMAGE_BASE_NAME }} | |
tags: | | |
type=raw,value=${{ matrix.tag }} | |
- name: Docker build+push [test] | |
uses: docker/build-push-action@v3 | |
with: | |
context: ${{ env.DOCKER_META_CONTEXT }} | |
file: ${{ env.DOCKER_META_FILE }} | |
platforms: ${{ env.DOCKER_META_PLATFORMS }} | |
push: true | |
tags: ${{ steps.meta-test.outputs.tags }} | |
labels: ${{ steps.meta-test.outputs.labels }} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
- name: Run Grype | |
run: | | |
grype ${{ env.IMAGE_BASE_NAME }}:${{ matrix.tag }} | tee result.txt | |
- name: Check critical vulnerabilities | |
run: | | |
CRITICALS=$(cat result.txt | grep "Critical" | wc -l | tr -s " ") | |
if [ "$CRITICALS" -gt "0" ]; then | |
echo "There are critical vulnerabilities: $CRITICALS (image: $IMAGE)" | |
echo "--------------------------------------------------------------------------------" | |
cat result.txt | grep "Critical" | |
exit 1 | |
else | |
echo "There are no citical vulnerabilities for image: $IMAGE" | |
echo "Sending notification..." | |
echo "Well done!" | |
fi | |
env: | |
IMAGE: ${{ env.IMAGE_BASE_NAME }}:${{ matrix.tag }} |