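# Security Audit: builds each image variant in the matrix, pushes it to a
# throwaway local registry service, scans it with Grype and fails the job
# when the scan output contains any "Critical" finding.
name: "Security Audit"
on:
  push:
  schedule:
    # Daily at 05:00 UTC so newly published advisories are caught even when
    # nothing was pushed.
    - cron: '0 5 * * *'

# Least privilege for GITHUB_TOKEN: the job only checks the repository out and
# pushes to a local registry, so read access to contents is all it needs.
# (The type=gha build cache is expected to use the runner's own token, not
# GITHUB_TOKEN — confirm if cache steps start failing after this change.)
permissions:
  contents: read

jobs:
  grype:
    name: Grype
    runs-on: ubuntu-latest
    services:
      # Local registry the freshly built image is pushed to and scanned from.
      registry:
        image: registry:2
        ports:
          - '5000:5000'  # quoted: digit/colon plain scalars are ambiguous in YAML 1.1
    strategy:
      # Keep scanning the remaining variants when one of them fails.
      fail-fast: false
      matrix:
        tag:
          - basic
          - docworker
          - docworker-lambda
    env:
      IMAGE_BASE_NAME: 'localhost:5000/test/python-base'
      DOCKER_META_CONTEXT: '.'
      DOCKER_META_FILE: './${{ matrix.tag }}/Dockerfile'
      DOCKER_META_PLATFORMS: 'linux/amd64,linux/arm64'
    steps:
      # NOTE: third-party actions below are pinned to floating major tags.
      # Pinning to a full commit SHA (`uses: owner/action@<commit-sha>`) stops
      # a moved tag from silently changing what runs in this job.
      - name: Check out repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      # NOTE: this installs whatever is on the installer's `main` branch at
      # run time. Passing a release tag to the installer
      # (`sh -s -- -b /usr/local/bin <GRYPE_VERSION>`) makes the scanner
      # version reproducible between runs.
      - name: Install Grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
      - name: Check Grype
        run: |
          grype version
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v2
        with:
          # Lets the buildx builder reach the registry service on localhost:5000.
          driver-opts: network=host
      # TEST DOCKER IMAGE BUILD
      - name: Docker meta [test]
        id: meta-test
        uses: docker/metadata-action@v4
        with:
          images: |
            ${{ env.IMAGE_BASE_NAME }}
          tags: |
            type=raw,value=${{ matrix.tag }}
      - name: Docker build+push [test]
        uses: docker/build-push-action@v3
        with:
          context: ${{ env.DOCKER_META_CONTEXT }}
          file: ${{ env.DOCKER_META_FILE }}
          platforms: ${{ env.DOCKER_META_PLATFORMS }}
          push: true
          tags: ${{ steps.meta-test.outputs.tags }}
          labels: ${{ steps.meta-test.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Run Grype
        run: |
          grype ${{ env.IMAGE_BASE_NAME }}:${{ matrix.tag }} | tee result.txt
      - name: Check critical vulnerabilities
        run: |
          # grep -c prints the match count (0 when nothing matches) but exits
          # non-zero on zero matches; `|| true` keeps the step alive under -e.
          CRITICALS=$(grep -c "Critical" result.txt || true)
          if [ "$CRITICALS" -gt 0 ]; then
            echo "There are critical vulnerabilities: $CRITICALS (image: $IMAGE)"
            echo "--------------------------------------------------------------------------------"
            grep "Critical" result.txt
            exit 1
          else
            echo "There are no critical vulnerabilities for image: $IMAGE"
            # Log output only: no notification is actually sent by this step.
            echo "Sending notification..."
            echo "Well done!"
          fi
        env:
          IMAGE: ${{ env.IMAGE_BASE_NAME }}:${{ matrix.tag }}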