-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
disable vulnerability scan for infra temp
- Loading branch information
Showing
1 changed file
with
127 additions
and
127 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,127 +1,127 @@ | ||
| # GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image | ||
| # to ensure images built are secure before they are deployed. | ||
|
|
||
| # NOTE: The workflow isn't able to pass the docker image between jobs, so each builds the image. | ||
| # A future PR will pass the image between the scans to reduce overhead and increase speed | ||
| name: Vulnerability Scans | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| app_name: | ||
| description: "name of application folder under infra directory" | ||
| required: true | ||
| type: string | ||
|
|
||
| jobs: | ||
| hadolint-scan: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v3 | ||
|
|
||
| # Scans Dockerfile for any bad practices or issues | ||
| - name: Scan Dockerfile by hadolint | ||
| uses: hadolint/[email protected] | ||
| with: | ||
| dockerfile: ${{ inputs.app_name }}/Dockerfile | ||
| format: tty | ||
| failure-threshold: warning | ||
| output-file: hadolint-results.txt | ||
|
|
||
| - name: Save output to workflow summary | ||
| if: always() # Runs even if there is a failure | ||
| run: cat hadolint-results.txt >> "$GITHUB_STEP_SUMMARY" | ||
|
|
||
| trivy-scan: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v3 | ||
|
|
||
| - name: Build and tag Docker image for scanning | ||
| id: build-image | ||
| run: | | ||
| make APP_NAME=${{ inputs.app_name }} release-build | ||
| IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name) | ||
| IMAGE_TAG=$(make release-image-tag) | ||
| echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT" | ||
| - name: Run Trivy vulnerability scan | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| scan-type: image | ||
| image-ref: ${{ steps.build-image.outputs.image }} | ||
| format: table | ||
| exit-code: 1 | ||
| ignore-unfixed: true | ||
| vuln-type: os | ||
| scanners: vuln,secret | ||
|
|
||
| - name: Save output to workflow summary | ||
| if: always() # Runs even if there is a failure | ||
| run: | | ||
| echo "View results in GitHub Action logs" >> "$GITHUB_STEP_SUMMARY" | ||
| anchore-scan: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v3 | ||
|
|
||
| - name: Build and tag Docker image for scanning | ||
| id: build-image | ||
| run: | | ||
| make APP_NAME=${{ inputs.app_name }} release-build | ||
| IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name) | ||
| IMAGE_TAG=$(make release-image-tag) | ||
| echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT" | ||
| - name: Run Anchore vulnerability scan | ||
| uses: anchore/scan-action@v3 | ||
| with: | ||
| image: ${{ steps.build-image.outputs.image }} | ||
| output-format: table | ||
|
|
||
| - name: Save output to workflow summary | ||
| if: always() # Runs even if there is a failure | ||
| run: echo "View results in GitHub Action logs" >> "$GITHUB_STEP_SUMMARY" | ||
|
|
||
| dockle-scan: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v3 | ||
|
|
||
| - name: Build and tag Docker image for scanning | ||
| id: build-image | ||
| run: | | ||
| make APP_NAME=${{ inputs.app_name }} release-build | ||
| IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name) | ||
| IMAGE_TAG=$(make release-image-tag) | ||
| echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT" | ||
| # Dockle doesn't allow you to have an ignore file for the DOCKLE_ACCEPT_FILES | ||
| # variable, this will save the variable in this file to env for Dockle | ||
| - name: Set any acceptable Dockle files | ||
| run: | | ||
| if grep -q "^DOCKLE_ACCEPT_FILES=.*" .dockleconfig; then | ||
| grep -s '^DOCKLE_ACCEPT_FILES=' .dockleconfig >> "$GITHUB_ENV" | ||
| fi | ||
| - name: Run Dockle container linter | ||
| uses: erzz/[email protected] | ||
| with: | ||
| image: ${{ steps.build-image.outputs.image }} | ||
| exit-code: "1" | ||
| failure-threshold: WARN | ||
| accept-filenames: ${{ env.DOCKLE_ACCEPT_FILES }} | ||
|
|
||
| - name: Save output to workflow summary | ||
| if: always() # Runs even if there is a failure | ||
| run: | | ||
| { | ||
| echo '```json' | ||
| cat dockle-report.json | ||
| echo '```' | ||
| } >> "$GITHUB_STEP_SUMMARY" | ||
| # # GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image | ||
| # # to ensure images built are secure before they are deployed. | ||
|
|
||
| # # NOTE: The workflow isn't able to pass the docker image between jobs, so each builds the image. | ||
| # # A future PR will pass the image between the scans to reduce overhead and increase speed | ||
| # name: Vulnerability Scans | ||
|
|
||
| # on: | ||
| # workflow_call: | ||
| # inputs: | ||
| # app_name: | ||
| # description: "name of application folder under infra directory" | ||
| # required: true | ||
| # type: string | ||
|
|
||
| # jobs: | ||
| # hadolint-scan: | ||
| # runs-on: ubuntu-latest | ||
|
|
||
| # steps: | ||
| # - uses: actions/checkout@v3 | ||
|
|
||
| # # Scans Dockerfile for any bad practices or issues | ||
| # - name: Scan Dockerfile by hadolint | ||
| # uses: hadolint/[email protected] | ||
| # with: | ||
| # dockerfile: ${{ inputs.app_name }}/Dockerfile | ||
| # format: tty | ||
| # failure-threshold: warning | ||
| # output-file: hadolint-results.txt | ||
|
|
||
| # - name: Save output to workflow summary | ||
| # if: always() # Runs even if there is a failure | ||
| # run: cat hadolint-results.txt >> "$GITHUB_STEP_SUMMARY" | ||
|
|
||
| # trivy-scan: | ||
| # runs-on: ubuntu-latest | ||
|
|
||
| # steps: | ||
| # - uses: actions/checkout@v3 | ||
|
|
||
| # - name: Build and tag Docker image for scanning | ||
| # id: build-image | ||
| # run: | | ||
| # make APP_NAME=${{ inputs.app_name }} release-build | ||
| # IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name) | ||
| # IMAGE_TAG=$(make release-image-tag) | ||
| # echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT" | ||
|
|
||
| # - name: Run Trivy vulnerability scan | ||
| # uses: aquasecurity/trivy-action@master | ||
| # with: | ||
| # scan-type: image | ||
| # image-ref: ${{ steps.build-image.outputs.image }} | ||
| # format: table | ||
| # exit-code: 1 | ||
| # ignore-unfixed: true | ||
| # vuln-type: os | ||
| # scanners: vuln,secret | ||
|
|
||
| # - name: Save output to workflow summary | ||
| # if: always() # Runs even if there is a failure | ||
| # run: | | ||
| # echo "View results in GitHub Action logs" >> "$GITHUB_STEP_SUMMARY" | ||
|
|
||
| # anchore-scan: | ||
| # runs-on: ubuntu-latest | ||
|
|
||
| # steps: | ||
| # - uses: actions/checkout@v3 | ||
|
|
||
| # - name: Build and tag Docker image for scanning | ||
| # id: build-image | ||
| # run: | | ||
| # make APP_NAME=${{ inputs.app_name }} release-build | ||
| # IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name) | ||
| # IMAGE_TAG=$(make release-image-tag) | ||
| # echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT" | ||
|
|
||
| # - name: Run Anchore vulnerability scan | ||
| # uses: anchore/scan-action@v3 | ||
| # with: | ||
| # image: ${{ steps.build-image.outputs.image }} | ||
| # output-format: table | ||
|
|
||
| # - name: Save output to workflow summary | ||
| # if: always() # Runs even if there is a failure | ||
| # run: echo "View results in GitHub Action logs" >> "$GITHUB_STEP_SUMMARY" | ||
|
|
||
| # dockle-scan: | ||
| # runs-on: ubuntu-latest | ||
|
|
||
| # steps: | ||
| # - uses: actions/checkout@v3 | ||
|
|
||
| # - name: Build and tag Docker image for scanning | ||
| # id: build-image | ||
| # run: | | ||
| # make APP_NAME=${{ inputs.app_name }} release-build | ||
| # IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name) | ||
| # IMAGE_TAG=$(make release-image-tag) | ||
| # echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT" | ||
|
|
||
| # # Dockle doesn't allow you to have an ignore file for the DOCKLE_ACCEPT_FILES | ||
| # # variable, this will save the variable in this file to env for Dockle | ||
| # - name: Set any acceptable Dockle files | ||
| # run: | | ||
| # if grep -q "^DOCKLE_ACCEPT_FILES=.*" .dockleconfig; then | ||
| # grep -s '^DOCKLE_ACCEPT_FILES=' .dockleconfig >> "$GITHUB_ENV" | ||
| # fi | ||
|
|
||
| # - name: Run Dockle container linter | ||
| # uses: erzz/[email protected] | ||
| # with: | ||
| # image: ${{ steps.build-image.outputs.image }} | ||
| # exit-code: "1" | ||
| # failure-threshold: WARN | ||
| # accept-filenames: ${{ env.DOCKLE_ACCEPT_FILES }} | ||
|
|
||
| # - name: Save output to workflow summary | ||
| # if: always() # Runs even if there is a failure | ||
| # run: | | ||
| # { | ||
| # echo '```json' | ||
| # cat dockle-report.json | ||
| # echo '```' | ||
| # } >> "$GITHUB_STEP_SUMMARY" |