Compare commits
2 Commits
9bcb07f846
...
c46397f5b2
| Author | SHA1 | Date | |
|---|---|---|---|
| c46397f5b2 | |||
| 900d310edf |
@ -147,7 +147,7 @@ jobs:
|
||||
sudo mv oras /usr/local/bin/
|
||||
|
||||
# Get the image digest from the build step
|
||||
IMAGE_DIGEST="${{ steps.build.outputs.image-digest }}"
|
||||
IMAGE_DIGEST="${{ steps.build.outputs.digest }}"
|
||||
|
||||
# Attach SBOM to the specific image digest
|
||||
oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
|
||||
@ -157,73 +157,73 @@ jobs:
|
||||
echo "SBOM attached successfully to image digest: ${IMAGE_DIGEST}"
|
||||
|
||||
# Job 4: Image Security Scan
|
||||
scan:
|
||||
name: 🛡️ Image Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
needs: build
|
||||
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
|
||||
steps:
|
||||
- name: Login to Harbor Registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: ${{ env.REGISTRY }}
|
||||
username: ${{ secrets.HARBOR_USERNAME }}
|
||||
password: ${{ secrets.HARBOR_TOKEN }}
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
|
||||
format: 'sarif'
|
||||
output: 'trivy-results.sarif'
|
||||
|
||||
- name: Generate JSON scan results
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
|
||||
format: 'json'
|
||||
output: 'trivy-results.json'
|
||||
|
||||
- name: Upload scan results artifacts
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: trivy-scan-results
|
||||
path: |
|
||||
trivy-results.sarif
|
||||
trivy-results.json
|
||||
|
||||
- name: Attach scan results to Harbor image
|
||||
run: |
|
||||
# Install ORAS
|
||||
curl -LO https://github.com/oras-project/oras/releases/download/v1.1.0/oras_1.1.0_linux_amd64.tar.gz
|
||||
tar -xzf oras_1.1.0_linux_amd64.tar.gz
|
||||
sudo mv oras /usr/local/bin/
|
||||
|
||||
# Get the image digest from the build job
|
||||
IMAGE_DIGEST="${{ needs.build.outputs.digest }}"
|
||||
|
||||
# Attach SARIF scan results
|
||||
oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
|
||||
--artifact-type application/sarif+json \
|
||||
trivy-results.sarif:application/sarif+json
|
||||
|
||||
# Attach JSON scan results
|
||||
oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
|
||||
--artifact-type application/json \
|
||||
trivy-results.json:application/json \
|
||||
--annotation "scan.type=vulnerability" \
|
||||
--annotation "scan.tool=trivy"
|
||||
|
||||
echo "Scan results attached successfully to image digest: ${IMAGE_DIGEST}"
|
||||
|
||||
- name: Check for HIGH/CRITICAL vulnerabilities
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
|
||||
format: 'json'
|
||||
output: 'trivy-critical.json'
|
||||
exit-code: '1'
|
||||
severity: 'HIGH,CRITICAL'
|
||||
scan:
|
||||
name: 🛡️ Image Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
needs: build
|
||||
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
|
||||
steps:
|
||||
- name: Login to Harbor Registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: ${{ env.REGISTRY }}
|
||||
username: ${{ secrets.HARBOR_USERNAME }}
|
||||
password: ${{ secrets.HARBOR_TOKEN }}
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
|
||||
format: 'sarif'
|
||||
output: 'trivy-results.sarif'
|
||||
|
||||
- name: Generate JSON scan results
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
|
||||
format: 'json'
|
||||
output: 'trivy-results.json'
|
||||
|
||||
- name: Upload scan results artifacts
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: trivy-scan-results
|
||||
path: |
|
||||
trivy-results.sarif
|
||||
trivy-results.json
|
||||
|
||||
- name: Attach scan results to Harbor image
|
||||
run: |
|
||||
# Install ORAS
|
||||
curl -LO https://github.com/oras-project/oras/releases/download/v1.1.0/oras_1.1.0_linux_amd64.tar.gz
|
||||
tar -xzf oras_1.1.0_linux_amd64.tar.gz
|
||||
sudo mv oras /usr/local/bin/
|
||||
|
||||
# Get the image digest from the build job
|
||||
IMAGE_DIGEST="${{ needs.build.outputs.digest }}"
|
||||
|
||||
# Attach SARIF scan results
|
||||
oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
|
||||
--artifact-type application/sarif+json \
|
||||
trivy-results.sarif:application/sarif+json
|
||||
|
||||
# Attach JSON scan results
|
||||
oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
|
||||
--artifact-type application/json \
|
||||
trivy-results.json:application/json \
|
||||
--annotation "scan.type=vulnerability" \
|
||||
--annotation "scan.tool=trivy"
|
||||
|
||||
echo "Scan results attached successfully to image digest: ${IMAGE_DIGEST}"
|
||||
|
||||
- name: Check for HIGH/CRITICAL vulnerabilities
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
|
||||
format: 'json'
|
||||
output: 'trivy-critical.json'
|
||||
exit-code: '1'
|
||||
severity: 'HIGH,CRITICAL'
|
||||
|
||||
# # Job 5: Deploy to Development
|
||||
# deploy-dev:
|
||||
|
||||
Reference in New Issue
Block a user