stephen/harbor-ci-cd-demo
1
0
Fork 0
Code Issues Pull Requests Actions Releases Wiki Activity

Compare commits

base: stephen:9bcb07f8469105a63c91a045b94000218cc8ae88
Branches Tags
stephen:main
..
compare: stephen:c46397f5b2c4bdabb9a8c2cbbbdd906272528c17
Branches Tags
stephen:main

2 Commits
9bcb07f846 ... c46397f5b2

Author SHA1 Message Date
stephenminakian
c46397f5b2 Fix IMAGE_DIGEST reference
Some checks failed
CI/CD Pipeline - Build, Test, and Deploy / 🧪 Test & Lint (push) Successful in 9m32s
Details
CI/CD Pipeline - Build, Test, and Deploy / 🔒 Security Scan (push) Successful in 9m31s
Details
CI/CD Pipeline - Build, Test, and Deploy / 🧹 Cleanup (push) Successful in 1s
Details
CI/CD Pipeline - Build, Test, and Deploy / 🏗️ Build & Push Image (push) Successful in 1m6s
Details
CI/CD Pipeline - Build, Test, and Deploy / 🛡️ Image Security Scan (push) Failing after 5m53s
Details
2025-07-03 09:54:23 -06:00
stephenminakian
900d310edf Fix image security scan intent 2025-07-03 09:41:03 -06:00
1 changed files with 68 additions and 68 deletions
Expand all files Collapse all files

136
.gitea/workflows/ci-cd.yml
View File

@ -147,7 +147,7 @@ jobs:
sudo mv oras /usr/local/bin/ sudo mv oras /usr/local/bin/
# Get the image digest from the build step # Get the image digest from the build step
IMAGE_DIGEST="${{ steps.build.outputs.image-digest }}" IMAGE_DIGEST="${{ steps.build.outputs.digest }}"
# Attach SBOM to the specific image digest # Attach SBOM to the specific image digest
oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \ oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
@ -157,73 +157,73 @@ jobs:
echo "SBOM attached successfully to image digest: ${IMAGE_DIGEST}" echo "SBOM attached successfully to image digest: ${IMAGE_DIGEST}"
# Job 4: Image Security Scan # Job 4: Image Security Scan
scan: scan:
name: 🛡️ Image Security Scan name: 🛡️ Image Security Scan
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: build needs: build
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
steps: steps:
- name: Login to Harbor Registry - name: Login to Harbor Registry
uses: docker/login-action@v3 uses: docker/login-action@v3
with: with:
registry: ${{ env.REGISTRY }} registry: ${{ env.REGISTRY }}
username: ${{ secrets.HARBOR_USERNAME }} username: ${{ secrets.HARBOR_USERNAME }}
password: ${{ secrets.HARBOR_TOKEN }} password: ${{ secrets.HARBOR_TOKEN }}
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
format: 'sarif' format: 'sarif'
output: 'trivy-results.sarif' output: 'trivy-results.sarif'
- name: Generate JSON scan results - name: Generate JSON scan results
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
format: 'json' format: 'json'
output: 'trivy-results.json' output: 'trivy-results.json'
- name: Upload scan results artifacts - name: Upload scan results artifacts
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: trivy-scan-results name: trivy-scan-results
path: | path: |
trivy-results.sarif trivy-results.sarif
trivy-results.json trivy-results.json
- name: Attach scan results to Harbor image - name: Attach scan results to Harbor image
run: | run: |
# Install ORAS # Install ORAS
curl -LO https://github.com/oras-project/oras/releases/download/v1.1.0/oras_1.1.0_linux_amd64.tar.gz curl -LO https://github.com/oras-project/oras/releases/download/v1.1.0/oras_1.1.0_linux_amd64.tar.gz
tar -xzf oras_1.1.0_linux_amd64.tar.gz tar -xzf oras_1.1.0_linux_amd64.tar.gz
sudo mv oras /usr/local/bin/ sudo mv oras /usr/local/bin/
# Get the image digest from the build job # Get the image digest from the build job
IMAGE_DIGEST="${{ needs.build.outputs.digest }}" IMAGE_DIGEST="${{ needs.build.outputs.digest }}"
# Attach SARIF scan results # Attach SARIF scan results
oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \ oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
--artifact-type application/sarif+json \ --artifact-type application/sarif+json \
trivy-results.sarif:application/sarif+json trivy-results.sarif:application/sarif+json
# Attach JSON scan results # Attach JSON scan results
oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \ oras attach ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
--artifact-type application/json \ --artifact-type application/json \
trivy-results.json:application/json \ trivy-results.json:application/json \
--annotation "scan.type=vulnerability" \ --annotation "scan.type=vulnerability" \
--annotation "scan.tool=trivy" --annotation "scan.tool=trivy"
echo "Scan results attached successfully to image digest: ${IMAGE_DIGEST}" echo "Scan results attached successfully to image digest: ${IMAGE_DIGEST}"
- name: Check for HIGH/CRITICAL vulnerabilities - name: Check for HIGH/CRITICAL vulnerabilities
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
format: 'json' format: 'json'
output: 'trivy-critical.json' output: 'trivy-critical.json'
exit-code: '1' exit-code: '1'
severity: 'HIGH,CRITICAL' severity: 'HIGH,CRITICAL'
# # Job 5: Deploy to Development # # Job 5: Deploy to Development
# deploy-dev: # deploy-dev: