Build and Security scan Docker image

DucBaoUIT · DucBaoUIT · commit f29f0b74e71f · 2024-06-10T08:45:36.000+07:00
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
@@ -0,0 +1,37 @@
+name: Build Image Video Service
+
+on:
+  workflow_call:
+    secrets:
+      DOCKER_HUB_ACCESS_TOKEN:
+        required: true
+
+jobs:
+  build-image:
+    name: Build and Push Docker Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Setup JDK 17
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'corretto'
+          java-version: 17
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: datuits
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Build the application
+        run: |
+          mvn clean
+          mvn -B package --file pom.xml
+
+      - name: Build and Push the docker image
+        run: |
+          docker build -t datuits/devops-video-service:latest .
+          docker push datuits/devops-video-service:latest
diff --git a/.github/workflows/scan-image.yaml b/.github/workflows/scan-image.yaml
@@ -0,0 +1,46 @@
+name: Scan Image Video Service
+on:
+  workflow_call:
+
+jobs:
+  scan-image:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Trivy
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y wget
+          wget https://github.com/aquasecurity/trivy/releases/download/v0.40.0/trivy_0.40.0_Linux-64bit.deb
+          sudo dpkg -i trivy_0.40.0_Linux-64bit.deb
+
+      - name: Scan Docker image with Trivy
+        id: scan-image
+        run: |
+          trivy image --format json --output scan-results.json datuits/devops-video-service:latest
+        
+      - name: Extract high and critical vulnerabilities
+        id: extract_vulnerabilities
+        run: |
+          jq -r '
+          def hr(severity):
+            if severity == "HIGH" or severity == "CRITICAL" then true else false end;
+          def to_md:
+            "| " + (.VulnerabilityID // "") + " | " + (.PkgName // "") + " | " + (.InstalledVersion // "") + " | " + (.Severity // "") + " | " + (.Title // "") + " |";
+          [
+            "# Docker Image Scan Results",
+            "",
+            "## High and Critical Vulnerabilities",
+            "",
+            "| Vulnerability ID | Package | Version | Severity | Description |",
+            "|------------------|---------|---------|----------|-------------|",
+            (.Results[] | .Vulnerabilities[] | select(hr(.Severity)) | to_md),
+            ""
+          ] | join("\n")
+          ' scan-results.json > vulnerability-report.md
+
+      - name: Upload vulnerability report
+        uses: actions/upload-artifact@v2
+        with:
+          name: vulnerability-report
+          path: vulnerability-report.md
