Update docker-image.yml

crivetimihai · web-flow · commit ecf0ae5a9f49 · 2025-05-31T15:10:39.000+01:00
Added linting and cosign
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -1,18 +1,170 @@
-name: Docker Image CI
+# ===============================================================
+# 📦 Secure Docker Build & Scan Workflow
+# ===============================================================
+#
+# This workflow:
+#   • Builds and tags the container image (`latest` + timestamp)
+#   • Re-uses a BuildKit layer cache for faster rebuilds
+#   • Lints the Dockerfile with Hadolint
+#   • Lints the finished image with Dockle (CIS best-practices)
+#   • Generates an SPDX SBOM with Syft
+#   • Scans the image for CRITICAL/HIGH CVEs with Trivy
+#   • Uploads both Dockle and Trivy results as SARIF files
+#   • Pushes the image to GitHub Container Registry (GHCR)
+#   • Signs and attests the image with Cosign **key-less (OIDC)** –
+#     no private keys or secrets required
+#
+# Triggers:
+#   • Every push / PR to `main`
+#   • Weekly scheduled run (Tue 18:17 UTC) to catch newly-disclosed CVEs
+# ---------------------------------------------------------------
+
+name: Secure Docker Build
 
 on:
   push:
     branches: [ "main" ]
   pull_request:
     branches: [ "main" ]
+  schedule:
+    - cron: '17 18 * * 2'   # every Tuesday @ 18:17 UTC
 
-jobs:
-
-  build:
+# -----------------------------------------------------------------
+# GitHub permission scopes for this job
+#   - contents: read    → checkout source
+#   - packages: write   → push to GHCR with the builtin GITHUB_TOKEN
+#   - security-events: write → upload SARIF to “Code-scanning alerts”
+#   - actions: read     → required by upload-sarif in private repos
+# -----------------------------------------------------------------
+permissions:
+  contents: read
+  packages: write
+  security-events: write
+  actions: read
 
+jobs:
+  build-scan-sign:
     runs-on: ubuntu-latest
 
+    env:
+      IMAGE_NAME: ghcr.io/${{ github.repository }}
+      CACHE_DIR: /tmp/.buildx-cache   # local BuildKit layer cache
+
     steps:
-    - uses: actions/checkout@v4
-    - name: Build the Docker image using Containerfile.lite
-      run: docker build . --file Containerfile.lite --tag mcpgateway/mcpgateway:$(date +%s) --tag mcpgateway/mcpgateway:latest
+    # -------------------------------------------------------------
+    # 0️⃣  Checkout source
+    # -------------------------------------------------------------
+    - name: ⬇️  Checkout code
+      uses: actions/checkout@v4
+
+    # -------------------------------------------------------------
+    # 1️⃣  Lint Dockerfile (Hadolint)
+    # -------------------------------------------------------------
+    - name: 🔍 Dockerfile lint (Hadolint)
+      uses: hadolint/hadolint-action@v3.1.0
+      with:
+        dockerfile: Containerfile.lite
+
+    # -------------------------------------------------------------
+    # 2️⃣  Set up Buildx & restore cache
+    # -------------------------------------------------------------
+    - name: 🛠️  Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: 🔄 Restore BuildKit layer cache
+      uses: actions/cache@v4
+      with:
+        path: ${{ env.CACHE_DIR }}
+        key: ${{ runner.os }}-buildx-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-buildx-
+
+    # -------------------------------------------------------------
+    # 3️⃣  Build & tag image (timestamp + latest)
+    # -------------------------------------------------------------
+    - name: 🏗️  Build Docker image
+      run: |
+        TAG=$(date +%s)
+        docker buildx build \
+          --file Containerfile.lite \
+          --tag $IMAGE_NAME:$TAG \
+          --tag $IMAGE_NAME:latest \
+          --cache-from type=local,src=${{ env.CACHE_DIR }} \
+          --cache-to   type=local,dest=${{ env.CACHE_DIR }},mode=max \
+          --load
+
+    # -------------------------------------------------------------
+    # 4️⃣  Lint image with Dockle
+    # -------------------------------------------------------------
+    - name: 🔍 Image lint (Dockle)
+      uses: erzz/dockle-action@v2
+      with:
+        image: ${{ env.IMAGE_NAME }}:latest
+        format: sarif
+        output: dockle-results.sarif
+        exit-code: 1     # fail on WARN+  (remove to make non-blocking)
+
+    - name: ☁️ Upload Dockle SARIF
+      if: always()
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: dockle-results.sarif
+
+    # -------------------------------------------------------------
+    # 5️⃣  Generate SPDX SBOM with Syft
+    # -------------------------------------------------------------
+    - name: 📄 Generate SBOM (Syft)
+      uses: anchore/sbom-action@v0
+      with:
+        image: ${{ env.IMAGE_NAME }}:latest
+        output-file: sbom.spdx.json
+
+    # -------------------------------------------------------------
+    # 6️⃣  Trivy CVE scan → SARIF  (fails on CRITICAL/HIGH)
+    # -------------------------------------------------------------
+    - name: 🛡️  Trivy vulnerability scan
+      uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+      with:
+        image-ref: ${{ env.IMAGE_NAME }}:latest
+        format: template
+        template: '@/contrib/sarif.tpl'
+        output: trivy-results.sarif
+        severity: CRITICAL,HIGH
+        exit-code: 1        # break build on CRITICAL/HIGH vulns
+
+    - name: ☁️ Upload Trivy SARIF
+      if: always()
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: trivy-results.sarif
+
+    # -------------------------------------------------------------
+    # 7️⃣  Push both tags to GHCR (uses built-in GITHUB_TOKEN)
+    # -------------------------------------------------------------
+    - name: 🔑 Log in to GHCR
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: 🚀 Push image to GHCR
+      run: |
+        # Grab the timestamp tag we built earlier
+        TIMESTAMP_TAG=$(docker images --format '{{.Tag}}' $IMAGE_NAME | grep -v latest)
+        docker push $IMAGE_NAME:$TIMESTAMP_TAG
+        docker push $IMAGE_NAME:latest
+
+    # -------------------------------------------------------------
+    # 8️⃣  Key-less Cosign sign (OIDC) + provenance
+    # -------------------------------------------------------------
+    - name: 📥 Install Cosign
+      uses: sigstore/cosign-installer@v3
+
+    - name: 🔏 Sign & attest image
+      env:
+        COSIGN_EXPERIMENTAL: "1"   # enable key-less OIDC flow
+      run: |
+        # Cosign will interactively fetch an OIDC token from GitHub Actions
+        cosign sign   --yes $IMAGE_NAME:latest
+        cosign attest --yes --predicate sbom.spdx.json $IMAGE_NAME:latest
