
BED-7248: Resolves BP-491 Request for Entra ID User Last Logon Timestamp AZUser Node Property #474



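name: Build

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Default the GITHUB_TOKEN to read-only for every job; the jobs that publish
# (containerize -> packages, build -> releases) widen this explicitly below.
permissions:
  contents: read

jobs:
  # Unit tests. Runs on pushes and pull requests; needs no secrets.
  test:
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    steps:
      # NOTE(review): actions/checkout, actions/setup-go, the aws-actions/*, the
      # docker/setup-* actions, build-push-action, upload-artifact and
      # action-gh-release are referenced by mutable major tags, while
      # docker/login-action, docker/metadata-action and trivy-action are pinned
      # to a commit SHA. Pinning every `uses:` to a SHA (with the version in a
      # trailing comment, as done for trivy-action) gives the same supply-chain
      # protection across the whole workflow.
      - uses: actions/checkout@v3
        with:
          # Nothing in this job pushes to git, so do not leave the token in .git/config.
          persist-credentials: false
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version-file: go.mod
          check-latest: true
          cache: true
      - name: Test
        run: go test ./...

  # Builds the container image, scans the amd64 variant with Trivy and, on pushes
  # to main, publishes to GHCR and ECR. On pull requests (including fork PRs,
  # which never receive repository secrets) the registry logins are skipped and
  # the image is built but not pushed.
  containerize:
    runs-on: ubuntu-latest
    permissions:
      # Job-level permissions replace the defaults entirely, so contents: read is
      # spelled out for checkout; packages: write is needed to push to GHCR.
      contents: read
      packages: write
    defaults:
      run:
        shell: bash
    steps:
      - uses: actions/checkout@v3
        with:
          # The build context is `.`; keep the token out of .git/config so it
          # cannot end up inside the image if .git is ever copied in.
          persist-credentials: false
      - name: Login to GHCR
        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
        if: ${{ ! startsWith(github.event_name, 'pull_request') }}
        with:
          registry: ghcr.io
          username: ${{ secrets.GHCR_USER }}
          password: ${{ secrets.PACKAGE_SCOPE }}
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        if: ${{ ! startsWith(github.event_name, 'pull_request') }}
        with:
          # NOTE(review): these are long-lived static keys stored as secrets.
          # configure-aws-credentials@v4 supports OIDC federation
          # (`role-to-assume` plus `id-token: write`), which would remove the
          # stored AWS secret entirely; confirm the ECR role setup allows it.
          aws-access-key-id: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
          aws-region: 'us-east-1'
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
        if: ${{ ! startsWith(github.event_name, 'pull_request') }}
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
        with:
          # On pull requests the ECR login step is skipped, so its `registry`
          # output is empty and the public.ecr.aws fallback is used; the tags
          # are only ever pushed on non-PR events (see "Push Image").
          images: |
            ghcr.io/bloodhoundad/azurehound
            ${{ steps.login-ecr.outputs.registry || 'public.ecr.aws' }}/production/azurehound
          tags: |
            type=edge,branch=main
            type=sha,prefix=edge-,format=short
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up buildx
        uses: docker/setup-buildx-action@v3
      - name: Build Container Image
        uses: docker/build-push-action@v6
        with:
          context: .
          build-args: VERSION=v0.0.0-rolling+${{ github.sha }}
          tags: azurehound # temporary tag to simplify oci conversion
          labels: ${{ steps.meta.outputs.labels }}
          push: false
          # Build-time secret only (BuildKit mount); it is not persisted in layers.
          secrets: |
            GIT_AUTH_TOKEN=${{ secrets.PACKAGE_SCOPE }}
          # Multi-platform builds can not be loaded into the local Docker daemon.
          # Export an OCI archive instead so it can be scanned for vulnerabilities.
          outputs: type=oci,dest=/tmp/oci-image.tar
      - name: Upload OCI tarball
        uses: actions/upload-artifact@v4
        with:
          name: oci-image-tar
          path: /tmp/oci-image.tar
      # Convert the OCI archive to a Docker-compatible tar for amd64 only; Trivy
      # below therefore scans just the amd64 variant of the image.
      - name: Convert OCI to Docker tarball
        run: |
          set -euo pipefail
          echo "Converting amd64 image..."
          if ! skopeo copy \
            --override-arch=amd64 --override-os=linux \
            oci-archive:/tmp/oci-image.tar \
            docker-archive:/tmp/converted-amd64.tar; then
            echo "skopeo copy failed for amd64"
            exit 1
          fi
      - name: Trivy scan for vulnerabilities (AMD64)
        id: trivy_amd64
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          input: /tmp/converted-amd64.tar
          format: "json"
          severity: "HIGH,CRITICAL"
          # Findings with no available fix are excluded from the report (and so
          # from the gate below); revisit if an unfixed CRITICAL should block.
          ignore-unfixed: true
          cache-dir: /tmp/trivy-cache
          # The action itself does not fail the job; the next step is the gate.
          output: /tmp/trivy-report-amd64.json
      - name: Upload Trivy scan reports
        uses: actions/upload-artifact@v4
        with:
          name: trivy-scan-reports
          path: /tmp/trivy-report-amd64.json
      # Gate: fail the job when HIGH/CRITICAL findings exist and this run would
      # publish the image. The publish condition must stay in step with the
      # `push:` expression of the "Push Image" step below (anything that is not
      # a pull_request event publishes).
      - name: Check Trivy Report for HIGH/CRITICAL vulnerabilities (amd64 only)
        env:
          GITHUB_EVENT_NAME: ${{ github.event_name }}
        run: |
          set -euo pipefail
          report=/tmp/trivy-report-amd64.json
          echo "Checking Trivy report for HIGH/CRITICAL vulnerabilities (amd64 only)..."
          # Ensure report exists
          if [ ! -f "$report" ]; then
            echo "Error: $report not found!"
            exit 1
          fi
          # Count vulnerabilities from amd64 report. `.Results[]?` tolerates a
          # null/absent Results array (a clean image), which a bare `.Results[]`
          # would turn into a jq error instead of a count of 0.
          total_vulns=$(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity=="HIGH" or .Severity=="CRITICAL")] | length' "$report")
          # Never let a malformed report pass the gate as "no findings".
          case "$total_vulns" in
            ''|*[!0-9]*)
              echo "Error: could not parse vulnerability count from $report (got '$total_vulns')"
              exit 1
              ;;
          esac
          echo "Event: $GITHUB_EVENT_NAME"
          echo "Total HIGH/CRITICAL vulnerabilities: $total_vulns"
          if [ "$total_vulns" -gt 0 ]; then
            case "$GITHUB_EVENT_NAME" in
              pull_request*)
                echo "Pull request event. Vulnerabilities found, but continuing (non-blocking)."
                ;;
              *)
                # Fail on every event that would push the image, not only `push`.
                echo "Publishing event ($GITHUB_EVENT_NAME) detected. Failing the job to block image push."
                exit 1
                ;;
            esac
          else
            echo "No HIGH/CRITICAL vulnerabilities found. Safe to proceed."
          fi
      # NOTE(review): this step re-runs the build rather than pushing the scanned
      # /tmp/oci-image.tar. buildx will normally reproduce the same layers from
      # cache, but the published image is not guaranteed to be byte-identical to
      # the artifact Trivy examined; pushing the scanned archive (e.g. with
      # skopeo) would close that gap.
      - name: Push Image
        uses: docker/build-push-action@v6
        with:
          context: .
          build-args: VERSION=v0.0.0-rolling+${{ github.sha }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          push: ${{ ! startsWith(github.event_name, 'pull_request') }}
          secrets: |
            GIT_AUTH_TOKEN=${{ secrets.PACKAGE_SCOPE }}

  # Cross-compiles the CLI for every os/arch pair and, on non-PR events,
  # rewrites the "rolling" pre-release with the zipped binaries and checksums.
  build:
    runs-on: ubuntu-latest
    permissions:
      # action-gh-release creates/updates a release, which requires write access
      # to repository contents; the workflow default above is read-only.
      contents: write
    defaults:
      run:
        shell: bash
    strategy:
      matrix:
        os:
          - darwin
          - linux
          - windows
        arch:
          - amd64
          - arm64
    steps:
      - uses: actions/checkout@v3
        with:
          # The release is published through the API with github.token, not git.
          persist-credentials: false
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version-file: go.mod
          check-latest: true
          cache: true
      - name: Build
        # -s -w strips symbol/DWARF tables; the version is injected via ldflags.
        run: 'go build -ldflags="-s -w -X github.com/bloodhoundad/azurehound/v2/constants.Version=v0.0.0-rolling+${{ github.sha }}"'
        env:
          GOOS: ${{ matrix.os }}
          GOARCH: ${{ matrix.arch }}
      - name: Zip
        if: "! startsWith(github.event_name, 'pull_request')"
        run: 7z a -tzip -mx9 azurehound-${{ matrix.os }}-${{ matrix.arch }}.zip azurehound*
      - name: Compute Checksum
        if: "! startsWith(github.event_name, 'pull_request')"
        run: sha256sum azurehound-${{ matrix.os }}-${{ matrix.arch }}.zip > azurehound-${{ matrix.os }}-${{ matrix.arch }}.zip.sha256
      - name: Update Rolling Release
        if: "! startsWith(github.event_name, 'pull_request')"
        uses: softprops/action-gh-release@v1
        with:
          name: Rolling Release (unstable)
          tag_name: rolling
          prerelease: true
          files: |
            azurehound-${{ matrix.os }}-${{ matrix.arch }}.zip
            azurehound-${{ matrix.os }}-${{ matrix.arch }}.zip.sha256
          body: |
            Rolling release of AzureHound compiled from source (${{ github.sha }})
            This is automatically kept up-to-date with the `${{ github.ref_name }}` ${{ github.ref_type }}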