ci(gha): add steps to perform container image scan #155
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CICD Pipeline | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| jobs: | |
| # conventional-commit-check: | |
| # runs-on: ubuntu-latest | |
| # steps: | |
| # - uses: actions/checkout@v5 | |
| # with: | |
| # fetch-depth: 0 | |
| # - name: Conventional commit check | |
| # uses: cocogitto/cocogitto-action@v3 | |
| # build: | |
| # runs-on: ubuntu-latest | |
| # needs: conventional-commit-check | |
| # steps: | |
| # - uses: actions/checkout@v5 | |
| # - uses: actions/setup-java@v5 | |
| # with: | |
| # distribution: adopt | |
| # java-version: 21 | |
| # check-latest: true | |
| # - name: Cached Gradle packages | |
| # uses: actions/cache@v4 | |
| # with: | |
| # key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} | |
| # path: | | |
| # ~/.gradle/caches | |
| # ~/.gradle/wrapper | |
| # - run: ( ./gradlew build -x test ) | |
| # name: "Executing build" | |
| # unit-test: | |
| # runs-on: ubuntu-latest | |
| # needs: build | |
| # steps: | |
| # - uses: actions/checkout@v5 | |
| # - uses: actions/setup-java@v5 | |
| # with: | |
| # distribution: adopt | |
| # java-version: 21 | |
| # check-latest: true | |
| # - name: Cached Gradle packages | |
| # uses: actions/cache@v4 | |
| # with: | |
| # key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} | |
| # path: | | |
| # ~/.gradle/caches | |
| # ~/.gradle/wrapper | |
| # - run: ( ./gradlew test ) | |
| # name: "Executing tests" | |
| # - run: ( ./gradlew jacocoTestCoverageVerification ) | |
| # name: "Code coverage" | |
| # mutation-test: | |
| # runs-on: ubuntu-latest | |
| # needs: build | |
| # steps: | |
| # - uses: actions/checkout@v5 | |
| # - uses: actions/setup-java@v5 | |
| # with: | |
| # distribution: adopt | |
| # java-version: 21 | |
| # check-latest: true | |
| # - name: Cached Gradle packages | |
| # uses: actions/cache@v4 | |
| # with: | |
| # key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} | |
| # path: | | |
| # ~/.gradle/caches | |
| # ~/.gradle/wrapper | |
| # - run: ( ./gradlew pitest ) | |
| # name: "Executing mutation tests" | |
| # dependency-vulnerability-analysis: | |
| # runs-on: ubuntu-latest | |
| # needs: build | |
| # steps: | |
| # - uses: actions/checkout@v5 | |
| # - uses: actions/setup-java@v5 | |
| # with: | |
| # distribution: adopt | |
| # java-version: 21 | |
| # check-latest: true | |
| # - name: Cached Gradle packages | |
| # uses: actions/cache@v4 | |
| # with: | |
| # key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} | |
| # path: | | |
| # ~/.gradle/caches | |
| # ~/.gradle/wrapper | |
| # ~/.gradle/dependency-check-data/ | |
| # - run: ( ./gradlew dependencyCheckAnalyze -PUseNVDKey ) | |
| # name: "Executing dependency vulnerability checks" | |
| # env: | |
| # NVD_API_KEY: ${{ secrets.NVD_API_KEY }} | |
| # sast-snyk: | |
| # if: github.ref == 'refs/heads/main' | |
| # runs-on: ubuntu-latest | |
| # needs: build | |
| # steps: | |
| # - uses: actions/checkout@v5 | |
| # - uses: snyk/actions/maven-3-jdk-21@master | |
| # name: Run Snyk scan for dependency and license | |
| # env: | |
| # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| # with: | |
| # args: --severity-threshold=high | |
| # - uses: actions/setup-java@v5 | |
| # with: | |
| # distribution: adopt | |
| # java-version: 21 | |
| # check-latest: true | |
| # - uses: snyk/actions/setup@master | |
| # - name: Snyk SAST code | |
| # run: snyk code test | |
| # env: | |
| # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| # sast-iac-trivy-hadolint: | |
| # runs-on: ubuntu-latest | |
| # needs: build | |
| # steps: | |
| # - uses: actions/checkout@v5 | |
| # - uses: hadolint/[email protected] | |
| # with: | |
| # dockerfile: Dockerfile | |
| # failure-threshold: error | |
| # - name: Run Trivy vulnerability for IAC | |
| # uses: aquasecurity/[email protected] | |
| # with: | |
| # scan-type: config | |
| # scan-ref: './' | |
| # exit-code: 1 | |
| # trivy-config: ./config/trivy/trivy.yaml | |
| # dependabot-pr-auto-merge: | |
| # runs-on: ubuntu-latest | |
| # needs: | |
| # - unit-test | |
| # - mutation-test | |
| # - dependency-vulnerability-analysis | |
| # - sast-iac-trivy-hadolint | |
| # if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'abhisheksr01/spring-boot-microservice-best-practices' | |
| # steps: | |
| # - name: Dependabot metadata | |
| # id: metadata | |
| # uses: dependabot/fetch-metadata@v2 | |
| # with: | |
| # github-token: ${{ secrets.GITHUB_TOKEN }} | |
| # - name: Enable auto-merge for Dependabot PRs | |
| ## if: contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-patch' | |
| # run: gh pr merge --auto --merge "$PR_URL" | |
| # env: | |
| # PR_URL: ${{github.event.pull_request.html_url}} | |
| # GH_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
| docker-build-scan-push: | |
| # if: github.ref == 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| # needs: | |
| # - unit-test | |
| # - mutation-test | |
| # - dependency-vulnerability-analysis | |
| # - sast-snyk | |
| # - sast-iac-trivy-hadolint | |
| # outputs: | |
| # is-dryrun-version-bumped: ${{ steps.bump-version.outputs.is-dryrun-version-bumped }} | |
| steps: | |
| - uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 | |
| - name: fetch-tags | |
| run: git fetch --tags origin | |
| shell: bash | |
| - id: bump-version | |
| uses: abhisheksr01/github-actions/[email protected] | |
| with: | |
| dry-run: true # Since we are setting dryrun argument the bump-version will always be available until 'current-version' is pushed as release | |
| - name: check-bump-version-output | |
| run: | | |
| echo "previous-version: ${{ steps.bump-version.outputs.previous-version }}" | |
| echo "bump-version: ${{ steps.bump-version.outputs.bump-version }}" | |
| echo "current-version: ${{ steps.bump-version.outputs.current-version }}" | |
| echo "is-version-bumped: ${{ steps.bump-version.outputs.is-version-bumped }}" | |
| echo "is-dryrun-version-bumped: ${{ steps.bump-version.outputs.is-dryrun-version-bumped }}" | |
| shell: bash | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Docker meta | |
| # if: ${{ steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }} | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: abhisheksr01/companieshouse | |
| context: git | |
| tags: | | |
| type=ref,event=pr | |
| type=semver,pattern={{version}},prefix=v,value=${{ steps.bump-version.outputs.bump-version }} | |
| labels: | | |
| "org.opencontainers.image.title": "abhisheksr01/companieshouse", | |
| "org.opencontainers.image.description": "Best practices and integrations available for Spring Boot based Microservice in a single repository with companieshouse API use case.", | |
| "org.opencontainers.image.url": "https://github.com/abhisheksr01/spring-boot-microservice-best-practices", | |
| "org.opencontainers.image.source": "https://github.com/abhisheksr01/spring-boot-microservice-best-practices", | |
| "org.opencontainers.image.version": ${{ steps.bump-version.outputs.bump-version }}, | |
| "org.opencontainers.image.created": "$(date +"%Y%m%d%H%M%S")", | |
| "org.opencontainers.image.revision": ${{ github.sha }}, | |
| "org.opencontainers.image.licenses": "MIT" | |
| - name: Build Image | |
| # if: ${{ steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }} | |
| uses: docker/build-push-action@v6 | |
| with: | |
| push: false | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| sbom: true | |
| provenance: true | |
| outputs: type=oci,dest=companieshouse.tar | |
| platforms: linux/amd64 | |
| - name: Scan Image | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: companieshouse.tar | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| scanners: 'vuln,secret,misconfig,license' | |
| - name: Push Image | |
| # if: ${{ github.event_name != 'pull_request' && steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }} # Only push on main branch & when version is bumped with dryrun. We will create tags and creates separately after proper testing | |
| run: | | |
| buildctl image import < companieshouse.tar | |
| buildctl image push --name ${{ steps.meta.outputs.tags }} | |
| # create-release: | |
| # if: ${{ needs.docker-build-push.outputs.is-dryrun-version-bumped == 'true' }} # Only release when new version is available | |
| # runs-on: ubuntu-latest | |
| # permissions: | |
| # contents: write # to be able to publish a GitHub release | |
| # needs: | |
| # - docker-build-scan-push | |
| # environment: | |
| # name: approve-release # Manual Approval to decide if we are ready to push tags and release | |
| # steps: | |
| # - uses: actions/checkout@v5 | |
| # with: | |
| # fetch-depth: 0 | |
| # fetch-tags: true | |
| # - uses: abhisheksr01/github-actions/[email protected] # Publishing the tags | |
| # id: bump-tag-version | |
| # - name: Generate changelog | |
| # run: cog changelog --at v${{ steps.bump-tag-version.outputs.current-version }} -t full_hash > CHANGELOG.md | |
| # - run: | | |
| # set -euo pipefail | |
| # echo "Creating release from tag $tag" | |
| # gh release create "$tag" \ | |
| # --title="$tag" \ | |
| # --repo="$GITHUB_REPOSITORY" \ | |
| # --notes-file CHANGELOG.md | |
| # env: | |
| # tag: v${{ steps.bump-tag-version.outputs.current-version }} | |
| # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |