Merge pull request #14 from cupofpython/scout

cupofpython · web-flow · commit f192422dbe25 · 2025-04-07T14:25:52.000-04:00
add scout job
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
@@ -11,7 +11,8 @@ on:
         type: string
 
 env:
-  IMAGE_NAME: samanthamorris684/catbot
+  REGISTRY: samanthamorris684
+  IMAGE_NAME: catbot
   USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
   PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
 
@@ -30,9 +31,8 @@ jobs:
       
       - name: Build and push the Docker image
         run: |
-          docker build -t $IMAGE_NAME:${{ inputs.IMAGE_TAG }} .
-          docker push $IMAGE_NAME:${{ inputs.IMAGE_TAG }}
-
+          docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ inputs.IMAGE_TAG }} .
+          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ inputs.IMAGE_TAG }}
         
         
     
diff --git a/.github/workflows/deploy-to-eks.yml b/.github/workflows/deploy-to-eks.yml
@@ -15,7 +15,8 @@ on:
         type: string
 
 env:
-  IMAGE_NAME: samanthamorris684/catbot
+  REGISTRY: samanthamorris684
+  IMAGE_NAME: catbot
   EKS_CLUSTER_NAME: catbot-cluster
   NAMESPACE: cat-chatbot
 
@@ -36,5 +37,5 @@ jobs:
       
       - name: Deploy to EKS
         run: |
-          kubectl set image deployment/server server=${{ env.IMAGE_NAME }}:${{ inputs.IMAGE_TAG }} -n ${{ env.NAMESPACE }}
+          kubectl set image deployment/server server=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ inputs.IMAGE_TAG }} -n ${{ env.NAMESPACE }}
           kubectl rollout status deployment/server -n ${{ env.NAMESPACE }}
diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml
diff --git a/.github/workflows/main-branch.yml b/.github/workflows/main-branch.yml
@@ -4,9 +4,6 @@ on:
   push:
     branches: main
 
-env:
-  IMAGE_NAME: samanthamorris684/catbot
-
 jobs:
   build-and-push-image:
     uses: ./.github/workflows/build-and-push.yml
diff --git a/.github/workflows/pull-request-workflow.yml b/.github/workflows/pull-request-workflow.yml
@@ -0,0 +1,21 @@
+name: Pull request workflow
+
+on:
+  pull_request
+
+jobs:
+  build-and-push-image:
+    uses: ./.github/workflows/build-and-push.yml
+    with:
+      IMAGE_TAG: pr-${{ github.event.number }}
+    secrets:
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+  scout:
+    permissions:
+      pull-requests: write
+    needs: build-and-push-image
+    uses: ./.github/workflows/scout.yml
+    with:
+      IMAGE_TAG: pr-${{ github.event.number }}
+    secrets:
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
diff --git a/.github/workflows/scout.yml b/.github/workflows/scout.yml
@@ -0,0 +1,40 @@
+name: Security workflow
+on:
+  workflow_call:
+    secrets:
+      DOCKERHUB_TOKEN:
+        required: true
+    inputs:
+      IMAGE_TAG:
+        required: true
+        type: string
+
+env:
+  REGISTRY: samanthamorris684
+  IMAGE_NAME: catbot
+  # Change from latest
+  COMPARE_TAG: latest
+  USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
+  PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
+
+jobs:
+  scout:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3.4.0
+        with:
+          username: ${{ env.USERNAME }}
+          password: ${{ env.PASSWORD }}
+      
+      - name: Docker Scout
+        id: docker-scout
+        uses: docker/scout-action@v1
+        with:
+          command: compare
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ inputs.IMAGE_TAG }}
+          to: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.COMPARE_TAG }}
+          ignore-unchanged: true
+          only-severities: critical,high
+          write-comment: true
+          github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
