Skip to content

ci: test

ci: test #126

Workflow file for this run

name: patch
on:
push:
paths:
- '**/*'
- '!README.md'
- '!images/**'
jobs:
immunize:
runs-on: ubuntu-latest
strategy:
fail-fast: true
matrix:
# images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0', 'mcr.microsoft.com/dotnet/aspnet:7.0.15-alpine3.18', 'docker.io/library/python:3.10.10-alpine3.17',
#'docker.io/library/golang:1.18.10', 'docker.io/library/node:18.17.1-slim', 'docker.io/library/rust:1.69.0', 'docker.io/library/python:3.5.10-slim']
images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0']
steps:
- name: Install Cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.2.2'
# - name: Set up Docker Buildx
# uses: docker/setup-buildx-action@dedd61cf5d839122591f5027c89bf3ad27691d18
- name: Generate Trivy Report
uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
with:
scan-type: 'image'
format: 'json'
output: 'report.json'
ignore-unfixed: true
vuln-type: 'os'
image-ref: ${{ matrix.images }}
- name: Check Vuln Count
id: vuln_count
run: |
report_file="report.json"
vuln_count=$(jq '.Results | length' "$report_file")
echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
- name: Set Tag
id: set_tag
run: |
TAG=$(echo "${{ matrix.images }}" | grep -oP '(?<=:).*' | grep -oP '^[^/]+')
IMMUNIZED_TAG="${TAG}-immunized"
PATCHED_TAG_SBOM=$(echo "${{matrix.images}}" | tr '/:' '-')
echo "PATCHED_TAG=${IMMUNIZED_TAG}" >> $GITHUB_ENV
echo "PATCHED_TAG_SBOM=${PATCHED_TAG_SBOM}" >> $GITHUB_ENV
- name: Copa Action
if: steps.vuln_count.outputs.vuln_count != '0'
id: copa
uses: sozercan/copa-action@out-vex
with:
image: ${{ matrix.images }}
image-report: 'report.json'
patched-tag: ${{ env.PATCHED_TAG }}
output: ${{ env.PATCHED_TAG_SBOM }}-openvex-report.json
# - name: list files
# run: |
# ls -al
# cat test.json
# sudo cat test.json
- name: Archive openvex vuln report
uses: actions/upload-artifact@v4
with:
name: ${{ env.PATCHED_TAG_SBOM }}-openvex-report
path: ${{ env.PATCHED_TAG_SBOM }}-openvex-report.json
- name: Log into ghcr
if: steps.copa.conclusion == 'success'
id: login
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Tag Image for GHCR
if: steps.login.conclusion == 'success'
run: |
docker tag ${{ steps.copa.outputs.patched-image }} ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}
- name: Docker Push Patched Image
id: push
if: steps.login.conclusion == 'success'
run: |
docker push ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}
- name: Produce Image SBOM
uses: anchore/sbom-action@v0
with:
image: "ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}"
artifact-name: ${{ env.PATCHED_TAG_SBOM }}.spdx.json
- name: Sign image with Cosign
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY "ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}"
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- name: Attest the Image with SBOM
run: |
echo "${{ env.PATCHED_TAG_SBOM }}"
SBOM_FILE=$(find /tmp/sbom-action-* -name "*${{ env.PATCHED_TAG_SBOM }}*.spdx.json" -type f)
echo "${SBOM_FILE}"
if [ -z "$SBOM_FILE" ]; then
echo "Error: .spdx file not found"
exit 1
fi
cosign attest --yes --key env://COSIGN_PRIVATE_KEY --type spdx --predicate "${SBOM_FILE}" "ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}"
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
send-mail-report:
runs-on: ubuntu-latest
needs: immunize
steps:
- name: Checkout Repository
uses: actions/checkout@v3
- name: Download openvex reports
uses: actions/download-artifact@v4
- name: List files
run : |
ls -lah
- name: Send Mail Report
run: |
python $GITHUB_WORKSPACE/send_mail_report.py
env:
EMAIL_RECIPIENTS: ${{ secrets.EMAIL_RECIPIENTS }}
EMAIL_ADDRESS: ${{ secrets.EMAIL_ADDRESS }}
EMAIL_PASSWORD: ${{ secrets.EMAIL_PASSWORD }}