diff --git a/.github/workflows/patch.yaml b/.github/workflows/patch.yaml
index 2cd4a4e..ababc9f 100644
--- a/.github/workflows/patch.yaml
+++ b/.github/workflows/patch.yaml
@@ -1,69 +1,71 @@
 on: [push]
 jobs:
- test:
- runs-on: ubuntu-latest
+ test:
+ runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- matrix:
- images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0']
+ strategy:
+ fail-fast: false
+ matrix:
+ # provide relevant list of images to scan on each run
+ images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0', 'docker.io/library/hello-world:latest']
- steps:
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@dedd61cf5d839122591f5027c89bf3ad27691d18
+ steps:
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@dedd61cf5d839122591f5027c89bf3ad27691d18
- - name: Generate Trivy Report
- uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
- with:
- scan-type: 'image'
- format: 'json'
- output: 'report.json'
- ignore-unfixed: true
- vuln-type: 'os'
- image-ref: ${{ matrix.images }}
+ - name: Generate Trivy Report
+ uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
+ with:
+ scan-type: 'image'
+ format: 'json'
+ output: 'report.json'
+ ignore-unfixed: true
+ vuln-type: 'os'
+ image-ref: ${{ matrix.images }}
- - name: Check Vuln Count
- id: vuln_count
- run: |
- report_file="report.json"
- vuln_count=$(jq '.Results | length' "$report_file")
- echo "vuln_count=$vuln_count" >> $GITHUB_ENV
+ - name: Check Vuln Count
+ id: vuln_count
+ run: |
+ report_file="report.json"
+ vuln_count=$(jq '.Results | length' "$report_file")
+ echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
- - name: Copa Action
- if: steps.vuln_count.outputs.vuln_count != '0'
- id: copa
- uses: project-copacetic/copa-action@v1.0.0
- with:
- image: ${{ matrix.images }}
- image-report: 'report.json'
- patched-tag: 'patched'
- buildkit-version: 'v0.11.6'
- copa-version: '0.3.0'
+ - name: Copa Action
+ if: steps.vuln_count.outputs.vuln_count != '0'
+ id: copa
+ uses: project-copacetic/copa-action@v1.0.0
+ with:
+ image: ${{ matrix.images }}
+ image-report: 'report.json'
+ patched-tag: 'patched'
+ buildkit-version: 'v0.11.6'
+ # optional, default is latest
+ copa-version: '0.3.0'
- - name: Modify Patched Image Names
- id: modify_images
- run: |
- PATCHED_IMAGES=""
- for image in ${{ matrix.images }}; do
- # Modify image names based on your requirements
- patched_image="docker.io/r3drun3/$(basename $image)-immunized"
- PATCHED_IMAGES="$PATCHED_IMAGES $patched_image"
- done
- echo $PATCHED_IMAGES
- echo "patched_images=$PATCHED_IMAGES" >> $GITHUB_ENV
+ - name: Modify Patched Image Names
+ id: modify_images
+ run: |
+ PATCHED_IMAGES=""
+ for image in ${{ matrix.images }}; do
+ # Modify image names based on your requirements
+ patched_image="docker.io/r3drun3/$(basename $image)-immunized"
+ PATCHED_IMAGES="$PATCHED_IMAGES $patched_image"
+ done
+ echo $PATCHED_IMAGES
+ echo "patched_images=$PATCHED_IMAGES" >> $GITHUB_ENV
- - name: Login to Docker Hub
- if: steps.copa.conclusion == 'success'
- id: login
- uses: docker/login-action@b4bedf8053341df3b5a9f9e0f2cf4e79e27360c6
- with:
- username: r3drun3
- password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Login to Docker Hub
+ if: steps.copa.conclusion == 'success'
+ id: login
+ uses: docker/login-action@b4bedf8053341df3b5a9f9e0f2cf4e79e27360c6
+ with:
+ username: r3drun3
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Docker Push Patched Images
- if: steps.login.conclusion == 'success'
- run: |
- for patched_image in ${{ steps.modify_images.outputs.patched_images }}; do
- docker push $patched_image
- done
+ - name: Docker Push Patched Images
+ if: steps.login.conclusion == 'success'
+ run: |
+ for patched_image in ${{ steps.modify_images.outputs.patched_images }}; do
+ docker push $patched_image
+ done
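Review bot: The push step's loop reads `steps.modify_images.outputs.patched_images`, but the `Modify Patched Image Names` step still writes `patched_images` to `$GITHUB_ENV`, so that step output is never set and the loop body runs zero times; the commit fixed the same mismatch for `vuln_count` but not here — change the step's last line to `echo "patched_images=$PATCHED_IMAGES" >> $GITHUB_OUTPUT`. Even with that fixed, nothing in the hunk retags Copa's result under the computed `docker.io/r3drun3/<name>-immunized` reference (as far as I can tell the Copa action produces `<image>:patched`), so `docker push` would fail on a missing local image unless a `docker tag` of the patched image precedes it. Separately, `jq '.Results | length'` counts scan targets rather than findings, so an image with a Results entry but no vulnerabilities would still satisfy `vuln_count != '0'`; `jq '[.Results[]?.Vulnerabilities[]?] | length'` counts what the condition is named for. On the supply-chain side, `project-copacetic/copa-action@v1.0.0` is the only action here referenced by a mutable tag while the others are pinned to commit SHAs; pin it the same way, since this job holds a Docker Hub push token and runs on every push.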