-
Notifications
You must be signed in to change notification settings - Fork 9
123 lines (109 loc) · 3.95 KB
/
security.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
name: Vulnerability detection
on:
schedule:
- cron: '0 9 * * *'
push:
branches-ignore:
- master
jobs:
vulnerability-detection:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
## Alpine
### Alpine 3.15
- image: "alpine/3.15/8.0/Dockerfile"
tags: "8.0-alpine3.15"
platforms: "linux/amd64"
- image: "alpine/3.15/8.1/Dockerfile"
tags: "8.1-alpine3.15"
platforms: "linux/amd64"
### Alpine 3.16
- image: "alpine/3.16/8.0/Dockerfile"
tags: "8.0-alpine3.16"
platforms: "linux/amd64"
- image: "alpine/3.16/8.1/Dockerfile"
tags: "8.1-alpine3.16"
platforms: "linux/amd64"
- image: "alpine/3.16/8.2/Dockerfile"
tags: "8.2-alpine3.16"
platforms: "linux/amd64"
### Alpine 3.17
- image: "alpine/3.17/8.1/Dockerfile"
tags: "8.1-alpine3.17"
platforms: "linux/amd64"
- image: "alpine/3.17/8.2/Dockerfile"
tags: "8.2-alpine3.17"
platforms: "linux/amd64"
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Login to AWS ECR
uses: aws-actions/amazon-ecr-login@v1
- name: Build and push
id: docker-build
uses: docker/build-push-action@v2
with:
push: ${{ github.ref != 'refs/heads/master' }}
file: ${{ matrix.image }}
tags: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ secrets.AWS_ECR_REPO }}:${{ matrix.tags }}-${{ github.sha }}
platforms: ${{ matrix.platforms }}
- name: Scan Docker image
id: docker-scan
uses: alexjurkiewicz/[email protected]
with:
repository: ${{ secrets.AWS_ECR_REPO }}
tag: ${{ join(matrix.tags) }}-${{ github.sha }}
- name: Delete images after scan images
run: |
aws ecr batch-delete-image --repository-name ${{ secrets.AWS_ECR_REPO }} --image-id imageTag="${{ join(matrix.tags) }}-${{ github.sha }}"
- run: |
echo "${{ steps.docker-scan.outputs.total }} total vulnerabilities."
- name: Set Date and Time
id: set-date
if: github.event.schedule == '0 9 * * *'
run: echo "::set-output name=current_datetime::$(date +'%Y-%m-%d %H:%M:%S')"
- name: Set Color
id: set-color
if: github.event.schedule == '0 9 * * *'
run: |
if [[ "${{ true }}" ]]; then
COLOR="#008000"
else
COLOR="#ff0000"
fi
echo "::set-output name=color::$COLOR"
- name: Send GitHub Action trigger data to Slack workflow
id: slack
if: github.event.schedule == '0 9 * * *'
uses: slackapi/[email protected]
with:
payload: |
{
"text": "Scanned image tag *${{ matrix.tags }}*.",
"attachments": [
{
"pretext": "Vulnerability scan outputs for ${{ steps.set-date.outputs.current_datetime }}",
"color": "${{ steps.set-color.outputs.color }}",
"fields": [
{
"title": "Status",
"short": true,
"value": "*${{ steps.docker-scan.outputs.total }}* total vulnerabilities"
}
]
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
- name: Fail the execution
if: ${{ steps.docker-scan.outputs.total > 0 }}
run: exit 1