From 000f213efcd4e98ac3462086c47de58005c4b697 Mon Sep 17 00:00:00 2001 From: Andreas Bucksteeg Date: Fri, 27 Dec 2024 14:00:57 +0100 Subject: [PATCH] chore: add cve-scan.yaml to server template, download of shellcheck for macos/ARM (#224) --- .github/workflows/format.yml | 2 +- .github/workflows/licenses.yml | 4 +- .github/workflows/stale.yml | 10 +- .github/workflows/sync.yml | 8 +- .github/workflows/text-run.yml | 2 +- Makefile | 17 ++- .../.github/workflows/release_tagger.yml | 2 +- .../.github/ISSUE_TEMPLATE/BUG-REPORT.yml | 66 ++++----- .../.github/ISSUE_TEMPLATE/DESIGN-DOC.yml | 48 +++--- .../ISSUE_TEMPLATE/FEATURE-REQUEST.yml | 48 +++--- .../common/.github/ISSUE_TEMPLATE/config.yml | 6 +- .../repository/common/.github/config.yml | 2 +- .../.github/workflows/closed_references.yml | 6 +- .../common/.github/workflows/stale.yml | 10 +- .../server/.github/workflows/cve-scan.yaml | 138 ++++++++++++++++++ 15 files changed, 247 insertions(+), 122 deletions(-) create mode 100644 templates/repository/server/.github/workflows/cve-scan.yaml diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index c18d880..b1182a5 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -11,7 +11,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v2 with: - node-version: '18.10' + node-version: "18.10" - uses: actions/setup-go@v3 with: go-version: 1.19 diff --git a/.github/workflows/licenses.yml b/.github/workflows/licenses.yml index 7dcf1b2..9ef147d 100644 --- a/.github/workflows/licenses.yml +++ b/.github/workflows/licenses.yml @@ -14,8 +14,8 @@ jobs: - uses: actions/checkout@v2 - uses: actions/setup-go@v2 with: - go-version: '1.18' + go-version: "1.18" - uses: actions/setup-node@v2 with: - node-version: '18.10' + node-version: "18.10" - run: make licenses diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index f8657ac..702e037 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
@@ -1,8 +1,8 @@ -name: 'Close Stale Issues' +name: "Close Stale Issues" on: workflow_dispatch: schedule: - - cron: '0 0 * * *' + - cron: "0 0 * * *" jobs: stale: @@ -17,8 +17,8 @@ jobs: stale-pr-message: | Thank you for opening this pull request. It appears that a request for e.g. information has not yet been completed. Therefore this issue will be automatically closed in 7 days, assuming that the proposed change is no longer required or has otherwise been resolved. - stale-issue-label: 'stale' - stale-pr-label: 'stale' - only-labels: 'needs more info' + stale-issue-label: "stale" + stale-pr-label: "stale" + only-labels: "needs more info" days-before-stale: 7 days-before-close: 7 diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml index 084d70a..a8393cf 100644 --- a/.github/workflows/sync.yml +++ b/.github/workflows/sync.yml @@ -6,10 +6,10 @@ on: # action is triggered on push to the following paths push: paths: - - 'templates/**' - - 'scripts/sync*' - - 'package.json' - - '.github/workflows/sync.yml' + - "templates/**" + - "scripts/sync*" + - "package.json" + - ".github/workflows/sync.yml" branches: - master diff --git a/.github/workflows/text-run.yml b/.github/workflows/text-run.yml index 858217d..26fe38b 100644 --- a/.github/workflows/text-run.yml +++ b/.github/workflows/text-run.yml @@ -16,6 +16,6 @@ jobs: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 with: - node-version: '15' + node-version: "15" - run: npm ci - run: npm run text-run diff --git a/Makefile b/Makefile index 0626931..5ca3135 100644 --- a/Makefile +++ b/Makefile 
@@ -26,11 +26,20 @@ test: .bin/shellcheck .bin/shfmt node_modules # runs all linters .bin/shellcheck: Makefile echo installing Shellcheck ... - curl -sSL https://github.com/koalaman/shellcheck/releases/download/stable/shellcheck-stable.linux.x86_64.tar.xz | tar xJ mkdir -p .bin - mv shellcheck-stable/shellcheck .bin - rm -rf shellcheck-stable - touch .bin/shellcheck # update the timestamp so that Make doesn't re-install the file over and over again + if [ "$$(uname -s)" = "Darwin" ] && [ "$$(uname -m)" = "arm64" ]; then \ + echo " - detected macOS ARM64" && \ + curl -sSL https://github.com/koalaman/shellcheck/releases/download/v0.10.0/shellcheck-v0.10.0.darwin.aarch64.tar.xz | tar xJ; \ + elif [ "$$(uname -s)" = "Linux" ] && [ "$$(uname -m)" = "x86_64" ]; then \ + echo " - detected Linux AMD64" && \ + curl -sSL https://github.com/koalaman/shellcheck/releases/download/v0.10.0/shellcheck-v0.10.0.linux.x86_64.tar.xz | tar xJ; \ + else \ + echo " - unsupported architecture: $$(uname -s) $$(uname -m)" && \ + exit 1; \ + fi + mv shellcheck-v0.10.0/shellcheck .bin + rm -rf shellcheck-v0.10.0 + touch .bin/shellcheck .bin/shfmt: Makefile echo "Installing Shellfmt ..." diff --git a/templates/repository/action/.github/workflows/release_tagger.yml b/templates/repository/action/.github/workflows/release_tagger.yml index f37d4ad..11eb443 100644 --- a/templates/repository/action/.github/workflows/release_tagger.yml +++ b/templates/repository/action/.github/workflows/release_tagger.yml @@ -10,6 +10,6 @@ jobs: steps: - uses: Actions-R-Us/actions-tagger@latest env: - GITHUB_TOKEN: '${{ github.token }}' + GITHUB_TOKEN: "${{ github.token }}" with: publish_latest_tag: true diff --git a/templates/repository/common/.github/ISSUE_TEMPLATE/BUG-REPORT.yml b/templates/repository/common/.github/ISSUE_TEMPLATE/BUG-REPORT.yml index 7e7f3b4..13cdb34 100644 --- a/templates/repository/common/.github/ISSUE_TEMPLATE/BUG-REPORT.yml 
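Review bot: Both new `curl -sSL … | tar xJ` lines still extract whatever the download returns with no integrity check, so the pin to v0.10.0 fixes reproducibility but not authenticity — anyone who can tamper with that transfer or the release asset gets code execution on every developer machine and CI runner that runs `make test`. Download to a file, compare it against a SHA-256 recorded in the Makefile (taken from the upstream release and confirmed out of band), and only then extract; adding `-f` to curl also stops an HTTP error body from being handed to tar. A sketch follows; the hash placeholders must be filled from the release, and on macOS `sha256sum` may have to be `shasum -a 256`.
```makefile
.bin/shellcheck: Makefile
	echo installing Shellcheck ...
	mkdir -p .bin
	if [ "$$(uname -s)" = "Darwin" ] && [ "$$(uname -m)" = "arm64" ]; then \
		ARCHIVE=shellcheck-v0.10.0.darwin.aarch64.tar.xz; SHA256=<sha256 of the darwin.aarch64 asset of the v0.10.0 release>; \
	elif [ "$$(uname -s)" = "Linux" ] && [ "$$(uname -m)" = "x86_64" ]; then \
		ARCHIVE=shellcheck-v0.10.0.linux.x86_64.tar.xz; SHA256=<sha256 of the linux.x86_64 asset of the v0.10.0 release>; \
	else \
		echo " - unsupported architecture: $$(uname -s) $$(uname -m)" && exit 1; \
	fi; \
	curl -fsSL -o "$$ARCHIVE" "https://github.com/koalaman/shellcheck/releases/download/v0.10.0/$$ARCHIVE"; \
	echo "$$SHA256  $$ARCHIVE" | sha256sum -c - || { rm -f "$$ARCHIVE"; exit 1; }; \
	tar xJf "$$ARCHIVE"; rm -f "$$ARCHIVE"
	# … unchanged: mv shellcheck-v0.10.0/shellcheck .bin, rm -rf shellcheck-v0.10.0, touch .bin/shellcheck …
```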
+++ b/templates/repository/common/.github/ISSUE_TEMPLATE/BUG-REPORT.yml 
@@ -1,45 +1,40 @@ -description: 'Create a bug report' +description: "Create a bug report" labels: - bug -name: 'Bug Report' +name: "Bug Report" body: - attributes: value: "Thank you for taking the time to fill out this bug report!\n" type: markdown - attributes: - label: 'Preflight checklist' + label: "Preflight checklist" options: - - label: - 'I could not find a solution in the existing issues, docs, nor - discussions.' + - label: "I could not find a solution in the existing issues, docs, nor + discussions." required: true - - label: - "I agree to follow this project's [Code of + - label: "I agree to follow this project's [Code of Conduct](https://github.com/$REPOSITORY/blob/master/CODE_OF_CONDUCT.md)." required: true - - label: - "I have read and am following this repository's [Contribution + - label: "I have read and am following this repository's [Contribution Guidelines](https://github.com/$REPOSITORY/blob/master/CONTRIBUTING.md)." required: true - - label: - 'I have joined the [Ory Community Slack](https://slack.ory.sh).' - - label: - 'I am signed up to the [Ory Security Patch - Newsletter](https://www.ory.sh/l/sign-up-newsletter).' + - label: "I have joined the [Ory Community Slack](https://slack.ory.sh)." + - label: "I am signed up to the [Ory Security Patch + Newsletter](https://www.ory.sh/l/sign-up-newsletter)." id: checklist type: checkboxes - attributes: description: - 'Enter the slug or API URL of the affected Ory Network project. Leave - empty when you are self-hosting.' - label: 'Ory Network Project' - placeholder: 'https://.projects.oryapis.com' + "Enter the slug or API URL of the affected Ory Network project. Leave + empty when you are self-hosting." + label: "Ory Network Project" + placeholder: "https://.projects.oryapis.com" id: ory-network-project type: input - attributes: - description: 'A clear and concise description of what the bug is.' - label: 'Describe the bug' - placeholder: 'Tell us what you see!' 
+ description: "A clear and concise description of what the bug is." + label: "Describe the bug" + placeholder: "Tell us what you see!" id: describe-bug type: textarea validations: @@ -53,17 +48,16 @@ body: 1. Run `docker run ....` 2. Make API Request to with `curl ...` 3. Request fails with response: `{"some": "error"}` - label: 'Reproducing the bug' + label: "Reproducing the bug" id: reproduce-bug type: textarea validations: required: true - attributes: - description: - 'Please copy and paste any relevant log output. This will be + description: "Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks. Please - redact any sensitive information' - label: 'Relevant log output' + redact any sensitive information" + label: "Relevant log output" render: shell placeholder: | log=error .... @@ -71,10 +65,10 @@ body: type: textarea - attributes: description: - 'Please copy and paste any relevant configuration. This will be + "Please copy and paste any relevant configuration. This will be automatically formatted into code, so no need for backticks. Please - redact any sensitive information!' - label: 'Relevant configuration' + redact any sensitive information!" + label: "Relevant configuration" render: yml placeholder: | server: @@ -83,14 +77,14 @@ body: id: config type: textarea - attributes: - description: 'What version of our software are you running?' + description: "What version of our software are you running?" label: Version id: version type: input validations: required: true - attributes: - label: 'On which operating system are you observing this issue?' + label: "On which operating system are you observing this issue?" options: - Ory Network - macOS 
@@ -101,19 +95,19 @@ body: id: operating-system type: dropdown - attributes: - label: 'In which environment are you deploying?' + label: "In which environment are you deploying?" options: - Ory Network - Docker - - 'Docker Compose' - - 'Kubernetes with Helm' + - "Docker Compose" + - "Kubernetes with Helm" - Kubernetes - Binary - Other id: deployment type: dropdown - attributes: - description: 'Add any other context about the problem here.' + description: "Add any other context about the problem here." label: Additional Context id: additional type: textarea diff --git a/templates/repository/common/.github/ISSUE_TEMPLATE/DESIGN-DOC.yml b/templates/repository/common/.github/ISSUE_TEMPLATE/DESIGN-DOC.yml index 635ba7e..e4b70b2 100644 --- a/templates/repository/common/.github/ISSUE_TEMPLATE/DESIGN-DOC.yml +++ b/templates/repository/common/.github/ISSUE_TEMPLATE/DESIGN-DOC.yml @@ -1,8 +1,7 @@ -description: - 'A design document is needed for non-trivial changes to the code base.' +description: "A design document is needed for non-trivial changes to the code base." labels: - rfc -name: 'Design Document' +name: "Design Document" body: - attributes: value: | 
@@ -18,39 +17,34 @@ body: after code reviews, and your pull requests will be merged faster. type: markdown - attributes: - label: 'Preflight checklist' + label: "Preflight checklist" options: - - label: - 'I could not find a solution in the existing issues, docs, nor - discussions.' + - label: "I could not find a solution in the existing issues, docs, nor + discussions." required: true - - label: - "I agree to follow this project's [Code of + - label: "I agree to follow this project's [Code of Conduct](https://github.com/$REPOSITORY/blob/master/CODE_OF_CONDUCT.md)." required: true - - label: - "I have read and am following this repository's [Contribution + - label: "I have read and am following this repository's [Contribution Guidelines](https://github.com/$REPOSITORY/blob/master/CONTRIBUTING.md)." required: true - - label: - 'I have joined the [Ory Community Slack](https://slack.ory.sh).' - - label: - 'I am signed up to the [Ory Security Patch - Newsletter](https://www.ory.sh/l/sign-up-newsletter).' + - label: "I have joined the [Ory Community Slack](https://slack.ory.sh)." + - label: "I am signed up to the [Ory Security Patch + Newsletter](https://www.ory.sh/l/sign-up-newsletter)." id: checklist type: checkboxes - attributes: description: - 'Enter the slug or API URL of the affected Ory Network project. Leave - empty when you are self-hosting.' - label: 'Ory Network Project' - placeholder: 'https://.projects.oryapis.com' + "Enter the slug or API URL of the affected Ory Network project. Leave + empty when you are self-hosting." + label: "Ory Network Project" + placeholder: "https://.projects.oryapis.com" id: ory-network-project type: input - attributes: description: | This section gives the reader a very rough overview of the landscape in which the new system is being built and what is actually being built. This isn’t a requirements doc. Keep it succinct! 
The goal is that readers are brought up to speed but some previous knowledge can be assumed and detailed info can be linked to. This section should be entirely focused on objective background facts. - label: 'Context and scope' + label: "Context and scope" id: scope type: textarea validations: @@ -59,7 +53,7 @@ body: - attributes: description: | A short list of bullet points of what the goals of the system are, and, sometimes more importantly, what non-goals are. Note, that non-goals aren’t negated goals like “The system shouldn’t crash”, but rather things that could reasonably be goals, but are explicitly chosen not to be goals. A good example would be “ACID compliance”; when designing a database, you’d certainly want to know whether that is a goal or non-goal. And if it is a non-goal you might still select a solution that provides it, if it doesn’t introduce trade-offs that prevent achieving the goals. - label: 'Goals and non-goals' + label: "Goals and non-goals" id: goals type: textarea validations: @@ -71,7 +65,7 @@ body: The design doc is the place to write down the trade-offs you made in designing your software. Focus on those trade-offs to produce a useful document with long-term value. That is, given the context (facts), goals and non-goals (requirements), the design doc is the place to suggest solutions and show why a particular solution best satisfies those goals. The point of writing a document over a more formal medium is to provide the flexibility to express the problem at hand in an appropriate manner. Because of this, there is no explicit guidance on how to actually describe the design. - label: 'The design' + label: "The design" id: design type: textarea validations: 
@@ -80,21 +74,21 @@ body: - attributes: description: | If the system under design exposes an API, then sketching out that API is usually a good idea. In most cases, however, one should withstand the temptation to copy-paste formal interface or data definitions into the doc as these are often verbose, contain unnecessary detail and quickly get out of date. Instead, focus on the parts that are relevant to the design and its trade-offs. - label: 'APIs' + label: "APIs" id: apis type: textarea - attributes: description: | Systems that store data should likely discuss how and in what rough form this happens. Similar to the advice on APIs, and for the same reasons, copy-pasting complete schema definitions should be avoided. Instead, focus on the parts that are relevant to the design and its trade-offs. - label: 'Data storage' + label: "Data storage" id: persistence type: textarea - attributes: description: | Design docs should rarely contain code, or pseudo-code except in situations where novel algorithms are described. As appropriate, link to prototypes that show the feasibility of the design. - label: 'Code and pseudo-code' + label: "Code and pseudo-code" id: pseudocode type: textarea 
@@ -107,7 +101,7 @@ body: On the other end are systems where the possible solutions are very well defined, but it isn't at all obvious how they could even be combined to achieve the goals. This may be a legacy system that is difficult to change and wasn't designed to do what you want it to do or a library design that needs to operate within the constraints of the host programming language. In this situation, you may be able to enumerate all the things you can do relatively easily, but you need to creatively put those things together to achieve the goals. There may be multiple solutions, and none of them are great, and hence such a document should focus on selecting the best way given all identified trade-offs. - label: 'Degree of constraint' + label: "Degree of constraint" id: constrait type: textarea diff --git a/templates/repository/common/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml b/templates/repository/common/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml index 43ce5db..321e3e7 100644 --- a/templates/repository/common/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml +++ b/templates/repository/common/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml @@ -1,8 +1,7 @@ -description: - 'Suggest an idea for this project without a plan for implementation' +description: "Suggest an idea for this project without a plan for implementation" labels: - feat -name: 'Feature Request' +name: "Feature Request" body: - attributes: value: | 
@@ -11,39 +10,33 @@ body: If you already have a plan to implement a feature or a change, please create a [design document](https://github.com/aeneasr/gh-template-test/issues/new?assignees=&labels=rfc&template=DESIGN-DOC.yml) instead if the change is non-trivial! type: markdown - attributes: - label: 'Preflight checklist' + label: "Preflight checklist" options: - - label: - 'I could not find a solution in the existing issues, docs, nor - discussions.' + - label: "I could not find a solution in the existing issues, docs, nor + discussions." required: true - - label: - "I agree to follow this project's [Code of + - label: "I agree to follow this project's [Code of Conduct](https://github.com/$REPOSITORY/blob/master/CODE_OF_CONDUCT.md)." required: true - - label: - "I have read and am following this repository's [Contribution + - label: "I have read and am following this repository's [Contribution Guidelines](https://github.com/$REPOSITORY/blob/master/CONTRIBUTING.md)." required: true - - label: - 'I have joined the [Ory Community Slack](https://slack.ory.sh).' - - label: - 'I am signed up to the [Ory Security Patch - Newsletter](https://www.ory.sh/l/sign-up-newsletter).' + - label: "I have joined the [Ory Community Slack](https://slack.ory.sh)." + - label: "I am signed up to the [Ory Security Patch + Newsletter](https://www.ory.sh/l/sign-up-newsletter)." id: checklist type: checkboxes - attributes: description: - 'Enter the slug or API URL of the affected Ory Network project. Leave - empty when you are self-hosting.' - label: 'Ory Network Project' - placeholder: 'https://.projects.oryapis.com' + "Enter the slug or API URL of the affected Ory Network project. Leave + empty when you are self-hosting." + label: "Ory Network Project" + placeholder: "https://.projects.oryapis.com" id: ory-network-project type: input - attributes: - description: - 'Is your feature request related to a problem? Please describe.' 
- label: 'Describe your problem' + description: "Is your feature request related to a problem? Please describe." + label: "Describe your problem" placeholder: "A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]" @@ -56,28 +49,27 @@ body: Describe the solution you'd like placeholder: | A clear and concise description of what you want to happen. - label: 'Describe your ideal solution' + label: "Describe your ideal solution" id: solution type: textarea validations: required: true - attributes: description: "Describe alternatives you've considered" - label: 'Workarounds or alternatives' + label: "Workarounds or alternatives" id: alternatives type: textarea validations: required: true - attributes: - description: 'What version of our software are you running?' + description: "What version of our software are you running?" label: Version id: version type: input validations: required: true - attributes: - description: - 'Add any other context or screenshots about the feature request here.' + description: "Add any other context or screenshots about the feature request here." label: Additional Context id: additional type: textarea diff --git a/templates/repository/common/.github/ISSUE_TEMPLATE/config.yml b/templates/repository/common/.github/ISSUE_TEMPLATE/config.yml index 02d86b3..49a589a 100644 --- a/templates/repository/common/.github/ISSUE_TEMPLATE/config.yml +++ b/templates/repository/common/.github/ISSUE_TEMPLATE/config.yml @@ -2,10 +2,8 @@ blank_issues_enabled: false contact_links: - name: Ory $PROJECT Forum url: $DISCUSSIONS - about: - Please ask and answer questions here, show your implementations and + about: Please ask and answer questions here, show your implementations and discuss ideas. - name: Ory Chat url: https://www.ory.sh/chat - about: - Hang out with other Ory community members to ask and answer questions. + about: Hang out with other Ory community members to ask and answer questions. 
diff --git a/templates/repository/common/.github/config.yml b/templates/repository/common/.github/config.yml index 0d121fe..ea33569 100644 --- a/templates/repository/common/.github/config.yml +++ b/templates/repository/common/.github/config.yml @@ -1,3 +1,3 @@ todo: - keyword: '@todo' + keyword: "@todo" label: todo diff --git a/templates/repository/common/.github/workflows/closed_references.yml b/templates/repository/common/.github/workflows/closed_references.yml index ebafc8a..2789ac4 100644 --- a/templates/repository/common/.github/workflows/closed_references.yml +++ b/templates/repository/common/.github/workflows/closed_references.yml @@ -2,13 +2,13 @@ name: Closed Reference Notifier on: schedule: - - cron: '0 0 * * *' + - cron: "0 0 * * *" workflow_dispatch: inputs: issueLimit: description: Max. number of issues to create required: true - default: '5' + default: "5" jobs: find_closed_references: @@ -19,7 +19,7 @@ jobs: - uses: actions/checkout@v2 - uses: actions/setup-node@v2-beta with: - node-version: '14' + node-version: "14" - uses: ory/closed-reference-notifier@v1 with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/templates/repository/common/.github/workflows/stale.yml b/templates/repository/common/.github/workflows/stale.yml index b168ce9..666299c 100644 --- a/templates/repository/common/.github/workflows/stale.yml +++ b/templates/repository/common/.github/workflows/stale.yml @@ -1,8 +1,8 @@ -name: 'Close Stale Issues' +name: "Close Stale Issues" on: workflow_dispatch: schedule: - - cron: '0 0 * * *' + - cron: "0 0 * * *" jobs: stale: 
@@ -35,10 +35,10 @@ jobs: Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you! Thank you 🙏✌️ - stale-issue-label: 'stale' - exempt-issue-labels: 'bug,blocking,docs,backlog' + stale-issue-label: "stale" + exempt-issue-labels: "bug,blocking,docs,backlog" days-before-stale: 365 days-before-close: 30 exempt-milestones: true exempt-assignees: true - only-pr-labels: 'stale' + only-pr-labels: "stale" diff --git a/templates/repository/server/.github/workflows/cve-scan.yaml b/templates/repository/server/.github/workflows/cve-scan.yaml new file mode 100644 index 0000000..b1335ce --- /dev/null +++ b/templates/repository/server/.github/workflows/cve-scan.yaml 
@@ -0,0 +1,138 @@
+name: Docker Image Scanners
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - "master"
+ tags:
+ - "v*.*.*"
+ pull_request:
+ branches:
+ - "master"
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ scanners:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Setup Env
+ id: vars
+ shell: bash
+ run: |
+ # Store values in local variables
+ SHA_SHORT=$(git rev-parse --short HEAD)
+ REPO_NAME=${{ github.event.repository.name }}
+
+ # Append -sqlite to SHA_SHORT if repo is hydra
+ if [ "${REPO_NAME}" = "hydra" ]; then
+ echo "Repo is hydra, appending -sqlite to SHA_SHORT"
+ IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}-sqlite"
+ else
+ echo "Repo is not hydra, using default IMAGE_NAME"
+ IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}"
+ fi
+
+ # Output values for debugging
+ echo "Values to be set:"
+ echo "SHA_SHORT: ${SHA_SHORT}"
+ echo "REPO_NAME: ${REPO_NAME}"
+ echo "IMAGE_NAME: ${IMAGE_NAME}"
+
+ # Set GitHub Environment variables
+ echo "SHA_SHORT=${SHA_SHORT}" >> "${GITHUB_ENV}"
+ echo "IMAGE_NAME=${IMAGE_NAME}" >> "${GITHUB_ENV}"
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build images
+ shell: bash
+ run: |
+ IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Configure Trivy
+ run: |
+ mkdir -p $HOME/.cache/trivy
+ echo "TRIVY_USERNAME=${{ github.actor }}" >> $GITHUB_ENV
+ echo "TRIVY_PASSWORD=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
+
+ - name: Anchore Scanner
+ uses: anchore/scan-action@v5
+ id: grype-scan
+ with:
+ image: ${{ env.IMAGE_NAME }}
+ fail-build: true
+ severity-cutoff: high
+ add-cpes-if-none: true
+ - name: Inspect action SARIF report
+ shell: bash
+ if: ${{ always() }}
+ run: |
+ echo "::group::Anchore Scan Details"
+ jq '.runs[0].results' ${{ steps.grype-scan.outputs.sarif }}
+ echo "::endgroup::"
+ - name: Anchore upload scan SARIF report
+ if: always()
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.grype-scan.outputs.sarif }}
+ - name: Kubescape scanner
+ uses: kubescape/github-action@main
+ id: kubescape
+ with:
+ image: ${{ env.IMAGE_NAME }}
+ verbose: true
+ format: pretty-printer
+ # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
+ severityThreshold: critical
+ - name: Trivy Scanner
+ uses: aquasecurity/trivy-action@master
+ if: ${{ always() }}
+ with:
+ image-ref: ${{ env.IMAGE_NAME }}
+ format: "table"
+ exit-code: "42"
+ ignore-unfixed: true
+ vuln-type: "os,library"
+ severity: "CRITICAL,HIGH"
+ scanners: "vuln,secret,misconfig"
+ env:
+ TRIVY_SKIP_JAVA_DB_UPDATE: "true"
+ TRIVY_DISABLE_VEX_NOTICE: "true"
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+
+ - name: Dockle Linter
+ uses: erzz/dockle-action@v1
+ if: ${{ always() }}
+ with:
+ image: ${{ env.IMAGE_NAME }}
+ exit-code: 42
+ failure-threshold: high
+ - name: Hadolint
+ uses: hadolint/hadolint-action@v3.1.0
+ id: hadolint
+ if: ${{ always() }}
+ with:
+ dockerfile: .docker/Dockerfile-build
+ verbose: true
+ format: "json"
+ failure-threshold: "error"
+ - name: View Hadolint results
+ if: ${{ always() }}
+ shell: bash
+ run: |
+ echo "::group::Hadolint Scan Details"
+ echo "${HADOLINT_RESULTS}" | jq '.'
+ echo "::endgroup::"
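Review bot: The `Configure Trivy` step writes `secrets.GITHUB_TOKEN` into `$GITHUB_ENV` as `TRIVY_PASSWORD`, which exports the token to every later step of the job — including `kubescape/github-action@main` and `aquasecurity/trivy-action@master`, which execute whatever currently sits on those mutable branches, and `erzz/dockle-action@v1`. A compromised or hijacked upstream ref therefore reads a token that this workflow grants `security-events: write`, and nothing in the job needs the credential outside the Trivy step. Scope it with a step-level `env:` on the Trivy step instead of `GITHUB_ENV`, and pin third-party actions to a release tag or, preferably, a full commit SHA (the `actions/*`, `docker/*` and `github/codeql-action` steps are at least on release tags). The rewritten steps below leave the rest of the job as it is.
```yaml
      - name: Configure Trivy
        run: mkdir -p "$HOME/.cache/trivy"
      # … unchanged: Anchore scan, SARIF inspect/upload, Kubescape (pin @main to a tag or SHA) …
      - name: Trivy Scanner
        uses: aquasecurity/trivy-action@<release tag or commit SHA>
        if: ${{ always() }}
        with:
          # … unchanged: image-ref, format, exit-code, ignore-unfixed, vuln-type, severity, scanners …
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TRIVY_SKIP_JAVA_DB_UPDATE: "true"
          TRIVY_DISABLE_VEX_NOTICE: "true"
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
```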