Skip to content

Commit

Permalink
SCAN-5585 : Publish and use docker image.
Browse files Browse the repository at this point in the history
  • Loading branch information
steviemul committed Jul 30, 2024
1 parent 38af10d commit 1e80aee
Show file tree
Hide file tree
Showing 4 changed files with 113 additions and 23 deletions.
68 changes: 68 additions & 0 deletions .github/actions/build-image/action.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
name: build-and-deploy-image

inputs:
registry:
description: The registry to deploy to
required: true
image_name:
description: The name of the docker image
required: true
username:
description: The username to login to the container registry
required: true
password:
description: The password to login to the container registry
required: true

runs:
using: composite
steps:
- uses: actions/checkout@v4
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}
password: ${{ inputs.password }}

- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
with:
images: ${{ inputs.registry }}/${{ inputs.image_name }}
tags: type=sha,format=long

- name: Build and push Docker image
id: push
uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}

- name: install yq
shell: bash
run: |
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CC86BB64
sudo add-apt-repository ppa:rmescandon/yq -y
sudo apt update -y
sudo apt install yq -y
- name: Commit changes
shell: bash
env:
IMAGE_TAG: docker://${{ steps.meta.outputs.tags }}
run: |
git config --global user.name 'Github'
git config --global user.email '[email protected]'
yq e ".runs.image = env(IMAGE_TAG)" -i action.yml
git add action.yml
git diff-index --quiet HEAD || (git commit -m "[Auto] Image tag updated latest pushed version" && git push)





23 changes: 17 additions & 6 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,15 @@ on:
branches:
- 'main'

env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}

permissions:
contents: write
packages: write
checks: write
id-token: write

jobs:
lint:
Expand All @@ -22,16 +29,20 @@ jobs:
needs: [ lint ]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build local scanner action image
run: |
docker build .
- uses: actions/checkout@v4
- uses: ./.github/actions/build-image
name: Build and publish docker image
with:
registry: ${{ env.REGISTRY }}
image_name: ${{ env.IMAGE_NAME }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

verify-action:
runs-on: ubuntu-latest
needs: [ build-action-docker-image ]
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses : ./
name: Run action against itself
with:
Expand All @@ -47,7 +58,7 @@ jobs:
runs-on: ubuntu-latest
needs: [ verify-action ]
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Install modules
run: npm ci
- name: release
Expand Down
24 changes: 17 additions & 7 deletions .github/workflows/validate.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,15 +6,21 @@ on:
- '*'
- '!main'

env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}

permissions:
contents: read
contents: write
packages: write
checks: write
id-token: write

jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Install modules
run: npm ci
- name: eslint
Expand All @@ -24,16 +30,20 @@ jobs:
needs: [ lint ]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build local scanner action image
run: |
docker build .
- uses: actions/checkout@v4
- uses: ./.github/actions/build-image
name: Build and publish docker image
with:
registry: ${{ env.REGISTRY }}
image_name: ${{ env.IMAGE_NAME }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

verify-action:
runs-on: ubuntu-latest
needs: [ build-action-docker-image ]
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses : ./
name: Run action against repoository
with:
Expand Down
21 changes: 11 additions & 10 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ branding:
icon: crosshair
color: green
inputs:
apiUrl: # id of input
apiUrl: # id of input
description: Url of your contrast instance, defaults to https://app.contrastsecurity.com/
required: true
default: 'https://app.contrastsecurity.com/'
Expand All @@ -22,8 +22,8 @@ inputs:
required: true
checks:
description: >
If set, checks will be added to the current commit based on any vulnerabilities found.
Requires the 'checks: write' permission.
If set, checks will be added to the current commit based on any vulnerabilities found. Requires the 'checks: write' permission.
required: false
default: false
codeQuality:
Expand All @@ -32,8 +32,8 @@ inputs:
default: false
defaultBranch:
description: >
Set this to true or false explicitly override the default branching behviour in scan whereby scan results
not on the default github branch are not saved against the main project.
Set this to true or false explicitly override the default branching behviour in scan whereby scan results not on the default github branch are not saved against the main project.
required: false
label:
description: Label to associate with the current scan. Defaults to the current ref e.g. refs/heads/main
Expand All @@ -51,23 +51,24 @@ inputs:
required: false
strategy:
description: >
Used in conjuction with severity or checks, set this valid to fail the build based on agreggated project
vulnerabilities or scan level. Valid values are "project" or "scan". Defaults to "project".
Used in conjuction with severity or checks, set this valid to fail the build based on agreggated project vulnerabilities or scan level. Valid values are "project" or "scan". Defaults to "project".
required: false
default: "project"
severity:
description: >
Set this to cause the build to fail if vulnerabilities are found exceeding this severity or higher.
Valid values are CRITICAL, HIGH, MEDIUM, LOW, NOTE.
Set this to cause the build to fail if vulnerabilities are found exceeding this severity or higher. Valid values are CRITICAL, HIGH, MEDIUM, LOW, NOTE.
required: false
timeout:
description: Execution timeout (in seconds) setting passed to the underlying scan engine. Defaulted to 60 minutes.
required: false
token:
description: >
GitHub token for GitHub API requests. Defaults to GITHUB_TOKEN.
required: true
default: ${{ github.token }}
runs:
using: 'docker'
image: 'Dockerfile'
image: 'ghcr.io/contrast-security-oss/contrast-local-scan-action:sha-ff0a63a22c9c93d850d6cab1a191217efdc017ae'

0 comments on commit 1e80aee

Please sign in to comment.