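name: ci-workflow

on:
  push:
    branches:
      - master
  workflow_dispatch: {}

jobs:
  build-and-scan:
    runs-on: docker
    env:
      # Registry / image coordinates and DefectDojo targets come from
      # repository secrets. Secret values are masked in job logs only by
      # exact match, so no step below prints them (the former
      # "Show variables and secrets" step did, and has been replaced by a
      # presence check).
      REGISTRY_HOST: ${{ secrets.REGISTRY_HOST }}
      IMAGE_NAMESPACE: ${{ secrets.IMAGE_NAMESPACE }}
      IMAGE_NAME: ${{ secrets.IMAGE_NAME }}
      CI_GREETING: ${{ secrets.CI_GREETING }}
      DEFECTDOJO_URL: ${{ secrets.DEFECTDOJO_URL }}
      DEFECTDOJO_PRODUCT_TYPE: ${{ secrets.DEFECTDOJO_PRODUCT_TYPE }}
      DEFECTDOJO_PRODUCT: ${{ secrets.DEFECTDOJO_PRODUCT }}
      DEFECTDOJO_ENGAGEMENT: ${{ secrets.DEFECTDOJO_ENGAGEMENT }}
      # Scanner image. TODO(review): pin to a version tag or an @sha256
      # digest. ':latest' makes every run execute whatever the mirror holds
      # at that moment, and this container is handed the Docker socket below.
      TRIVY_IMAGE: "harbor.k8s.sk4.nz/docker-mirror/aquasec/trivy:latest"
      # Docker CLI release to install; same version the previous .deb download
      # pinned. The suite suffix must match the Debian release of the job
      # image (bullseye here — TODO(review): confirm against 'runs-on: docker').
      DOCKER_CLI_VERSION: "29.1.4-1~debian.11~bullseye"
      # Never let apt/dpkg prompt inside a non-interactive job.
      DEBIAN_FRONTEND: noninteractive

    steps:
      - name: Checkout
        # TODO(review): pin to a commit SHA instead of the mutable 'v6' tag so
        # the action code cannot change underneath this workflow.
        uses: https://data.forgejo.org/actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Check required variables
        # Reports only whether each value is present. Values are never
        # echoed: log masking is best-effort and must not be relied on.
        run: |
          set -eu
          for name in HELLO_SECRET CI_GREETING REGISTRY_HOST IMAGE_NAMESPACE IMAGE_NAME; do
            if [ -n "$(printenv "${name}")" ]; then
              echo "${name}: set"
            else
              echo "${name}: UNSET"
            fi
          done
        env:
          HELLO_SECRET: ${{ secrets.HELLO_SECRET }}

      - name: Trust cluster CA
        # The cluster CA is expected at /etc/cluster-ca inside the job
        # container. NOTE(review): update-ca-certificates belongs to the
        # ca-certificates package, which is only installed in a later step;
        # this assumes the job image already ships it — confirm.
        run: |
          set -euo pipefail
          cp /etc/cluster-ca/root-ca.crt /usr/local/share/ca-certificates/cluster-root-ca.crt
          update-ca-certificates

      - name: Debug CA trust
        # Best-effort diagnostics; every command is allowed to fail.
        run: |
          echo "== cluster CA file =="
          ls -l /etc/cluster-ca || true
          ls -l /etc/cluster-ca/root-ca.crt || true
          echo "== ca-certificates directory =="
          ls -l /usr/local/share/ca-certificates || true
          ls -l /etc/ssl/certs | head -n 20
          echo "== CA content (cluster) =="
          openssl x509 -in /etc/cluster-ca/root-ca.crt -noout -subject -issuer -dates -fingerprint -sha256 || true
          echo "== CA in system trust store? =="
          # update-ca-certificates links <name>.crt from
          # /usr/local/share/ca-certificates to /etc/ssl/certs/<name>.pem;
          # that link is the useful signal (grepping every bundle for
          # "BEGIN CERTIFICATE" matched everything and proved nothing).
          ls -l /etc/ssl/certs/cluster-root-ca.pem || true

      - name: Debug docker registry trust
        # Uses the configured registry host rather than a hard-coded name so
        # the check follows REGISTRY_HOST. (The previous literal was
        # harbor.k8s.sk4.nz — presumably the same host; verify.)
        run: |
          echo "== docker certs.d (job container) =="
          ls -l /etc/docker/certs.d || true
          ls -l "/etc/docker/certs.d/${REGISTRY_HOST}" || true

      - name: Install required dependencies
        run: |
          set -euo pipefail
          apt-get update
          apt-get install -y \
            apt-transport-https \
            ca-certificates \
            curl \
            gnupg2 \
            lsb-release \
            software-properties-common

      - name: Install Docker CLI
        # Install from Docker's signed apt repository instead of fetching a
        # bare .deb with wget and 'dpkg -i': apt verifies the repository's
        # Release signature against the keyring below, so a substituted or
        # tampered package is rejected, and the version stays pinned.
        # TODO(review): compare the fetched key's fingerprint with the one
        # published in Docker's install documentation the first time this
        # runs on a new runner image.
        run: |
          set -euo pipefail
          install -m 0755 -d /etc/apt/keyrings
          curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
          chmod a+r /etc/apt/keyrings/docker.asc
          echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bullseye stable" \
            > /etc/apt/sources.list.d/docker.list
          apt-get update
          # --no-install-recommends keeps the footprint equal to the old
          # 'dpkg -i' path (no buildx/compose plugins pulled in).
          apt-get install -y --no-install-recommends "docker-ce-cli=5:${DOCKER_CLI_VERSION}"

      - name: Verify Docker CLI version
        run: docker --version

      - name: Login to registry
        # Credentials are scoped to this step only; the token is passed on
        # stdin, never on argv.
        run: |
          set -euo pipefail
          echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin
        env:
          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}

      - name: Build image
        # Tags the image with the commit SHA (immutable reference) and exports
        # IMAGE_REF for the push and scan steps.
        run: |
          set -euo pipefail
          IMAGE_REF="${REGISTRY_HOST}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${GITHUB_SHA}"
          echo "IMAGE_REF=${IMAGE_REF}" >> "${GITHUB_ENV}"
          docker build -t "${IMAGE_REF}" .

      - name: Push image
        # NOTE(review): the image is published before it is scanned, and the
        # Trivy step below is informational (no --exit-code), so a vulnerable
        # image still reaches the registry. Move the scan ahead of this step
        # and add '--exit-code 1 --severity CRITICAL' if publishing should be
        # gated on scan results.
        run: |
          set -euo pipefail
          docker push "${IMAGE_REF}"

      - name: Trivy scan (securecodebox)
        # The socket mount lets Trivy read the locally built image; it also
        # gives that container full control of the Docker daemon, which is
        # why TRIVY_IMAGE should be pinned rather than ':latest'.
        run: |
          set -euo pipefail
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v "${PWD}:/workspace" \
            -w /workspace \
            "${TRIVY_IMAGE}" \
            image --no-progress --format json --output trivy-results.json "${IMAGE_REF}"

      - name: Upload to DefectDojo
        # API key is scoped to this step. NOTE(review): 'verified=true' marks
        # every imported finding as triaged on arrival; drop it if findings
        # should be reviewed by a person first.
        run: |
          set -euo pipefail
          curl -sSf -X POST "${DEFECTDOJO_URL}/api/v2/import-scan/" \
            -H "Authorization: Token ${DEFECTDOJO_API_KEY}" \
            -F "scan_type=Trivy Scan" \
            -F "minimum_severity=Low" \
            -F "product_type_name=${DEFECTDOJO_PRODUCT_TYPE}" \
            -F "product_name=${DEFECTDOJO_PRODUCT}" \
            -F "engagement_name=${DEFECTDOJO_ENGAGEMENT}" \
            -F "file=@trivy-results.json" \
            -F "verified=true" \
            -F "active=true"
        env:
          DEFECTDOJO_API_KEY: ${{ secrets.DEFECTDOJO_API_KEY }}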