Add cbuild
OysteinThuen committed Mar 1, 2024
1 parent 31101e7 commit 37a4d7b
Showing 2 changed files with 218 additions and 1 deletion.
175 changes: 175 additions & 0 deletions .github/workflows/cbuild.yaml
@@ -0,0 +1,175 @@
name: Build docker image, run CodeQL and scan for vulnerabilities

on:
workflow_call:
inputs:
name:
description: 'Name of application. Do not include namespace.'
required: true
type: string
namespace:
description: 'Namespace or system of the application.'
required: true
type: string
environment:
description: 'Github Environment.'
required: true
type: string
dockerfile:
description: 'Path to Dockerfile.'
required: true
type: string
dockerBuildContext:
description: 'Docker build context. It is the working directory needed to build the dockerfile. Defaults to the directory with the Dockerfile.'
required: false
type: string
languages:
description: 'List of languages to run CodeQL on, As JSON array. Defaults to ["csharp"]. The supported languages are c-cpp, csharp, go, java-kotlin, javascript-typescript, python, ruby, swift.'
required: false
default: '["csharp"]'
type: string
severity:
description: 'Severity levels to scan for. See https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs for more information.'
required: false
default: 'CRITICAL,HIGH'
type: string
AZURE_CLIENT_ID:
description: 'ClientId of a service principal that can push to Container Registry.'
required: false
default: ''
type: string
AZURE_TENANT_ID:
description: 'TenantId of a service principal that can push to Azure Container Registry.'
required: false
default: ''
type: string
ACR_SUBSCRIPTION_ID:
description: 'Subscription ID of the Azure Container Registry to push to.'
required: false
default: ''
type: string
ACR_NAME:
description: 'Name of the Azure Container Registry to push to.'
required: false
default: containerregistryelvia
type: string

env:
image_tag: ${{ github.sha }}-${{ github.run_number }}
image_full_name: containerregistryelvia.azurecr.io/${{ inputs.namespace }}-${{ inputs.name }}:${{ github.sha }}-${{ github.run_number }}

jobs:
analyze:
name: CodeQL Analyze
runs-on: 'ubuntu-latest'
timeout-minutes: 15
strategy:
fail-fast: false
matrix:
language: ${{ fromJSON(inputs.languages) }}
# CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}

- name: Autobuild
uses: github/codeql-action/autobuild@v3

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"

build:
name: Build and Scan
runs-on: ubuntu-latest
environment: ${{ inputs.environment }}
steps:
- name: Parse input
run: |
if [ -z "${{ inputs.AZURE_CLIENT_ID}}" ]
then
echo "AZURE_CLIENT_ID=${{ vars.AZURE_CLIENT_ID}}" >> "$GITHUB_ENV"
else
echo "AZURE_CLIENT_ID=${{ inputs.AZURE_CLIENT_ID}}" >> "$GITHUB_ENV"
fi
if [ -z "${{ inputs.AZURE_TENANT_ID}}" ]
then
echo "AZURE_TENANT_ID=${{ vars.AZURE_TENANT_ID}}" >> "$GITHUB_ENV"
else
echo "AZURE_TENANT_ID=${{ inputs.AZURE_TENANT_ID}}" >> "$GITHUB_ENV"
fi
if [ -z "${{ inputs.ACR_SUBSCRIPTION_ID}}" ]
then
echo "ACR_SUBSCRIPTION_ID=${{ vars.ACR_SUBSCRIPTION_ID}}" >> "$GITHUB_ENV"
else
echo "ACR_SUBSCRIPTION_ID=${{ inputs.ACR_SUBSCRIPTION_ID}}" >> "$GITHUB_ENV"
fi
- name: Checkout repository
uses: actions/checkout@v4

- name: Build image
run: |
if [ -z "${{ inputs.dockerBuildContext}}" ]
then
dir=`dirname ${{ inputs.dockerfile}}` # default to the directory of the Dockerfile
else
dir=${{ inputs.dockerBuildContext}}
fi
docker build --tag ${{ env.image_full_name}} -f ${{ inputs.dockerfile}} $dir
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.image_full_name}}
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: ${{ inputs.severity }}
github-pat: ${{ secrets.GITHUB_TOKEN }}
if: github.event_name == 'pull_request'

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.image_full_name}}
format: 'sarif'
template: '@/contrib/sarif.tpl'
output: trivy.sarif
severity: ${{ inputs.severity }}
github-pat: ${{ secrets.GITHUB_TOKEN }}
ignore-unfixed: true
if: github.event_name == 'push'

# GitHub Security tab does not support SARIF files with `git::` or `https:/` URL's:
# https://github.com/aquasecurity/trivy/issues/5003#issuecomment-1780415058
- name: Fix Trivy output
run: sed -i 's#git::https:/##g' "trivy.sarif"
if: github.event_name == 'push'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: trivy.sarif
category: 'Trivy'
if: github.event_name == 'push'

- name: Authenticate with Azure
uses: azure/login@v1
with:
client-id: ${{ env.AZURE_CLIENT_ID }}
tenant-id: ${{ env.AZURE_TENANT_ID }}
subscription-id: ${{ env.ACR_SUBSCRIPTION_ID }}

- name: Login ACR
run: az acr login --name ${{ inputs.ACR_NAME }}

- name: Push image
run: docker push ${{ env.image_full_name}}
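Review bot: both `Run Trivy vulnerability scanner` steps use `aquasecurity/trivy-action@master`, a mutable branch, so whatever lands on that branch runs with this job's `GITHUB_TOKEN` and, after `azure/login`, with registry push rights; pin it to a release tag or a full commit SHA like the other actions, and bump `github/codeql-action/upload-sarif@v2` to `@v3` to match `init`/`analyze`. The push gate is also asymmetric: on `pull_request` the scan has `exit-code: '1'`, but the `push` scan only writes SARIF and `Authenticate with Azure`/`Push image` carry no `if`, so an image with CRITICAL/HIGH findings is still pushed on push events, and the push also runs for pull requests; add `exit-code: '1'` to the push scan or an explicit `if: github.event_name == 'push'` on the push step. Two smaller points: `image_full_name` hardcodes `containerregistryelvia.azurecr.io` while `az acr login --name ${{ inputs.ACR_NAME }}` honours the input, so a caller that overrides `ACR_NAME` logs into one registry and pushes to another (derive the host from `inputs.ACR_NAME`), and the workflow declares no `permissions:` block although the OIDC `azure/login` needs `id-token: write` and `upload-sarif` needs `security-events: write`, which callers must grant. Minor: `Parse input` and `Build image` splice `${{ inputs.* }}` straight into shell; passing them via `env:` and quoting (`"$dir"`) avoids word-splitting and expression injection from caller-controlled values.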
44 changes: 43 additions & 1 deletion README.md
@@ -13,7 +13,7 @@ Template that build docker image, analyze it using CodeQL, scans for vulnerabili
| --------------------- | ------ | ------------------------ | ------------
| `name` | String | | Name of application.
| `namespace` | String | | Namespace of application.
| `environment´ | String | | Github environment. This environment should contain the variable AZURE_CLIENT_ID, AZURE_TENANT_ID and ACR_SUBSCRIPTION_ID.
| `environment` | String | | Github environment. This environment should contain the variable AZURE_CLIENT_ID, AZURE_TENANT_ID and ACR_SUBSCRIPTION_ID.
| `dockerfile` | String | | Path to Dockerfile.
| `dockerBuildContext` | String | directory of dockerfile | Path to Docker build context.
| `languages` | String | `[csharp]` | List of language to run CodeQL on. The supported languages are c-cpp, csharp, go, java-kotlin, javascript-typescript, python, ruby, swift.
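Review bot: the `languages` row documents the default as `[csharp]`, but the workflow's actual default is the JSON string `'["csharp"]'`, which is parsed with `fromJSON` for the matrix; a caller copying `[csharp]` would pass invalid JSON and break the `analyze` job. Show the default as `'["csharp"]'` and state that the value must be a JSON array of strings. Also "List of language" should read "List of languages". The backtick fix on the `environment` row is good.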
@@ -50,6 +50,48 @@ jobs:
```
## Deploy
Template that deploys an Elvia Helm chart to Kubernetes
### Inputs
| Name | Type | Default | Description
| --------------------- | ------ | ------------------------ | ------------
| `name` | String | | Name of application.
| `namespace` | String | | Namespace of application.
| `environment` | String | | Github environment. This environment should contain the variable AZURE_CLIENT_ID, AZURE_TENANT_ID, AKS_SUBSCRIPTION_ID, AKS_CLUSTER_NAME and AKS_RESOURCE_GROUP.
| `AZURE_CLIENT_ID` | String | `$AZURE_CLIENT_ID` | ClientId of a service principal that can push to Container Registry.
| `AZURE_TENANT_ID` | String | `$AZURE_TENANT_ID` | TenantId of a service principal that can push to Azure Container Registry.
| `AKS_SUBSCRIPTION_ID` | String | `$AKS_SUBSCRIPTION_ID` | Subscription ID of the Azure Container Registry to push to.
| `AKS_CLUSTER_NAME` | String | `$AKS_CLUSTER_NAME` | Name of the AKS cluster
| `AKS_RESOURCE_GROUP` | String | `$AKS_RESOURCE_GROUP` | Resource group of the AKS cluster
| `acrName ` | String | `containerregistryelvia` | Name of the Azure Container Registry to push to.

### Example

```yaml
name: Deploy
on:
push:
branches: [trunk]
pull_request:
branches: [trunk]
jobs:
deploy:
permissions:
actions: read
contents: read
uses: 3lvia/core-github-actions-templates/.github/workflows/deploy.yaml@v2
with:
name: 'my-cool-app'
namespace: 'my-system'
environment: 'dev'
```



## Trivy scanning
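Review bot: the `Deploy` inputs table describes the wrong resources: `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` say the principal "can push to Container Registry" and `AKS_SUBSCRIPTION_ID` is described as "Subscription ID of the Azure Container Registry to push to", although these rows sit next to `AKS_CLUSTER_NAME` and `AKS_RESOURCE_GROUP` and the section is about deploying a Helm chart; reword them to the AKS cluster the principal deploys to. The `` `acrName ` `` row has a trailing space inside the backticks and is camelCase while every other input here and the `ACR_NAME` input in `cbuild.yaml` are upper snake case; align the name. Also drop the three blank lines before `## Trivy scanning`.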


0 comments on commit 37a4d7b