
[ISSUE 299] Set up front-end infrastructure in AWS #11


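# GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image
# to ensure images built are secure before they are deployed.
# NOTE: The workflow isn't able to pass the docker image between jobs, so each builds the image.
# A future PR will pass the image between the scans to reduce overhead and increase speed
name: CI Vulnerability Scans

# Least-privilege GITHUB_TOKEN: the jobs only need to read the repository
# (actions/checkout); none of the scan steps writes to the GitHub API or
# uploads results, so nothing beyond contents:read is required.
permissions:
  contents: read

on:
  push:
    branches:
      - main
    # Re-run the scans whenever the image inputs or any scanner config changes.
    # .dockleconfig is read by the dockle-scan job, so it is listed alongside
    # the other scanner config files.
    paths:
      - app/**
      - .dockleconfig
      - .grype.yml
      - .hadolint.yaml
      - .trivyignore
      - .github/workflows/ci-vulnerability-scans.yml
  pull_request:
    paths:
      - app/**
      - .dockleconfig
      - .grype.yml
      - .hadolint.yaml
      - .trivyignore
      - .github/workflows/ci-vulnerability-scans.yml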
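jobs:
  # Lints the Dockerfile itself (no image build needed for this job).
  hadolint-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Scans Dockerfile for any bad practices or issues
      - name: Scan Dockerfile by hadolint
        # NOTE(review): the action ref on the next line was mangled in this copy of
        # the file ("[email protected]"); restore the pinned hadolint-action
        # version tag from the repository before relying on this workflow.
        uses: hadolint/[email protected]
        with:
          dockerfile: app/Dockerfile
          format: tty
          failure-threshold: warning
          output-file: hadolint-results.txt
      - name: Save output to workflow summary
        if: always() # Runs even if there is a failure
        run: |
          cat hadolint-results.txt >> "$GITHUB_STEP_SUMMARY"

  # Scans the built image for OS-package vulnerabilities and embedded secrets.
  trivy-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build and tag Docker image for scanning
        id: build-image
        run: |
          make release-build
          IMAGE_NAME=$(make release-image-name)
          IMAGE_TAG=$(make release-image-tag)
          echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
      - name: Run Trivy vulnerability scan
        # TODO(review): "@master" is a floating branch, so the scanner code can
        # change underneath this workflow without any commit here; pin to a
        # release tag or, better, a commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: image
          image-ref: ${{ steps.build-image.outputs.image }}
          format: table
          exit-code: '1'        # fail the job when findings remain after the filters below
          ignore-unfixed: true  # findings with no upstream fix available are not reported
          # Only OS packages are scanned here; application library dependencies
          # are not covered by this job — confirm that is intended.
          vuln-type: os
          scanners: vuln,secret
      - name: Save output to workflow summary
        if: always() # Runs even if there is a failure
        run: |
          echo "View results in GitHub Action logs" >> "$GITHUB_STEP_SUMMARY"

  # Second, independent vulnerability scanner over the same image.
  anchore-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build and tag Docker image for scanning
        id: build-image
        run: |
          make release-build
          IMAGE_NAME=$(make release-image-name)
          IMAGE_TAG=$(make release-image-tag)
          echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
      - name: Run Anchore vulnerability scan
        uses: anchore/scan-action@v3
        with:
          image: ${{ steps.build-image.outputs.image }}
          output-format: table
      - name: Save output to workflow summary
        if: always() # Runs even if there is a failure
        run: |
          echo "View results in GitHub Action logs" >> "$GITHUB_STEP_SUMMARY"

  # Checks the built image against container best practices (CIS-style checks).
  dockle-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build and tag Docker image for scanning
        id: build-image
        run: |
          make release-build
          IMAGE_NAME=$(make release-image-name)
          IMAGE_TAG=$(make release-image-tag)
          echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
      # Dockle doesn't allow you to have an ignore file for the DOCKLE_ACCEPT_FILES
      # variable, this will save the variable in this file to env for Dockle
      - name: Set any acceptable Dockle files
        run: |
          # The file-exists check avoids grep's "No such file" noise on stderr
          # when the repo has no .dockleconfig; the env var is then simply unset.
          if [ -f .dockleconfig ] && grep -q "^DOCKLE_ACCEPT_FILES=.*" .dockleconfig; then
            grep -s '^DOCKLE_ACCEPT_FILES=' .dockleconfig >> "$GITHUB_ENV"
          fi
      - name: Run Dockle container linter
        # NOTE(review): the action ref on the next line was mangled in this copy of
        # the file ("[email protected]"); restore the pinned dockle-action version
        # tag from the repository before relying on this workflow.
        uses: erzz/[email protected]
        with:
          image: ${{ steps.build-image.outputs.image }}
          exit-code: '1'
          failure-threshold: WARN
          # Empty when the step above found nothing to export.
          accept-filenames: ${{ env.DOCKLE_ACCEPT_FILES }}
      - name: Save output to workflow summary
        if: always() # Runs even if there is a failure
        run: |
          # Single quotes are required here: inside double quotes bash treats the
          # backticks as command substitution, so the fence markers were mangled
          # instead of being written to the summary.
          echo '```json' >> "$GITHUB_STEP_SUMMARY"
          cat dockle-report.json >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"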