-
Notifications
You must be signed in to change notification settings - Fork 12
96 lines (87 loc) · 3.46 KB
/
docker-image-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
name: SCA Docker Test
on:
pull_request:
branches:
- main
push:
branches:
- main
tags:
- '*'
workflow_dispatch: {}
jobs:
test-scan-docker-image:
permissions:
contents: write # publish sbom to GH releases/tag assets
issues: read
checks: write
pull-requests: write
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
name: Test Scan Docker Image
runs-on: ubuntu-22.04
env:
IMAGE: kong/kong-gateway-dev:latest #particular reason for the choice of image: test multi arch image sbom
steps:
- uses: actions/checkout@v4
- name: Install regctl
uses: regclient/actions/regctl-installer@main
- name: Login to DockerHub
if: success()
uses: docker/login-action@v3
with:
username: ${{ secrets.GHA_DOCKERHUB_PULL_USER }}
password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUBLIC_TOKEN }}
- name: Parse Architecture Specific Image Manifest Digests
id: image_manifest_metadata
run: |
manifest_list_exists="$(
if regctl manifest get "${IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then
echo true
else
echo false
fi
)"
echo "manifest_list_exists=$manifest_list_exists"
echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT
amd64_sha="$(regctl image digest "${IMAGE}" --platform linux/amd64 || echo '')"
arm64_sha="$(regctl image digest "${IMAGE}" --platform linux/arm64 || echo '')"
echo "amd64_sha=$amd64_sha"
echo "amd64_sha=$amd64_sha" >> $GITHUB_OUTPUT
echo "arm64_sha=$arm64_sha"
echo "arm64_sha=$arm64_sha" >> $GITHUB_OUTPUT
- name: Scan AMD64 Image digest
id: sbom_action_amd64
if: steps.image_manifest_metadata.outputs.amd64_sha != ''
uses: ./security-actions/scan-docker-image
with:
asset_prefix: kong-gateway-dev-linux-amd64
image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }}
skip_cis_scan: true
- name: Scan ARM64 Image digest
if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
id: sbom_action_arm64
uses: ./security-actions/scan-docker-image
with:
asset_prefix: test.kong-gateway-dev-linux-arm64
image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }}
upload-sbom-release-assets: true
skip_cis_scan: true
test-download-sbom:
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
name: Download SBOM
runs-on: ubuntu-22.04
needs: [test-scan-docker-image]
env:
SBOM_DOWNLOAD_PATH: ${{ github.workspace }}/security-assets/sboms
SPDX_SBOM_PATTERN: "*sbom.spdx.json"
CYCLONEDX_SBOM_PATTERN: "*sbom.cyclonedx.json"
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: "Download all SBOM assets"
id: collect_sbom
if: ${{ needs.test-scan-docker-image.result == 'success' }}
run: |-
gh run download ${{ github.run_id }} -D ${{ env.SBOM_DOWNLOAD_PATH }} -p '${{ env.CYCLONEDX_SBOM_PATTERN }}' -p '${{ env.SPDX_SBOM_PATTERN }}' --repo ${{ github.repository }}
- name: Inspect download assets
run: |
ls -alR ${{ github.workspace }}/security-assets/sboms