forked from dockersamples/example-voting-app
-
Notifications
You must be signed in to change notification settings - Fork 0
99 lines (80 loc) · 3.61 KB
/
ci.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
env:
SYSDIG_SECURE_ENDPOINT: "https://app.us4.sysdig.com/secure"
REGISTRY_HOST: "docker.io"
name: CIWF
on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
build-and-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Log in to DockerHub
run: echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
- name: Build vote image
run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest ./vote
- name: Build worker image
run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest ./worker
- name: Build result image
run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest ./result
- name: Push vote image
run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest
- name: Push worker image
run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest
- name: Push result image
run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest
- name: Setup cache
uses: actions/cache@v3
with:
path: cache
key: ${{ runner.os }}-cache-${{ hashFiles('**/sysdig-cli-scanner', '**/latest_version.txt', '**/db/main.db.meta.json', '**/scanner-cache/inlineScannerCache.db') }}
restore-keys: ${{ runner.os }}-cache-
- name: Download sysdig-cli-scanner if needed
run: |
curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt
mkdir -p ${GITHUB_WORKSPACE}/cache/db/
if [ ! -f ${GITHUB_WORKSPACE}/cache/latest_version.txt ] || [ $(cat ./latest_version.txt) != $(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt) ]; then
cp ./latest_version.txt ${GITHUB_WORKSPACE}/cache/latest_version.txt
curl -sL -o ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
chmod +x ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner
else
echo "sysdig-cli-scanner latest version already downloaded"
fi
- name: Scan vote image with Sysdig
env:
SECURE_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }}
run: |
${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \
--apiurl ${SYSDIG_SECURE_ENDPOINT} \
docker://${REGISTRY_HOST}/${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \
--console-log \
--dbpath=${GITHUB_WORKSPACE}/cache/db/ \
--cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/
- name: Scan worker image with Sysdig
env:
SECURE_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }}
run: |
${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \
--apiurl ${SYSDIG_SECURE_ENDPOINT} \
${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest \
--console-log \
--dbpath=${GITHUB_WORKSPACE}/cache/db/ \
--cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/
- name: Scan result image with Sysdig
env:
SECURE_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }}
run: |
${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \
--apiurl ${SYSDIG_SECURE_ENDPOINT} \
${{ secrets.DOCKER_USERNAME }}/voting-app-results:latest \
--console-log \
--dbpath=${GITHUB_WORKSPACE}/cache/db/ \
--cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/