diff --git a/.github/workflows/ci-vulnerability-scans.yml b/.github/workflows/ci-vulnerability-scans.yml
deleted file mode 100644
index c39f2ee..0000000
--- a/.github/workflows/ci-vulnerability-scans.yml
+++ /dev/null
@@ -1,140 +0,0 @@
-# GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image
-# to ensure images built are secure before they are deployed.
-
-# NOTE: The workflow isn't able to pass the docker image between jobs, so each builds the image.
-# A future PR will pass the image between the scans to reduce overhead and increase speed
-name: CI Vulnerability Scans
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - app/**
-      - .grype.yml
-      - .hadolint.yaml
-      - .trivyignore
-      - .github/workflows/ci-vulnerability-scans.yml
-  pull_request:
-    paths:
-      - app/**
-      - .grype.yml
-      - .hadolint.yaml
-      - .trivyignore
-      - .github/workflows/ci-vulnerability-scans.yml
-
-env:
-  APP_NAME: app
-
-jobs:
-  hadolint-scan:
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v3
-
-    # Scans Dockerfile for any bad practices or issues
-    - name: Scan Dockerfile by hadolint
-      uses: hadolint/hadolint-action@v3.1.0
-      with:
-        dockerfile: ${{ env.APP_NAME }}/Dockerfile
-        format: tty
-        failure-threshold: warning
-        output-file: hadolint-results.txt
-
-    - name: Save output to workflow summary
-      if: always() # Runs even if there is a failure
-      run: cat hadolint-results.txt >> "$GITHUB_STEP_SUMMARY"
-
-  trivy-scan:
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v3
-
-    - name: Build and tag Docker image for scanning
-      id: build-image
-      run: |
-        make APP_NAME=${{ env.APP_NAME }} release-build
-        IMAGE_NAME=$(make APP_NAME=${{ env.APP_NAME }} release-image-name)
-        IMAGE_TAG=$(make release-image-tag)
-        echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
-
-    - name: Run Trivy vulnerability scan
-      uses: aquasecurity/trivy-action@master
-      with:
-        scan-type: image
-        image-ref: ${{ steps.build-image.outputs.image }}
-        format: table
-        exit-code: 1
-        ignore-unfixed: true
-        vuln-type: os
-        scanners: vuln,secret
-
-    - name: Save output to workflow summary
-      if: always() # Runs even if there is a failure
-      run: |
-        echo "View results in GitHub Action logs" >> "$GITHUB_STEP_SUMMARY"
-
-  anchore-scan:
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v3
-
-    - name: Build and tag Docker image for scanning
-      id: build-image
-      run: |
-        make APP_NAME=${{ env.APP_NAME }} release-build
-        IMAGE_NAME=$(make APP_NAME=${{ env.APP_NAME }} release-image-name)
-        IMAGE_TAG=$(make release-image-tag)
-        echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
-
-    - name: Run Anchore vulnerability scan
-      uses: anchore/scan-action@v3
-      with:
-        image: ${{ steps.build-image.outputs.image }}
-        output-format: table
-
-    - name: Save output to workflow summary
-      if: always() # Runs even if there is a failure
-      run: echo "View results in GitHub Action logs" >> "$GITHUB_STEP_SUMMARY"
-
-  dockle-scan:
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v3
-
-    - name: Build and tag Docker image for scanning
-      id: build-image
-      run: |
-        make APP_NAME=${{ env.APP_NAME }} release-build
-        IMAGE_NAME=$(make APP_NAME=${{ env.APP_NAME }} release-image-name)
-        IMAGE_TAG=$(make release-image-tag)
-        echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
-
-    # Dockle doesn't allow you to have an ignore file for the DOCKLE_ACCEPT_FILES
-    # variable, this will save the variable in this file to env for Dockle
-    - name: Set any acceptable Dockle files
-      run: |
-        if grep -q "^DOCKLE_ACCEPT_FILES=.*" .dockleconfig; then
-          grep -s '^DOCKLE_ACCEPT_FILES=' .dockleconfig >> "$GITHUB_ENV"
-        fi
-
-    - name: Run Dockle container linter
-      uses: erzz/dockle-action@v1.3.1
-      with:
-        image: ${{ steps.build-image.outputs.image }}
-        exit-code: "1"
-        failure-threshold: WARN
-        accept-filenames: ${{ env.DOCKLE_ACCEPT_FILES }}
-
-    - name: Save output to workflow summary
-      if: always() # Runs even if there is a failure
-      run: |
-        {
-          echo '```json'
-          cat dockle-report.json
-          echo '```'
-        } >> "$GITHUB_STEP_SUMMARY"