
# Copyright 2022 Goldman Sachs
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
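name: Docker
# NOTE: this job does not scan the image published on Docker Hub; it scans an
# image built from this repository's Dockerfile at the triggering commit.
# Monitoring the published image would need another tool (e.g. http://snyk.io/).
on:
  schedule:
    - cron: '0 0 * * 2'  # every Tuesday at 00:00 UTC on the default/base branch
  push:
    branches:
      - master
    paths:
      - '**/Dockerfile'
  pull_request:
    paths:
      - '**/Dockerfile'
  workflow_dispatch: {}

# Least privilege for GITHUB_TOKEN: checking out and scanning a locally built
# image only reads the repository; no step writes to the repo, packages or
# security tab, so the job does not need the default (possibly write) grant.
permissions:
  contents: read

jobs:
  release:
    name: Run Image Checks
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # Tag refs are mutable; pin to a full commit SHA if this workflow's
        # own supply chain should be hardened.
        uses: actions/checkout@v4

      - name: Build simplified Docker image for checks
        # Only the Dockerfile and its base image are under test: the jar is an
        # empty placeholder, so application dependencies are NOT scanned here.
        # NOTE: if this gets more complicated, consider having this as a bash script
        run: |
          mkdir -p ./legend-shared-server/target
          touch ./legend-shared-server/target/legend-shared-server-dummy.jar
          docker build --quiet \
            --tag "local/legend-shared-server:${{ github.sha }}" \
            ./legend-shared-server

      - name: Scan image for security issues
        # The action ref below was mangled by the page this file was taken from
        # (it read "[email protected]"); restore the pinned version from the repository.
        uses: aquasecurity/trivy-action@<PINNED-VERSION-FROM-REPO>
        with:
          # TODO: we should probably also set up misconfiguration scanning
          # See https://github.com/aquasecurity/trivy-action#using-trivy-to-scan-infrastucture-as-code
          scan-type: image
          image-ref: 'local/legend-shared-server:${{ github.sha }}'
          format: table
          # Fail the job when any finding passes the filters below
          exit-code: '1'
          # Ignore unpatched/unfixed vulnerabilities/CVEs
          ignore-unfixed: true
          # Only CRITICAL findings are considered; HIGH and below are filtered
          # out of the scan result and never fail the build.
          severity: CRITICAL
          # Manually increase timeout as the default 2-minute is not enough
          # See https://github.com/aquasecurity/trivy/issues/802
          timeout: 10m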