Docker #42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright 2022 Goldman Sachs | |
# | |
# Licensed under the Apache License, Version 2.0 (the "License"); | |
# you may not use this file except in compliance with the License. | |
# You may obtain a copy of the License at | |
# | |
# http://www.apache.org/licenses/LICENSE-2.0 | |
# | |
# Unless required by applicable law or agreed to in writing, software | |
# distributed under the License is distributed on an "AS IS" BASIS, | |
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
# See the License for the specific language governing permissions and | |
# limitations under the License. | |
name: Docker | |
# NOTE: this job does not scan for the latest image published on Docker Hub | |
# We might need to use some other tools such as http://snyk.io/ to monitor | |
on: | |
schedule: | |
- cron: '0 0 * * 2' # every Tuesday on default/base branch | |
push: | |
branches: | |
- master | |
paths: | |
- "**/Dockerfile" | |
pull_request: | |
paths: | |
- "**/Dockerfile" | |
workflow_dispatch: {} | |
jobs: | |
release: | |
name: Run Image Checks | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Build simplified Docker image for checks | |
# NOTE: we do this to make this action run faster by not actually building out the full JAR | |
# Also, if this gets more complicated, consider having this as a bash script. | |
run: mkdir -p ./legend-sdlc-server/target && touch ./legend-sdlc-server/target/legend-sdlc-server-dummy-shaded.jar && docker build --quiet --tag local/legend-sdlc-server:${{ github.sha }} ./legend-sdlc-server | |
- name: Scan image for security issues | |
uses: aquasecurity/[email protected] | |
with: | |
# TODO: we should probably also setup misconfiguration scanning | |
# See https://github.com/aquasecurity/trivy-action#using-trivy-to-scan-infrastucture-as-code | |
scan-type: image | |
image-ref: local/legend-sdlc-server:${{ github.sha }} | |
format: table | |
exit-code: 1 | |
# Ignore unpatched/unfixed vulnerabilities/CVEs | |
ignore-unfixed: true | |
severity: CRITICAL | |
# Manually increase timeout as the default 2-minute is not enough | |
# See https://github.com/aquasecurity/trivy/issues/802 | |
timeout: 10m |