From 82b2db6eed8ac2dcf87c8837c6503c40ddcb26f7 Mon Sep 17 00:00:00 2001 From: eksrha <58111764+eksrha@users.noreply.github.com> Date: Fri, 29 Apr 2022 19:06:12 +0200 Subject: [PATCH 1/4] update runner --- images/base/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/images/base/Dockerfile b/images/base/Dockerfile index 6b9708e..fd9294d 100644 --- a/images/base/Dockerfile +++ b/images/base/Dockerfile @@ -12,7 +12,7 @@ ENV GH_RUNNER_WORKDIR="/home/${USERNAME}" ENV GH_KANIKO_WORKDIR="/kaniko/workspace" # https://github.com/actions/runner/releases -ENV GH_RUNNER_VERSION=2.290.1 +ENV GH_RUNNER_VERSION=2.291.1 ENV GH_RUNNER_LABELS=ubuntu-20.04 ENV AWESOME_CI_VERSION 0.11.3 From 3d13639bb0e7a5b58ba55a92616743659e544032 Mon Sep 17 00:00:00 2001 From: eksrha <58111764+eksrha@users.noreply.github.com> Date: Fri, 29 Apr 2022 19:06:38 +0200 Subject: [PATCH 2/4] add security scanning --- .github/workflows/anchore.yml | 43 +++++++++++++++++++++++++++++++++++ README.md | 22 ++++++++++-------- 2 files changed, 55 insertions(+), 10 deletions(-) create mode 100644 .github/workflows/anchore.yml diff --git a/.github/workflows/anchore.yml b/.github/workflows/anchore.yml new file mode 100644 index 0000000..b6a1768 --- /dev/null +++ b/.github/workflows/anchore.yml 
@@ -0,0 +1,43 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
+# code scanning feature. For more information on the Anchore scan action usage
+# and parameters, see https://github.com/anchore/scan-action. For more
+# information on Anchore's container image scanning tool Grype, see
+# https://github.com/anchore/grype
+name: Anchore Container Scan
+
+on:
+  push:
+    branches: [ main ]
+  schedule:
+    - cron: '45 5 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  Anchore-Build-Scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@v3
+
+      - name: Scan current project
+        id: scan
+        uses: anchore/scan-action@v3
+        with:
+          path: "."
+          acs-report-enable: true
+
+      - name: Upload Anchore Scan Report
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/README.md b/README.md
index d06bab2..dbf1ec1 100644
--- a/README.md
+++ b/README.md
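Review bot: The `Scan current project` step scans the checked-out repository directory (`path: "."`), not the runner images this repository publishes, so the OS packages the README lists for the images (libssl-dev, build-essential, …) are never examined, and the header comment's "builds an image" describes a build step the hunk does not contain. Build at least `images/base/Dockerfile` first and point the action at the resulting image via `image:` as sketched below; the Dockerfile may need build args that are not visible here, so confirm it builds standalone before relying on this. Independently, `anchore/scan-action@v3` and `github/codeql-action/upload-sarif@v2` are mutable tags consumed by a job that holds `security-events: write`; pin both to a full commit SHA with the version in a trailing comment, e.g. `uses: anchore/scan-action@<sha> # v3.x`. As far as I recall scan-action fails the job by default above its severity cutoff, so once an image scan is in place findings in the base image will turn `main` red — either make that the intended gate or set `fail-build:` and `severity-cutoff:` explicitly so the behaviour is documented in the workflow.
```yaml
      - name: Build base image
        run: docker build -t localbuild/runner-base:${{ github.sha }} images/base

      - name: Scan built image
        id: scan
        uses: anchore/scan-action@v3
        with:
          image: "localbuild/runner-base:${{ github.sha }}"
          acs-report-enable: true
      # … unchanged: Upload Anchore Scan Report step …
```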
@@ -1,4 +1,6 @@ -# github-runner-base +[![Create Release](https://github.com/fullstack-devops/github-actions-runner/actions/workflows/create-release.yml/badge.svg)](https://github.com/fullstack-devops/github-actions-runner/actions/workflows/create-release.yml) + +# GitHub Actions Custom Runner Container images with Github Actions Runner. Different flavored images with preinstalled tools and software for builds with limited internet access and non root privileges. Ideal for building software in enterprise environments of large organizations that often restrict internet access. @@ -6,17 +8,17 @@ Software builds can be built there using a [Nexus Repository](https://de.sonatyp Support: If you need help or a feature just open an issue! -Package / Images: ghcr.io/fullstack-devops/github-actions-runner +Package / Images: `ghcr.io/fullstack-devops/github-actions-runner` Available Tags: -| Name (tag) | Installed Tools/ Software | Description | -|-------------------------|-----------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------| -| `latest-base` | libffi-dev, libicu-dev, build-essential, libssl-dev, ca-certificates, jq, sed, grep, git, curl, wget, zip | Base runner with nothing fancy installed
[Dockerfile](images/base/Dockerfile) | -| `latest-kaniko-sidecar` | kaniko | Sidecar used by other runner images to build containers without root privileges | -| `latest-ansible-k8s` | base-image + ansible, helm, kubectl, skopeo | Runner specialized for automated k8s deployments via ansible
For more Details see [Dockerfile](images/ansible-k8s/Dockerfile) | -| `latest-fullstacked` | base-image + maven, openjdk-11, nodejs, go, yarn, angular/cli, helm | Runner with a bunch of tools to build your hole application
For more Details see [Dockerfile](images/fullstacked/Dockerfile) | - -> Hint: `latest can be replaced with an spezfic release version for more stability` +| Name (tag) | Installed Tools/ Software | Description | +|-------------------------|-----------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------| +| `latest-base` | libffi-dev, libicu-dev, build-essential, libssl-dev, ca-certificates, jq, sed, grep, git, curl, wget, zip | Base runner with nothing fancy installed
[Dockerfile](images/base/Dockerfile) | +| `latest-kaniko-sidecar` | kaniko | Sidecar used by other runner images to build containers without root privileges | +| `latest-ansible-k8s` | base-image + ansible, helm, kubectl, skopeo | Runner specialized for automated k8s deployments via ansible
For more Details see [Dockerfile](images/ansible-k8s/Dockerfile) | +| `latest-fullstacked` | base-image + maven, openjdk-11, nodejs, go, yarn, angular/cli, helm | Runner with a bunch of tools to build your hole application
For more Details see [Dockerfile](images/fullstacked/Dockerfile) | + +> Hint: `latest` can be replaced with an specific release version for more stability in your environment. --- From 0f0a6377aef19ee5489119b6e7789458c1f07dd4 Mon Sep 17 00:00:00 2001 From: eksrha <58111764+eksrha@users.noreply.github.com> Date: Fri, 29 Apr 2022 19:08:26 +0200 Subject: [PATCH 3/4] add security scanning on pr --- .github/workflows/anchore.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/anchore.yml b/.github/workflows/anchore.yml index b6a1768..80e3f95 100644 --- a/.github/workflows/anchore.yml +++ b/.github/workflows/anchore.yml @@ -14,6 +14,8 @@ name: Anchore Container Scan on: push: branches: [ main ] + pull_request: + branches: [ main ] schedule: - cron: '45 5 * * 1' From 327e9543aa84330e7646ecfc38459a0417881380 Mon Sep 17 00:00:00 2001 From: eksrha <58111764+eksrha@users.noreply.github.com> Date: Fri, 29 Apr 2022 19:41:15 +0200 Subject: [PATCH 4/4] add anchore badge to readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index dbf1ec1..0a3708d 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ [![Create Release](https://github.com/fullstack-devops/github-actions-runner/actions/workflows/create-release.yml/badge.svg)](https://github.com/fullstack-devops/github-actions-runner/actions/workflows/create-release.yml) +[![Anchore Container Scan](https://github.com/fullstack-devops/github-actions-runner/actions/workflows/anchore.yml/badge.svg)](https://github.com/fullstack-devops/github-actions-runner/actions/workflows/anchore.yml) # GitHub Actions Custom Runner Container images with Github Actions Runner. Different flavored images with preinstalled tools and software for builds with limited internet access and non root privileges.
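Review bot: The new `pull_request` trigger also fires for pull requests opened from forks, where GitHub issues a read-only GITHUB_TOKEN and the job-level `security-events: write` grant is not honoured, so the SARIF upload step in this workflow will fail on those PRs instead of reporting. Gate the upload on the head repository being this one, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or accept the failure knowingly and say so in a comment next to the trigger. Do not switch to `pull_request_target` to obtain a write token: that would run the scan over untrusted PR content with write permissions. The upload step and the rest of the job lie outside this hunk.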