-
Notifications
You must be signed in to change notification settings - Fork 1
161 lines (142 loc) · 5.57 KB
/
docker-image-verify.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
name: Reusable GCR Vulnerability Docker container scanning
on:
workflow_call:
inputs:
working_directory:
required: false
type: string
default: "."
dockerfile_path:
required: false
type: string
default: Dockerfile
docker_image_name:
required: true
type: string
docker_image_tag:
required: true
type: string
scan_output_format:
required: false
type: string
default: "table(vulnerability.effectiveSeverity, vulnerability.cvssScore, noteName, vulnerability.packageIssue[0].affectedPackage, vulnerability.packageIssue[0].affectedVersion.name, vulnerability.packageIssue[0].fixedVersion.name)"
scan_remote:
required: false
type: boolean
default: true
jira_project:
required: false
type: string
default: 'CPDE'
jira_issuetype:
required: false
type: string
default: 'DevOps task'
jira_issue_creator:
required: false
type: string
default: 'githubot@intergiro.com'
secrets:
GCP_SERVICE_ACCOUNT:
required: true
WORKLOAD_IDENTITY_PROVIDER:
required: true
JIRA_BASE_URL:
required: true
JIRA_USER_EMAIL:
required: true
JIRA_API_TOKEN:
required: true
jobs:
docker-verify-image:
runs-on: [self-hosted, common]
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: Checkout
if: inputs.scan_remote == 'false'
uses: actions/checkout@v2
- name: Set up Docker Context for Buildx
if: inputs.scan_remote == 'false'
run: |
docker context create builders
- name: Set up Docker Buildx
if: inputs.scan_remote == 'false'
uses: docker/setup-buildx-action@v1
with:
version: latest
endpoint: builders
- name: Build image
if: inputs.scan_remote == 'false'
working-directory: ${{ inputs.working_directory }}
run: |
docker build . -f ${{ inputs.dockerfile_path }} -t ${{ inputs.docker_image_name }}:${{ inputs.docker_image_tag }}
- name: "Set up Cloud SDK"
uses: "google-github-actions/setup-gcloud@v0"
with:
install_components: 'local-extract'
- name: "Authenticate to Google Cloud"
id: auth
uses: "google-github-actions/auth@v0"
with:
service_account: "${{ secrets.GCP_SERVICE_ACCOUNT }}"
workload_identity_provider: "${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}"
- name: Scan Image
id: scan_image
run: |
SCAN_ID=$(gcloud artifacts docker images scan ${{ inputs.scan_remote == true && '--remote' || '' }} \
--format='value(response.scan)' \
${{ inputs.docker_image_name }}:${{ inputs.docker_image_tag }})
SCAN_OUTPUT=$(gcloud artifacts docker images list-vulnerabilities ${SCAN_ID} \
--format "${{ inputs.scan_output_format }}")
grep -q EFFECTIVE_SEVERITY <<< ${SCAN_OUTPUT} || EXIT_CODE=$?
if [[ ${EXIT_CODE} -eq 0 ]]; then
VULNERABILITIES_FOUND='true'
else
VULNERABILITIES_FOUND='false'
fi
# Escaping characters
SCAN_OUTPUT="${SCAN_OUTPUT//'%'/'%25'}"
SCAN_OUTPUT="${SCAN_OUTPUT//$'\n'/'%0A'}"
SCAN_OUTPUT="${SCAN_OUTPUT//$'\r'/'%0D'}"
echo ::set-output name=scan_output::"${SCAN_OUTPUT}"
echo ::set-output name=vulnerable::"${VULNERABILITIES_FOUND}"
[[ ${VULNERABILITIES_FOUND} == 'false' ]]
- name: Setup Jira cli
if: failure() && steps.scan_image.outputs.vulnerable == 'true'
uses: atlassian/gajira-cli@master
- name: Jira Login
if: failure() && steps.scan_image.outputs.vulnerable == 'true'
uses: atlassian/gajira-login@master
env:
JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
- name: Setting repo name
if: failure() && steps.scan_image.outputs.vulnerable == 'true'
run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
shell: bash
- name: Check Jira issue existence
if: failure() && steps.scan_image.outputs.vulnerable == 'true'
id: issue_check
env:
JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
run: |
JIRA_ISSUES_COUNT="$(jira list \
--query 'creator = "${{ inputs.jira_issue_creator }}" and project = ${{ inputs.jira_project }} and issuetype = "${{ inputs.jira_issuetype }}" and status not in (Done, Archived) and created >= "-30d" and labels = ${{ env.REPOSITORY_NAME }}' | wc -l)"
echo ::set-output name=issues_found::"${JIRA_ISSUES_COUNT}"
- name: Create Jira Issue
id: create_jira_issue
if: failure() && steps.issue_check.outputs.issues_found == 0 && steps.scan_image.outputs.vulnerable == 'true'
uses: atlassian/gajira-create@master
with:
project: ${{ inputs.jira_project }}
issuetype: ${{ inputs.jira_issuetype }}
summary: |
Fix Vulnerability Issues found in ${{ env.REPOSITORY_NAME }}
description: |
GitHub Actions Run: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
Results:
{noformat}${{ steps.scan_image.outputs.scan_output }}{noformat}
fields: '{"labels": ["${{ env.REPOSITORY_NAME }}"]}'