From baf82dcbe3270855876821a2636cdf187d5e20b9 Mon Sep 17 00:00:00 2001 From: chinyikuo Date: Fri, 5 Jul 2024 03:35:15 +0000 Subject: [PATCH 01/14] 0705 --- .github/workflows/image-scan.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index dd9a342..2a60c62 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -14,13 +14,13 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - # https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs + ## https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'ubuntu:impish-20210711' + image-ref: 'mysql:oracle' format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' \ No newline at end of file + severity: 'CRITICAL,HIGH' From 70f03c22a1d7e6da7ac038a59d615245bca109fa Mon Sep 17 00:00:00 2001 From: chinyikuo Date: Fri, 5 Jul 2024 03:38:25 +0000 Subject: [PATCH 02/14] 0705 --- .github/workflows/image-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 2a60c62..40fb5a1 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -9,7 +9,7 @@ on: jobs: scan: name: Scan Docker Image - runs-on: [runner-2, self-hosted] + runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v3 From 192cb5f8979e726398a601aa6961598ea10d370d Mon Sep 17 00:00:00 2001 From: chinyikuo Date: Fri, 5 Jul 2024 05:22:17 +0000 Subject: [PATCH 03/14] 0705Test --- .github/workflows/image-scan.yaml | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 40fb5a1..c87be1e 100644 
--- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -15,10 +15,30 @@ jobs: uses: actions/checkout@v3 ## https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs - - name: Run Trivy vulnerability scanner + - name: Nginx uses: aquasecurity/trivy-action@master with: - image-ref: 'mysql:oracle' + image-ref: 'nginx:latest' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + + - name: Wordpress + uses: aquasecurity/trivy-action@master + with: + image-ref: 'wordpress:latest' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + + - name: Mysql + uses: aquasecurity/trivy-action@master + with: + image-ref: 'mysql:8' format: 'table' exit-code: '1' ignore-unfixed: true From 78b7138daa886c0cb9b5bdb2112764090aed7445 Mon Sep 17 00:00:00 2001 From: chinyikuo Date: Fri, 5 Jul 2024 05:24:06 +0000 Subject: [PATCH 04/14] 0705test2 --- .github/workflows/image-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index c87be1e..56f0fca 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -9,7 +9,7 @@ on: jobs: scan: name: Scan Docker Image - runs-on: ubuntu-latest + runs-on: [runner-2, self-hosted] steps: - name: Checkout code uses: actions/checkout@v3 From d1263e4ecb6b956cbb58b49247c2e3cbcbbd4b2d Mon Sep 17 00:00:00 2001 From: chinyikuo Date: Fri, 5 Jul 2024 05:26:00 +0000 Subject: [PATCH 05/14] 0705-3 --- .github/workflows/image-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 56f0fca..9bd2d84 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml 
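Review bot: The two new scan steps (Wordpress, Mysql) in this hunk use `uses: aquasecurity/trivy-action@master`, a mutable branch reference, so the scanner that gates these images can change underneath the workflow without any change in this repository; pin it to a release tag or, better, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`, and the existing Nginx step above should get the same pin. Separately, `image-ref: 'nginx:latest'` and `image-ref: 'wordpress:latest'` make each run scan whatever the tag currently points to, so a passing run is not reproducible or attributable to a specific image; a fixed version tag or a digest would fix that. The three steps differ only in `name` and `image-ref`, so a `strategy.matrix` over the image list would remove the duplicated `with:` settings and keep the scan configuration in one place.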
@@ -9,7 +9,7 @@ on: jobs: scan: name: Scan Docker Image - runs-on: [runner-2, self-hosted] + runs-on: ubuntu:latest steps: - name: Checkout code uses: actions/checkout@v3 From 9e8e395f4cb8a96ae233c0d51abe0dcc80a15d65 Mon Sep 17 00:00:00 2001 From: chinyikuo Date: Fri, 5 Jul 2024 05:28:29 +0000 Subject: [PATCH 06/14] 0705-4 --- .github/workflows/image-scan.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 9bd2d84..78726fa 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -24,7 +24,6 @@ jobs: ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - - name: Wordpress uses: aquasecurity/trivy-action@master with: @@ -34,7 +33,6 @@ jobs: ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - - name: Mysql uses: aquasecurity/trivy-action@master with: From a274c8473c36a89ea0c0460807fadc5605474aeb Mon Sep 17 00:00:00 2001 From: chinyikuo Date: Fri, 5 Jul 2024 05:31:57 +0000 Subject: [PATCH 07/14] 0705-5 --- .github/workflows/image-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 78726fa..562fc46 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -9,7 +9,7 @@ on: jobs: scan: name: Scan Docker Image - runs-on: ubuntu:latest + runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v3 From 24c2b1d4f6ae9d8f2d50aa4d6e4f4381da44bb46 Mon Sep 17 00:00:00 2001 From: chinyikuo Date: Fri, 5 Jul 2024 05:35:13 +0000 Subject: [PATCH 08/14] 0705-6 --- .github/workflows/image-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 562fc46..718d2b4 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml 
@@ -38,7 +38,7 @@ jobs: with: image-ref: 'mysql:8' format: 'table' - exit-code: '1' + exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' From 0aa1e3834f973311ac67592ff12e46898822b4f3 Mon Sep 17 00:00:00 2001 From: chinyikuo Date: Fri, 5 Jul 2024 05:53:20 +0000 Subject: [PATCH 09/14] lesson --- .github/workflows/image-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 718d2b4..81ac0aa 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -9,7 +9,7 @@ on: jobs: scan: name: Scan Docker Image - runs-on: ubuntu-latest + runs-on: [runner-2, self-hosted] steps: - name: Checkout code uses: actions/checkout@v3 From 968aae92e7f0cbf2ea6ecab8873e950e28b163a1 Mon Sep 17 00:00:00 2001 From: chinyikuo Date: Fri, 5 Jul 2024 06:02:04 +0000 Subject: [PATCH 10/14] lesson --- .github/workflows/image-scan.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 81ac0aa..f8c8fb1 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -42,3 +42,7 @@ jobs: ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' + - name: Test + run: + docker ps + shell: bash From a8bc004dc128148a72cc74041706bb61ea095ec3 Mon Sep 17 00:00:00 2001 From: chinyikuo Date: Fri, 5 Jul 2024 06:07:45 +0000 Subject: [PATCH 11/14] lesson --- .github/workflows/image-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index f8c8fb1..1e20767 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -43,6 +43,6 @@ jobs: vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - name: Test - run: + run: | docker ps shell: bash From 15f535bc7a5222dc85eb52dce4408cbd2677e68a Mon Sep 17 00:00:00 2001 
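Review bot: Changing the Mysql step to `exit-code: '0'` means a CRITICAL or HIGH finding no longer fails the job, so the scan still prints a table but no longer gates anything; patch 13 makes the same change to the Nginx and Wordpress steps, leaving the workflow with no failing condition at all. If the intent is to tolerate specific known findings, keep `exit-code: '1'` and list the accepted IDs in a `.trivyignore` file (passed through the action's `trivyignores` input) so exceptions are explicit and reviewable. If the scan is deliberately advisory, say so next to the line, e.g. `# advisory only: findings are reported but do not fail the job`, so the missing gate is not mistaken for an oversight.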
From: chinyikou Date: Fri, 5 Jul 2024 14:11:39 +0800 Subject: [PATCH 12/14] Update image-scan.yaml --- .github/workflows/image-scan.yaml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 1e20767..610e06e 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -13,7 +13,6 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v3 - ## https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs - name: Nginx uses: aquasecurity/trivy-action@master @@ -24,25 +23,25 @@ jobs: ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - - name: Wordpress - uses: aquasecurity/trivy-action@master - with: + - name: Wordpress + uses: aquasecurity/trivy-action@master + with: image-ref: 'wordpress:latest' format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - - name: Mysql - uses: aquasecurity/trivy-action@master - with: + - name: Mysql + uses: aquasecurity/trivy-action@master + with: image-ref: 'mysql:8' format: 'table' exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - - name: Test - run: | + - name: Test + run: | docker ps - shell: bash + shell: bash From 814174612bcb05ea605841640709c40efdbe1d2f Mon Sep 17 00:00:00 2001 From: chinyikuo Date: Fri, 5 Jul 2024 06:21:19 +0000 Subject: [PATCH 13/14] lesson --- .cache/ans/single/compose.yaml | 6 +++--- .github/workflows/image-scan.yaml | 7 ++++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.cache/ans/single/compose.yaml b/.cache/ans/single/compose.yaml index babe355..d5133ef 100644 --- a/.cache/ans/single/compose.yaml +++ b/.cache/ans/single/compose.yaml @@ -1,7 +1,7 @@ services: nginx: image: nginx:latest - container_name: nginx + container_name: user1-nginx volumes: - ./nginx.conf:/etc/nginx/nginx.conf:ro ports: 
@@ -21,7 +21,7 @@ services: wordpress: image: wordpress:latest - container_name: wordpress + container_name: user1-wordpress environment: WORDPRESS_DB_HOST: db WORDPRESS_DB_USER: exampleuser @@ -43,7 +43,7 @@ services: db: image: mysql:8 - container_name: db + container_name: user-db environment: MYSQL_ROOT_PASSWORD: examplepass MYSQL_DATABASE: exampledb diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 610e06e..6951526 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -19,7 +19,7 @@ jobs: with: image-ref: 'nginx:latest' format: 'table' - exit-code: '1' + exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' @@ -28,7 +28,7 @@ jobs: with: image-ref: 'wordpress:latest' format: 'table' - exit-code: '1' + exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' @@ -43,5 +43,6 @@ jobs: severity: 'CRITICAL,HIGH' - name: Test run: | - docker ps + cd .cache/ans/single + docker compose up -d shell: bash From 0bcf3bb8455478a0ff1fa93729f37f27654f5c7e Mon Sep 17 00:00:00 2001 From: chinyikuo Date: Fri, 5 Jul 2024 06:23:51 +0000 Subject: [PATCH 14/14] lesson --- .cache/ans/single/compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cache/ans/single/compose.yaml b/.cache/ans/single/compose.yaml index d5133ef..4915927 100644 --- a/.cache/ans/single/compose.yaml +++ b/.cache/ans/single/compose.yaml @@ -43,7 +43,7 @@ services: db: image: mysql:8 - container_name: user-db + container_name: user1-db environment: MYSQL_ROOT_PASSWORD: examplepass MYSQL_DATABASE: exampledb
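Review bot: The Test step in the image-scan.yaml hunks now runs `docker compose up -d` inside `.cache/ans/single` and never tears the stack down, so the containers with the fixed `container_name` values from compose.yaml persist after the job; on a reused runner the next run will likely fail on a name conflict or silently test stale containers. Add a cleanup step that always runs, `- name: Tear down` / `if: always()` / `run: docker compose -f .cache/ans/single/compose.yaml down -v`, after the Test step. Together with the `exit-code: '0'` changes in the same file, the stack is brought up regardless of what the scans reported, so the scan no longer stands between the image and the deployment. The `runs-on` line is outside these hunks, but patch 09 set it to `[runner-2, self-hosted]`, in which case the leftover containers and the `MYSQL_ROOT_PASSWORD: examplepass` visible in the compose.yaml context stay live on that host between runs.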