From 4434d7bb4d726f41e12672f2b475ac9efc41cc8b Mon Sep 17 00:00:00 2001 From: kimgoetzke <120580433+kimgoetzke@users.noreply.github.com> Date: Wed, 8 Feb 2023 10:51:16 +0000 Subject: [PATCH 1/7] Update branch and empty release notes --- latest-release-notes.txt | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/latest-release-notes.txt b/latest-release-notes.txt index 12605b3..9a5a671 100644 --- a/latest-release-notes.txt +++ b/latest-release-notes.txt @@ -1,3 +1 @@ -- Renamed workflow steps to allow easier selection to make branch protection rules easier to set up -- Updated README.md -- Added branch protection \ No newline at end of file +- ... \ No newline at end of file From b712455099fb551b08292519c074e1f270ef289b Mon Sep 17 00:00:00 2001 From: kimgoetzke <120580433+kimgoetzke@users.noreply.github.com> Date: Thu, 9 Feb 2023 09:07:59 +0000 Subject: [PATCH 2/7] Add Trivy vulnerability scan --- .github/workflows/basic-ci-feature-workflow.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/basic-ci-feature-workflow.yml b/.github/workflows/basic-ci-feature-workflow.yml index 10edee1..0c54898 100644 --- a/.github/workflows/basic-ci-feature-workflow.yml +++ b/.github/workflows/basic-ci-feature-workflow.yml @@ -45,3 +45,14 @@ jobs: registry: docker.io username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'docker.io/${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.DOCKERHUB_REPOSITORY }}:${{ github.sha }}' + output: 'trivy-results' + exit-code: '1' + severity: 'CRITICAL,HIGH' + env: + TRIVY_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + TRIVY_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }} + From 3fc20bb4feaec97f9b90cfbc8c65cd14d8b9a19d Mon Sep 17 00:00:00 2001 
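Review bot: `uses: aquasecurity/trivy-action@master` floats a security gate on a mutable branch, so the scanner code executing in this job can change without any commit to this repository; pin it to a release tag or, better, a full commit SHA with the tag noted alongside, e.g. `uses: aquasecurity/trivy-action@<pinned-commit-sha>  # <release tag>`. Judging by the `registry`/`username`/`password` context lines it follows, the step is appended after the registry login/push, so a failing scan only fires after the image is already published; if the scan is meant to gate publication it belongs between build and push, scanning the locally built image. `image-ref` also interpolates `secrets.DOCKERHUB_USERNAME` into a non-secret value, which will mask the namespace in every log line the runner prints; a plain repository variable for the username would avoid that. The trailing empty `+` line leaves a blank line at end of file.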
From: kimgoetzke <120580433+kimgoetzke@users.noreply.github.com> Date: Thu, 9 Feb 2023 09:12:23 +0000 Subject: [PATCH 3/7] Fix indentation error --- .github/workflows/basic-ci-feature-workflow.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/basic-ci-feature-workflow.yml b/.github/workflows/basic-ci-feature-workflow.yml index 0c54898..ef293f3 100644 --- a/.github/workflows/basic-ci-feature-workflow.yml +++ b/.github/workflows/basic-ci-feature-workflow.yml @@ -49,10 +49,11 @@ jobs: uses: aquasecurity/trivy-action@master with: image-ref: 'docker.io/${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.DOCKERHUB_REPOSITORY }}:${{ github.sha }}' + format: 'table' output: 'trivy-results' exit-code: '1' severity: 'CRITICAL,HIGH' - env: - TRIVY_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - TRIVY_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }} + env: + TRIVY_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + TRIVY_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }} From af2763a88e7ed669722becedbef18516fbc2efa8 Mon Sep 17 00:00:00 2001 From: kimgoetzke <120580433+kimgoetzke@users.noreply.github.com> Date: Thu, 9 Feb 2023 09:15:38 +0000 Subject: [PATCH 4/7] Amend image ref name --- .github/workflows/basic-ci-feature-workflow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/basic-ci-feature-workflow.yml b/.github/workflows/basic-ci-feature-workflow.yml index ef293f3..66b497d 100644 --- a/.github/workflows/basic-ci-feature-workflow.yml +++ b/.github/workflows/basic-ci-feature-workflow.yml @@ -48,7 +48,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'docker.io/${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.DOCKERHUB_REPOSITORY }}:${{ github.sha }}' + image-ref: 'docker.io/${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.DOCKERHUB_REPOSITORY }}:${{ github.ref_name }}_latest' format: 'table' output: 'trivy-results' exit-code: '1' 
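Review bot: Switching `image-ref` to the `${{ github.ref_name }}_latest` tag scans a mutable tag rather than the exact image this run built, so a concurrent or later run on the same branch can overwrite it between push and scan and the pass/fail result no longer describes this commit's artifact. The README in this series says a `feature-{name}_v{github.run_number}` tag is created alongside `_latest`; assuming the push step tags with that form, `image-ref: 'docker.io/${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.DOCKERHUB_REPOSITORY }}:${{ github.ref_name }}_v${{ github.run_number }}'` pins the scan to the immutable artifact. `github.ref_name` is also used unescaped in the tag; branch names containing `/` are valid Git refs but not valid Docker tags, though the `feature-` naming convention may already rule that out in practice.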
From 2396365f91741d422bbbb57ed68cb9ce22602bd0 Mon Sep 17 00:00:00 2001 From: kimgoetzke <120580433+kimgoetzke@users.noreply.github.com> Date: Thu, 9 Feb 2023 09:27:08 +0000 Subject: [PATCH 5/7] Test JSON output and remove exit code 1 --- .github/workflows/basic-ci-feature-workflow.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/basic-ci-feature-workflow.yml b/.github/workflows/basic-ci-feature-workflow.yml index 66b497d..378ffc0 100644 --- a/.github/workflows/basic-ci-feature-workflow.yml +++ b/.github/workflows/basic-ci-feature-workflow.yml @@ -49,9 +49,9 @@ jobs: uses: aquasecurity/trivy-action@master with: image-ref: 'docker.io/${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.DOCKERHUB_REPOSITORY }}:${{ github.ref_name }}_latest' - format: 'table' - output: 'trivy-results' - exit-code: '1' + format: 'json' + output: 'trivy-results.json' + exit-code: '0' severity: 'CRITICAL,HIGH' env: TRIVY_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} From 9475fbf7e646a9f8b32614231584d69beced2feb Mon Sep 17 00:00:00 2001 From: kimgoetzke <120580433+kimgoetzke@users.noreply.github.com> Date: Thu, 9 Feb 2023 09:43:56 +0000 Subject: [PATCH 6/7] Upload Trivy report as artifact --- .github/workflows/basic-ci-feature-workflow.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/basic-ci-feature-workflow.yml b/.github/workflows/basic-ci-feature-workflow.yml index 378ffc0..c99d11d 100644 --- a/.github/workflows/basic-ci-feature-workflow.yml +++ b/.github/workflows/basic-ci-feature-workflow.yml @@ -56,4 +56,9 @@ jobs: env: TRIVY_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} TRIVY_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Upload Trivy results + uses: actions/upload-artifact@v3 + with: + name: trivy-vulnerability-scan-result + path: trivy-results.json From 823467589ce27334a88eb2ca5b5fbc766a84ea7f Mon Sep 17 00:00:00 2001 
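Review bot: The `Upload Trivy results` step has no `if:` condition, so it takes the default `success()` and is skipped whenever the scan step fails — which, once `exit-code` is set back to `'1'` in the final commit of this series, is exactly the run whose report you want to read. Add `if: always()` (or `if: ${{ !cancelled() }}`) on the upload step so `trivy-results.json` is attached to failed runs as well. The step is the last one visible in the hunk; the job's end lies outside it.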
From: kimgoetzke <120580433+kimgoetzke@users.noreply.github.com> Date: Thu, 9 Feb 2023 10:03:14 +0000 Subject: [PATCH 7/7] Update README.md and latest_release_notes.txt --- .github/workflows/basic-ci-feature-workflow.yml | 4 ++-- README.md | 10 ++++++---- latest-release-notes.txt | 2 +- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/basic-ci-feature-workflow.yml b/.github/workflows/basic-ci-feature-workflow.yml index c99d11d..c26030c 100644 --- a/.github/workflows/basic-ci-feature-workflow.yml +++ b/.github/workflows/basic-ci-feature-workflow.yml @@ -51,8 +51,8 @@ jobs: image-ref: 'docker.io/${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.DOCKERHUB_REPOSITORY }}:${{ github.ref_name }}_latest' format: 'json' output: 'trivy-results.json' - exit-code: '0' - severity: 'CRITICAL,HIGH' + exit-code: '1' + severity: 'CRITICAL' env: TRIVY_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} TRIVY_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }} diff --git a/README.md b/README.md index a4e2fe0..74f521b 100644 --- a/README.md +++ b/README.md @@ -14,9 +14,11 @@ Branches created with a name starting with `feature-` trigger the GitHub Actions 2. Build application, run all tests and build scan 3. Upload Gradle build reports and attach as artifact to action 4. Upload Jacoco test coverage reports and attach as artifact to action -5. Create Docker image and upload to DockerHub +5. Create Docker images and upload to DockerHub +6. Run Trivy vulnerability scan and fail if critical vulnerabilities detected* +7. Upload vulnerability scan results as artifact to action -Docker images are named automatically: `feature-{name}-v{github.run_number}`. +A new Docker image `feature-{name}_v{github.run_number}` is created and `feature-{name}_latest` is overwritten. ### Main/release workflow 
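Review bot: Narrowing `severity` to `'CRITICAL'` changes more than the failure threshold: Trivy's severity option filters which findings are reported at all, so HIGH vulnerabilities also drop out of `trivy-results.json` and the uploaded artifact stops recording them. If the intent is to fail only on CRITICAL while still reporting HIGH, keep the existing step as the report (`severity: 'CRITICAL,HIGH'`, `exit-code: '0'`) and add a second, report-free step that only gates; the two-step form is sketched below. The scan step's `env` block and the upload step that follows it are outside what this hunk changes.
```yaml
      # … unchanged: report step with format: 'json', exit-code: '0', severity: 'CRITICAL,HIGH' …
      - name: Fail on critical vulnerabilities
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.DOCKERHUB_REPOSITORY }}:${{ github.ref_name }}_latest'
          format: 'table'
          exit-code: '1'
          severity: 'CRITICAL'
        # … unchanged: env with TRIVY_USERNAME / TRIVY_PASSWORD as in the report step …
```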
@@ -26,11 +28,11 @@ Only branches with the `feature-` prefix are permitted to push to main. Changes 2. Set up Java 3. Validate Gradle wrapper 2. Build application, run all tests and build scan -3. Create Docker image and upload to DockerHub +3. Create Docker images and upload to DockerHub 4. Create a release on GitHub 5. Use content of `latest_release_notes.txt` as release notes body -Docker images are named automatically: `main-v{github.run_number}`. Release is named `v{github.run_number}`. +A new Docker image `main_v{github.run_number}` is created and `main_latest` is overwritten. Release is named `v{github.run_number}`. ### Branch protection ![ci-diagram.svg](ci-diagram.svg) \ No newline at end of file diff --git a/latest-release-notes.txt b/latest-release-notes.txt index 9a5a671..5ee701d 100644 --- a/latest-release-notes.txt +++ b/latest-release-notes.txt @@ -1 +1 @@ -- ... \ No newline at end of file +- Added Trivy vulnerability scans to feature workflow \ No newline at end of file