Merge pull request #1009 from NASA-PDS/devops#76
Image vulnerability scanning in support of safer devops
jordanpadams authored Sep 27, 2024
2 parents a47d8b0 + 124afa4 commit 78115b9
Showing 3 changed files with 46 additions and 4 deletions.
21 changes: 19 additions & 2 deletions .github/workflows/stable-cicd.yaml
Expand Up @@ -14,7 +14,7 @@
# A *private* key with which we can sign artifacts.
# ``OSSRH_USERNAME``
# Username for the Central Repository.
# ``OSSRH_USERNAME``
# ``OSSRH_PASSWORD``
# Password for the Central Repository.
#

Expand Down Expand Up @@ -102,8 +102,25 @@ jobs:
name: 🚢 Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: 🧱 Image Construction and Publication
name: 🧱 Image Construction and Local Publication
uses: docker/build-push-action@v6
with:
context: ./
file: ./docker/Dockerfile
build-args: tar_file=${{steps.gettartag.outputs.tar_file}}
platforms: linux/amd64,linux/arm64
push: false
load: true
tags: ${{secrets.DOCKERHUB_USERNAME}}/validate:${{steps.gettartag.outputs.image_tag}}
-
name: 🕵️‍♂️ Image Vulnerability Scanning
uses: anchore/scan-action@v4
with:
fail-build: true
severity-cutoff: critical
image: ${{secrets.DOCKERHUB_USERNAME}}/validate:${{steps.gettartag.outputs.image_tag}}
-
name: 🧱 Image Construction and Remote Publication
with:
context: ./
file: ./docker/Dockerfile
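Review bot: The image that gets published is not the image that was scanned: the new scanning step checks the locally loaded build, but `Image Construction and Remote Publication` starts an independent build (`context`/`file` repeated; the rest of that step lies outside the hunk), so a base-image or dependency change pulled in between the two builds is not covered by the critical-severity gate. In addition, `load: true` combined with the retained `platforms: linux/amd64,linux/arm64` is a known buildx limitation — the docker exporter cannot load a multi-platform manifest list — so the local build step is likely to fail unless the runner's docker uses the containerd image store. Consider restricting the scan build to one platform (`platforms: linux/amd64`) or exporting the multi-arch build as an OCI archive and scanning that, and then publishing the same build (same cache / `buildx imagetools`) rather than an unrelated rebuild. Pinning `anchore/scan-action@v4` and `docker/build-push-action@v6` to commit SHAs rather than floating tags would also make the gate itself harder to subvert through a moved tag.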
21 changes: 19 additions & 2 deletions .github/workflows/unstable-cicd.yaml
Expand Up @@ -14,7 +14,7 @@
# A *private* key with which we can sign artifacts.
# ``OSSRH_USERNAME``
# Username for the Central Repository.
# ``OSSRH_USERNAME``
# ``OSSRH_PASSWORD``
# Password for the Central Repository.


Expand Down Expand Up @@ -109,8 +109,25 @@ jobs:
file: ./docker/Dockerfile
build-args: tar_file=${{steps.gettar.outputs.tar_file}}
platforms: linux/amd64,linux/arm64
push: true
push: false
load: true
tags: ${{secrets.DOCKERHUB_USERNAME}}/validate:latest
-
name: 🕵️‍♂️ Image Vulnerability Scanning
uses: anchore/scan-action@v4
with:
fail-build: true
severity-cutoff: critical
image: ${{secrets.DOCKERHUB_USERNAME}}/validate:${{steps.gettartag.outputs.image_tag}}
-
name: 🧱 Image Construction and Remote Publication
with:
context: ./
file: ./docker/Dockerfile
build-args: tar_file=${{steps.gettartag.outputs.tar_file}}
platforms: linux/amd64,linux/arm64
push: true
tags: ${{secrets.DOCKERHUB_USERNAME}}/validate:${{steps.gettartag.outputs.image_tag}}

...

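Review bot: The scanning step's `image:` uses `${{steps.gettartag.outputs.image_tag}}`, but the local build it is meant to check tags the image `validate:latest`, and this workflow's unchanged build-args line reads `steps.gettar.outputs.tar_file`; if no step with id `gettartag` exists in this file (its definition would be outside the hunk), the expression expands to empty and the scan targets `…/validate:` instead of the image just loaded, so the gate fails on the wrong thing rather than on the build. The new `Image Construction and Remote Publication` step also has `with:` but no `uses:` (the step is fully visible and ends at the `...` document marker), which GitHub rejects as an invalid step, and it repeats the `gettartag` reference and pushes a tag this unstable workflow otherwise never produced. The rewrite below scans `latest`, adds `uses: docker/build-push-action@v6`, and makes the publication step use the same `gettar` output and `latest` tag as the local build. Separately, `load: true` with two `platforms` is likely to fail because buildx's docker exporter cannot load a manifest list; a single platform for the scan build avoids that.
```yaml
          # … unchanged: fail-build, severity-cutoff …
          image: ${{secrets.DOCKERHUB_USERNAME}}/validate:latest
      -
        name: 🧱 Image Construction and Remote Publication
        uses: docker/build-push-action@v6
        with:
          # … unchanged: context, file …
          build-args: tar_file=${{steps.gettar.outputs.tar_file}}
          # … unchanged: platforms, push: true …
          tags: ${{secrets.DOCKERHUB_USERNAME}}/validate:latest
```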
8 changes: 8 additions & 0 deletions .pre-commit-config.yaml
Expand Up @@ -17,3 +17,11 @@ repos:
- --exclude-files '\.git.*'
- --exclude-files '\.pre-commit-config\.yaml'
- --exclude-files 'target'
- repo: local
hooks:
- id: grype-cve-scan
name: Grype Vulnerability Scan
description: Scans for dependency vulnerabilities. Fails if CRITICAL vulnerabilities detected.
entry: python3 -c "import os; import subprocess; import sys; os.environ['GRYPE_DB_AUTO_UPDATE'] = 'false'; result=subprocess.run(['grype', 'dir:.', '--fail-on', 'critical'], capture_output=True); print(result.stdout.decode()); print('CRITICAL level vulnerabilities found. To address issues, run scan via `grype dir:.`, then `git add` followed by `git commit` your fix or ignore via `git commit --no-verify`') if result.returncode != 0 else print('No CRITICAL level vulnerabilities found.'); sys.exit(result.returncode)"
language: system
verbose: true
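Review bot: The hook's `entry:` hides why grype failed: `capture_output=True` swallows stderr, which is never printed, and every non-zero exit — including a missing or unreadable vulnerability database, which `GRYPE_DB_AUTO_UPDATE='false'` makes likely on a fresh machine — is reported as "CRITICAL level vulnerabilities found". Dropping `capture_output=True` so grype's own stdout/stderr reach the terminal, and removing the now-redundant `print(result.stdout.decode())`, is enough to make the real cause visible while keeping `sys.exit(result.returncode)`. With auto-update disabled the outcome depends on whatever DB is cached locally, so the `description:` should say that `grype db update` is expected to be run regularly, otherwise the "no CRITICAL vulnerabilities" message gives false assurance. A Python program crammed into a one-line `entry:` is also hard to review and edit; the conventional shape is a small script in the repository invoked by the hook, with a comment noting that `language: system` assumes `grype` is already on PATH.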

