From 124afa4213cdfc958bb4b30b56b2e123198b7f2d Mon Sep 17 00:00:00 2001
From: Sean Kelly
Date: Fri, 27 Sep 2024 10:15:34 -0500
Subject: [PATCH] Support of devops#76
---
 .github/workflows/stable-cicd.yaml | 21 +++++++++++++++++++--
 .github/workflows/unstable-cicd.yaml | 21 +++++++++++++++++++--
 .pre-commit-config.yaml | 8 ++++++++
 3 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/stable-cicd.yaml b/.github/workflows/stable-cicd.yaml
index 99990e181..1ba0f124b 100644
--- a/.github/workflows/stable-cicd.yaml
+++ b/.github/workflows/stable-cicd.yaml
@@ -14,7 +14,7 @@
 # A *private* key with which we can sign artifacts.
 # ``OSSRH_USERNAME``
 # Username for the Central Repository.
-# ``OSSRH_USERNAME``
+# ``OSSRH_PASSWORD``
 # Password for the Central Repository.
 #
@@ -102,8 +102,25 @@ jobs:
 name: 🚢 Docker Buildx
 uses: docker/setup-buildx-action@v3
 -
- name: 🧱 Image Construction and Publication
+ name: 🧱 Image Construction and Local Publication
 uses: docker/build-push-action@v6
+ with:
+ context: ./
+ file: ./docker/Dockerfile
+ build-args: tar_file=${{steps.gettartag.outputs.tar_file}}
+ platforms: linux/amd64,linux/arm64
+ push: false
+ load: true
+ tags: ${{secrets.DOCKERHUB_USERNAME}}/validate:${{steps.gettartag.outputs.image_tag}}
+ -
+ name: 🕵️‍♂️ Image Vulnerability Scanning
+ uses: anchore/scan-action@v4
+ with:
+ fail-build: true
+ severity-cutoff: critical
+ image: ${{secrets.DOCKERHUB_USERNAME}}/validate:${{steps.gettartag.outputs.image_tag}}
+ -
+ name: 🧱 Image Construction and Remote Publication
 with:
 context: ./
 file: ./docker/Dockerfile
diff --git a/.github/workflows/unstable-cicd.yaml b/.github/workflows/unstable-cicd.yaml
index c61ad542b..2155c9ee2 100644
--- a/.github/workflows/unstable-cicd.yaml
+++ b/.github/workflows/unstable-cicd.yaml
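Review bot: The new `Image Construction and Remote Publication` step at the end of this hunk has a `with:` block but no `uses:` — the original `uses: docker/build-push-action@v6` line stayed with the renamed Local step, so the Remote step is just a `name:` followed by inputs, which GitHub Actions rejects as an invalid step (it needs `uses` or `run`); add `uses: docker/build-push-action@v6` between its `name:` and `with:` lines, and the same omission is in the unstable-cicd.yaml hunk. The unstable counterpart additionally tags the locally loaded image `:latest` but scans `validate:${{steps.gettartag.outputs.image_tag}}` while its own build-args reference `steps.gettar`, so unless a `gettartag` step exists elsewhere in that file the scan points at an image that was never loaded. `load: true` combined with `platforms: linux/amd64,linux/arm64` is also worth verifying: buildx presumably cannot load a multi-platform manifest list into the local daemon, in which case the Local step fails before the scan runs. `anchore/scan-action@v4` is pinned to a moving major tag; since this step is the gate that decides whether the image is published, pinning it to a full commit SHA prevents a retagged release from silently changing the gate. The step list continues outside the hunk.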
@@ -14,7 +14,7 @@
 # A *private* key with which we can sign artifacts.
 # ``OSSRH_USERNAME``
 # Username for the Central Repository.
-# ``OSSRH_USERNAME``
+# ``OSSRH_PASSWORD``
 # Password for the Central Repository.
@@ -109,8 +109,25 @@ jobs:
 file: ./docker/Dockerfile
 build-args: tar_file=${{steps.gettar.outputs.tar_file}}
 platforms: linux/amd64,linux/arm64
- push: true
+ push: false
+ load: true
 tags: ${{secrets.DOCKERHUB_USERNAME}}/validate:latest
+ -
+ name: 🕵️‍♂️ Image Vulnerability Scanning
+ uses: anchore/scan-action@v4
+ with:
+ fail-build: true
+ severity-cutoff: critical
+ image: ${{secrets.DOCKERHUB_USERNAME}}/validate:${{steps.gettartag.outputs.image_tag}}
+ -
+ name: 🧱 Image Construction and Remote Publication
+ with:
+ context: ./
+ file: ./docker/Dockerfile
+ build-args: tar_file=${{steps.gettartag.outputs.tar_file}}
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: ${{secrets.DOCKERHUB_USERNAME}}/validate:${{steps.gettartag.outputs.image_tag}}
...
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8c598c9f9..4f6552315 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -17,3 +17,11 @@ repos:
 - --exclude-files '\.git.*'
 - --exclude-files '\.pre-commit-config\.yaml'
 - --exclude-files 'target'
+- repo: local
+ hooks:
+ - id: grype-cve-scan
+ name: Grype Vulnerability Scan
+ description: Scans for dependency vulnerabilities. Fails if CRITICAL vulnerabilities detected.
+ entry: python3 -c "import os; import subprocess; import sys; os.environ['GRYPE_DB_AUTO_UPDATE'] = 'false'; result=subprocess.run(['grype', 'dir:.', '--fail-on', 'critical'], capture_output=True); print(result.stdout.decode()); print('CRITICAL level vulnerabilities found. To address issues, run scan via `grype dir:.`, then `git add` followed by `git commit` your fix or ignore via `git commit --no-verify`') if result.returncode != 0 else print('No CRITICAL level vulnerabilities found.'); sys.exit(result.returncode)"
+ language: system
+ verbose: true
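Review bot: The `entry:` one-liner in the `.pre-commit-config.yaml` hunk prints `CRITICAL level vulnerabilities found.` for any nonzero exit from grype, but with `capture_output=True` only `result.stdout` is echoed, so a tool failure — presumably the case when `GRYPE_DB_AUTO_UPDATE` is forced to `'false'` and no database has been downloaded yet — is swallowed and misreported as a finding; add `print(result.stderr.decode(), file=sys.stderr)` before the message so the real cause is visible. Disabling the database auto-update also means the gate quietly degrades as each developer's local DB ages, so either allow the update or print the DB date alongside the result. A several-hundred-character `python3 -c` string inside YAML cannot be linted, tested or cleanly diffed; moving it into a tracked script (e.g. `scripts/grype_precommit.py`, placeholder path) with `entry: python3 scripts/grype_precommit.py` keeps the same behaviour. Since `language: system` ties the hook to whichever grype version each machine has on PATH, the CI-side scan rather than this hook should remain the authoritative gate.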