diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000000..c07e076d1a --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,99 @@ +env: + SYSDIG_SECURE_ENDPOINT: "https://app.us4.sysdig.com/secure" + REGISTRY_HOST: "docker.io" + +name: CIWF + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + build-and-scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout source code + uses: actions/checkout@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Log in to DockerHub + run: echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin + + - name: Build vote image + run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest ./vote + + - name: Build worker image + run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest ./worker + + - name: Build result image + run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest ./result + + - name: Push vote image + run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest + + - name: Push worker image + run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest + + - name: Push result image + run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest + + - name: Setup cache + uses: actions/cache@v3 + with: + path: cache + key: ${{ runner.os }}-cache-${{ hashFiles('**/sysdig-cli-scanner', '**/latest_version.txt', '**/db/main.db.meta.json', '**/scanner-cache/inlineScannerCache.db') }} + restore-keys: ${{ runner.os }}-cache- + + - name: Download sysdig-cli-scanner if needed + run: | + curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt + mkdir -p ${GITHUB_WORKSPACE}/cache/db/ + if [ ! -f ${GITHUB_WORKSPACE}/cache/latest_version.txt ] || [ $(cat ./latest_version.txt) != $(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt) ]; then + cp ./latest_version.txt ${GITHUB_WORKSPACE}/cache/latest_version.txt + curl -sL -o ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner" + chmod +x ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner + else + echo "sysdig-cli-scanner latest version already downloaded" + fi + + - name: Scan vote image with Sysdig + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} + run: | + ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ + --apiurl ${SYSDIG_SECURE_ENDPOINT} \ + docker://${REGISTRY_HOST}/${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \ + --console-log \ + --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ + --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ + + - name: Scan worker image with Sysdig + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} + run: | + ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ + --apiurl ${SYSDIG_SECURE_ENDPOINT} \ + ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest \ + --console-log \ + --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ + --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ + + - name: Scan result image with Sysdig + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} + run: | + ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ + --apiurl ${SYSDIG_SECURE_ENDPOINT} \ + ${{ secrets.DOCKER_USERNAME }}/voting-app-results:latest \ + --console-log \ + --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ + --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ + + diff --git a/.github/workflows/iac-scan.yaml b/.github/workflows/iac-scan.yaml new file mode 100644 index 0000000000..f177eb1b42 --- /dev/null +++ b/.github/workflows/iac-scan.yaml @@ -0,0 +1,47 @@ +env: + SYSDIG_SECURE_ENDPOINT: "https://app.us4.sysdig.com/secure" + +name: IaC Scan + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + scan-iac: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Setup cache + uses: actions/cache@v3 + with: + path: cache + key: ${{ runner.os }}-cache-${{ hashFiles('**/sysdig-cli-scanner', '**/latest_version.txt', '**/db/main.db.meta.json', '**/scanner-cache/inlineScannerCache.db') }} + restore-keys: ${{ runner.os }}-cache- + + - name: Download sysdig-cli-scanner if needed + run: | + curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt + mkdir -p ${GITHUB_WORKSPACE}/cache/db/ + if [ ! -f ${GITHUB_WORKSPACE}/cache/latest_version.txt ] || [ $(cat ./latest_version.txt) != $(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt) ]; then + cp ./latest_version.txt ${GITHUB_WORKSPACE}/cache/latest_version.txt + curl -sL -o ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner" + chmod +x ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner + else + echo "sysdig-cli-scanner latest version already downloaded" + fi + + - name: Scan IaC with Sysdig CLI + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} + run: | + ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ + --apiurl ${SYSDIG_SECURE_ENDPOINT} --iac -r -f H \ + ./k8s-specifications