Update main.yml #43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CICD-Workshop | |
on: | |
push: | |
branches: | |
# 1.The pipeline should be triggered whenever this is a push to a branch name with the following pattern release/v<digit>.<digit> | |
- 'v[0-9]+.[0-9]+' | |
jobs: | |
security-scan: | |
# 8.The pipeline should not run if the commit message starts with #NORUN even | |
# if the branch name has the correct pattern. | |
# For example, the following push will not trigger your workflow | |
if: ${{ startsWith(github.event.head_commit.message, '#NORUN') != true }} | |
runs-on: ubuntu-latest | |
outputs: | |
total: ${{ steps.generate-secret.outputs.total }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Set timezone | |
run: | | |
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime | |
# 2.Perform a scan of the branch that triggered the workflow and generate a report in the table format | |
- name: Run Trivy vulnerability scanner in repo mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
ignore-unfixed: true | |
format: 'table' | |
output: 'trivy-results.txt' | |
severity: 'CRITICAL,HIGH' | |
- name: Count Critical and High vulnerabilities | |
id: count_vulnerabilities | |
run: | | |
if grep -q -e "CRITICAL" -e "HIGH" trivy-results.txt; then | |
echo "File contains" | |
else | |
echo "File does not contain" | |
fi | |
critical_count=$(grep 'CRITICAL' trivy-results.txt | wc -l) | |
high_count=$(grep 'HIGH' trivy-results.txt | wc -l) | |
total_count=$(($critical_count + $high_count)) | |
echo "total=$total_count" >> "$GITHUB_OUTPUT" | |
echo $total_count | |
# 3.If any vulnerabilities are found in the code base, | |
# send a message to the provided Slack channel. | |
# Upload the report produced in step 2 to the Slack channel. | |
send-message: | |
needs: [security-scan] | |
if: ${{ needs.security-scan.outputs.total > '1' }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: test | |
run: | | |
echo test | |
# - name: Send message to Slack | |
# uses: rtCamp/action-slack-notify@v2 | |
# env: | |
# SLACK_COLOR: '#FF0000' | |
# SLACK_TITLE: "Scan failed - Yway Chit Aung" | |
# SLACK_MESSAGE: | | |
# Failed trivy scan, see uploaded report | |
# SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} | |
# # Upload the report file to Slack | |
# - uses: MeilCli/slack-upload-file@v3 | |
# with: | |
# slack_token: ${{ secrets.SLACK_TOKEN }} | |
# channel_id: ${{ secrets.SLACK_CHANNEL_ID }} | |
# file_path: 'trivy-results.txt' | |
# initial_comment: 'Scan report by Yway Chit Aung' | |
# 4.If the scan produces no vulnerabilities, | |
# then containerized the application with the Dockerfile found in the source. | |
# You can use any image name but the image tag should be the GitHub commit hash; | |
build-and-push-docker: | |
needs: [send-message] | |
if: success() | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Set timezone | |
run: | | |
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime | |
- name: Login to Docker Hub | |
uses: docker/login-action@v1 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
# 5. After successfully building the image, push the image to your Docker Hub account. | |
- name: Push Docker Image | |
uses: docker/build-push-action@v5 | |
id: build-and-push | |
with: | |
push: true | |
tags: cleverest/test:${{ github.sha }} | |
# 6. Digitally sign the image that you have built and push in steps 4 and 5 | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@v3.5.0 | |
with: | |
cosign-release: 'v2.2.4' | |
- name: Digitally sign the image | |
run: | | |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${TAGS}@${DIGEST}" | |
env: | |
TAGS: cleverest/test:${{ github.sha }} | |
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
DIGEST: ${{ steps.build-and-push.outputs.digest }} | |
# 7.Send a notification to Slack on the successful run of the workflow. | |
# The notification should include all the following information | |
# - name: Send GitHub Action trigger data to Slack workflow | |
# uses: rtCamp/action-slack-notify@v2 | |
# env: | |
# SLACK_TITLE: "Image build and signed" | |
# SLACK_MESSAGE: | | |
# Name: Yway Chit Aung | |
# Matriculation: A0287270Y | |
# Email: e1285216@u.nus.edu | |
# GitHub: https://github.com/ywaychitaung/CI-CD-Workshop.git | |
# Docker: https://hub.docker.com/repository/docker/ywaychitaung/ci-cd-workshop/general | |
# SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} |