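---
# Reusable workflow: lint the Dockerfile (Hadolint), build the image, scan it
# with Trivy, post the results on the pull request and optionally push the
# image to a registry. Invoked from a caller workflow via
# `uses: <owner>/<repo>/.github/workflows/docker-build.yml@<ref>`.
#
# Permissions the caller must grant on GITHUB_TOKEN for every step to work:
#   contents: read        (actions/checkout)
#   pull-requests: write  (actions/github-script createComment)
# A called workflow can only keep or reduce the caller's permissions, and
# pull requests from forks get a read-only token, so the comment steps may
# fail there even when the caller grants write access.
name: Build, Test and Push Docker Image

# yamllint disable-line rule:truthy -- `on` is the GitHub Actions trigger key
on:
  workflow_call:
    inputs:
      dockerfile:
        description: 'Path to Dockerfile'
        default: 'Dockerfile'
        type: string
      image-name:
        description: 'Name of Docker Image'
        type: string
        required: true
      image-tag:
        description: 'Tag of Docker Image'
        type: string
        required: true
      security-scan:
        description: 'Enable Security Scan'
        default: true
        type: boolean
      hadolint:
        description: 'Enable Hadolint'
        default: true
        type: boolean
      push:
        description: 'Push Docker Image to Registry'
        default: false
        type: boolean
      context:
        description: 'Path to Docker Build Context'
        default: '.'
        type: string
      registry:
        description: 'Docker Registry'
        default: 'docker.io'
        type: string
    secrets:
      # Both are optional because `push` defaults to false. When the caller
      # sets `push: true` it must also pass them, or the login step fails.
      username:
        required: false
      password:
        required: false

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` below references a mutable tag. Pinning
      # to a full commit SHA gives a stronger supply-chain guarantee.
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Login to Docker Hub
        if: ${{ inputs.push }}
        uses: docker/login-action@v3
        with:
          registry: ${{ inputs.registry }}
          username: ${{ secrets.username }}
          password: ${{ secrets.password }}

      - name: Run Hadolint Dockerfile linter
        if: ${{ inputs.hadolint }}
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: ${{ inputs.dockerfile }}
          output-file: hadolint.txt
          # Findings are surfaced in the PR comment below; they never fail the job.
          no-fail: true

      # Multi-arch build that only runs when pushing. For scan-only runs the
      # image is rebuilt by the tarball step below instead.
      - name: Build Docker Image
        if: ${{ inputs.push }}
        uses: docker/build-push-action@v6
        with:
          context: ${{ inputs.context }}
          file: ${{ inputs.dockerfile }}
          platforms: linux/amd64,linux/arm64
          push: ${{ inputs.push }}
          tags: ${{ inputs.image-name }}:${{ inputs.image-tag }}

      # Inputs are handed to the shell through `env` and quoted, instead of
      # being interpolated with ${{ }} straight into the script, so a crafted
      # image name, tag or path cannot inject extra shell commands.
      # Only the runner's native platform is built here, so Trivy scans that
      # variant rather than every platform pushed by the step above.
      - name: Build Docker Image as Tarball
        if: ${{ inputs.security-scan }}
        env:
          IMAGE_NAME: ${{ inputs.image-name }}
          IMAGE_TAG: ${{ inputs.image-tag }}
          DOCKERFILE: ${{ inputs.dockerfile }}
          BUILD_CONTEXT: ${{ inputs.context }}
        run: |
          set -euo pipefail
          docker build -t "${IMAGE_NAME}:${IMAGE_TAG}" -f "${DOCKERFILE}" "${BUILD_CONTEXT}"
          docker save -o vuln-image.tar "${IMAGE_NAME}:${IMAGE_TAG}"

      # Informational only: no `exit-code` is set, so CRITICAL/HIGH findings
      # are posted to the PR but do not fail the job.
      - name: Run Trivy vulnerability scanner
        if: ${{ inputs.security-scan }}
        uses: aquasecurity/trivy-action@0.29.0
        with:
          input: vuln-image.tar
          format: 'table'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          hide-progress: true
          output: trivy.txt

      - name: Update Pull Request with Security Scan Results
        uses: actions/github-script@v7
        if: github.event_name == 'pull_request' && inputs.security-scan
        with:
          script: |
            const fs = require('fs');
            // GitHub rejects comment bodies above 65536 characters; keep
            // headroom for the markdown wrapper so a long report still posts.
            const MAX_RESULT_CHARS = 60000;
            let trivyResults = fs.readFileSync('trivy.txt', 'utf8');
            if (trivyResults.length > MAX_RESULT_CHARS) {
              trivyResults = trivyResults.slice(0, MAX_RESULT_CHARS) + '\n... (truncated)';
            }
            const output = `
            ### 🔒 Trivy Security Scan Results
            <details><summary>Click to expand detailed results</summary>
            \`\`\`
            ${trivyResults}
            \`\`\`
            </details>
            `;
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            });

      - name: Update Pull Request with Hadolint Results
        uses: actions/github-script@v7
        if: github.event_name == 'pull_request' && inputs.hadolint
        with:
          script: |
            const fs = require('fs');
            // Same comment-size guard as the Trivy step.
            const MAX_RESULT_CHARS = 60000;
            let hadolintResults = fs.readFileSync('hadolint.txt', 'utf8').trim();
            if (hadolintResults.length > MAX_RESULT_CHARS) {
              hadolintResults = hadolintResults.slice(0, MAX_RESULT_CHARS) + '\n... (truncated)';
            }
            // An empty report means the Dockerfile is clean; post nothing.
            if (hadolintResults.length > 0) {
              const output = `
            ### 🐳 Hadolint Dockerfile Lint Results
            <details><summary>Click to expand</summary>
            \`\`\`
            ${hadolintResults}
            \`\`\`
            </details>
            `;
              await github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: output
              });
            }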