From 00a8365ee75cccf2f8fb970582300dc369c2bcbd Mon Sep 17 00:00:00 2001
From: Ugo
Date: Thu, 6 Mar 2025 12:25:18 +0100
Subject: [PATCH 1/4] fix(docker-build): fix types

---
 .github/workflows/docker-build.yml | 102 +++++++++++++++++++++++------
 1 file changed, 82 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 7c6393b..57a6225 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -17,17 +17,21 @@ on:
 required: true
 security-scan:
 description: 'Enable Security Scan'
- default: 'true'
+ default: true
+ type: boolean
+ hadolint:
+ description: 'Enable Hadolint'
+ default: true
 type: boolean
 push:
 description: 'Push Docker Image to Registry'
- default: 'false'
+ default: false
 type: boolean
 secrets:
 dockerhub-username:
- required: true
+ required: false
 dockerhub-pat:
- required: true
+ required: false
 jobs:
 build:
@@ -42,7 +46,23 @@ jobs:
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
+ - name: Login to Docker Hub
+ if: ${{ inputs.push }}
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.dockerhub-username }}
+ password: ${{ secrets.dockerhub-pat }}
+
+ - name: Run Hadolint Dockerfile linter
+ if: ${{ inputs.hadolint }}
+ uses: hadolint/hadolint-action@v3.1.0
+ with:
+ dockerfile: ${{ inputs.dockerfile }}
+ output-file: hadolint.txt
+ no-fail: true
+
 - name: Build Docker Image
+ if: ${{ inputs.push }}
 uses: docker/build-push-action@v6
 with:
 context: .
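Review bot: Relaxing `dockerhub-username` and `dockerhub-pat` to `required: false` leaves callers of this reusable workflow with no statement of when the secrets are actually needed, since neither entry carries a `description:`; a line such as `description: 'Docker Hub username; required when push is true'` (and the equivalent for the access token) would document the contract that the Login step in the next hunk enforces only by failing. The new `hadolint` input has the same gap: `'Enable Hadolint'` does not say that findings are reported but never fail the job, which is what `no-fail: true` in the next hunk makes true. The `workflow_call` block starts before the hunk.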
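Review bot: The new third-party action `hadolint/hadolint-action@v3.1.0` (and `aquasecurity/trivy-action@0.29.0` in the following hunk) is referenced by a mutable tag rather than a commit SHA, so the code that runs in a job holding the registry credentials can change under the same reference; pinning to a full-length SHA with the version kept in a trailing comment, `uses: hadolint/hadolint-action@<commit-sha>  # v3.1.0`, is the standard mitigation and keeps Dependabot able to track updates. `docker/login-action@v3` and `docker/build-push-action@v6` in the same hunk float on major tags and carry the same concern. Also, `no-fail: true` makes the lint purely advisory; if that is intended, a comment on that line such as `# advisory only: results are posted to the PR, never enforced` would spare the next reader a trip to the action's docs. The `steps:` list starts before the hunk.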
@@ -51,30 +71,72 @@ jobs:
 push: ${{ inputs.push }}
 tags: ${{ inputs.image-name }}:${{ inputs.image-tag }}
+ - name: Build Docker Image as Tarball
+ if: ${{ inputs.security-scan }}
+ run: |
+ docker build -t ${{ inputs.image-name }}:${{ inputs.image-tag }} -f ${{ inputs.dockerfile }} .
+ docker save -o vuln-image.tar ${{ inputs.image-name }}:${{ inputs.image-tag }}
+
 - name: Run Trivy vulnerability scanner
 if: ${{ inputs.security-scan }}
 uses: aquasecurity/trivy-action@0.29.0
 with:
- image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
+ input: vuln-image.tar
 format: 'table'
- exit-code: '1'
 ignore-unfixed: true
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH'
 hide-progress: true
 output: trivy.txt
- - name: Publish Trivy Output to Summary
- if: ${{ inputs.security-scan }}
- run: |
- if [[ -s trivy.txt ]]; then
- {
- echo "### Security Output"
- echo "
Click to expand"
- echo ""
- echo '```terraform'
- cat trivy.txt
- echo '```'
- echo "
" - } >> $GITHUB_STEP_SUMMARY - fi + - name: Update Pull Request with Security Scan Results + uses: actions/github-script@v7 + if: github.event_name == 'pull_request' && inputs.security-scan + with: + script: | + const fs = require('fs'); + const trivyResults = fs.readFileSync('trivy.txt', 'utf8'); + + const output = ` + ### 🔒 Trivy Security Scan Results +
Click to expand detailed results
+
+ \`\`\`
+ ${trivyResults}
+ \`\`\`
+
+ `;
+
+ await github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: output
+ });
+
+ - name: Update Pull Request with Hadolint Results
+ uses: actions/github-script@v7
+ if: github.event_name == 'pull_request' && inputs.hadolint
+ with:
+ script: |
+ const fs = require('fs');
+ const hadolintResults = fs.readFileSync('hadolint.txt', 'utf8').trim();
+
+ if (hadolintResults.length > 0) {
+ const output = `
+ ### 🐳 Hadolint Dockerfile Lint Results
+
Click to expand
+
+ \`\`\`
+ ${hadolintResults}
+ \`\`\`
+
+ `; + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }); + } From 0e5e2572c11ad2822ddce9ed45bfc4bd87c5c613 Mon Sep 17 00:00:00 2001 From: Ugo Date: Tue, 11 Mar 2025 16:52:02 +0100 Subject: [PATCH 2/4] feat(docker-build): add registry input and update secret names --- .github/workflows/docker-build.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 57a6225..97ebb15 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -27,10 +27,14 @@ on: description: 'Push Docker Image to Registry' default: false type: boolean + registry: + description: 'Docker Registry' + default: 'docker.io' + type: string secrets: - dockerhub-username: + username: required: false - dockerhub-pat: + password: required: false jobs: @@ -50,8 +54,9 @@ jobs: if: ${{ inputs.push }} uses: docker/login-action@v3 with: - username: ${{ secrets.dockerhub-username }} - password: ${{ secrets.dockerhub-pat }} + registry: ${{ inputs.registry }} + username: ${{ secrets.username }} + password: ${{ secrets.password }} - name: Run Hadolint Dockerfile linter if: ${{ inputs.hadolint }} From 47714b05e38ea34a647f9dcf95efeb125e0ccf3b Mon Sep 17 00:00:00 2001 From: Ugo Date: Tue, 11 Mar 2025 17:01:47 +0100 Subject: [PATCH 3/4] feat(docker-build): add context input for Docker build --- .github/workflows/docker-build.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 97ebb15..16dff97 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml 
@@ -27,6 +27,10 @@ on:
 description: 'Push Docker Image to Registry'
 default: false
 type: boolean
+ context:
+ description: 'Path to Docker Build Context'
+ default: '.'
+ type: string
 registry:
 description: 'Docker Registry'
 default: 'docker.io'
@@ -70,7 +74,7 @@ jobs:
 if: ${{ inputs.push }}
 uses: docker/build-push-action@v6
 with:
- context: .
+ context: ${{ inputs.context }}
 file: ${{ inputs.dockerfile }}
 platforms: linux/amd64,linux/arm64
 push: ${{ inputs.push }}
From 1af316863ef1f46948252dd72425627541aa0873 Mon Sep 17 00:00:00 2001
From: Ugo
Date: Tue, 11 Mar 2025 17:15:58 +0100
Subject: [PATCH 4/4] feat(docker-build): add context input to Docker build command

---
 .github/workflows/docker-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 16dff97..2f4a778 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -83,7 +83,7 @@ jobs:
 - name: Build Docker Image as Tarball
 if: ${{ inputs.security-scan }}
 run: |
- docker build -t ${{ inputs.image-name }}:${{ inputs.image-tag }} -f ${{ inputs.dockerfile }} .
+ docker build -t ${{ inputs.image-name }}:${{ inputs.image-tag }} -f ${{ inputs.dockerfile }} ${{ inputs.context }}
 docker save -o vuln-image.tar ${{ inputs.image-name }}:${{ inputs.image-tag }}
 - name: Run Trivy vulnerability scanner
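Review bot: The rewritten `docker build` line now splices four `workflow_call` inputs (`image-name`, `image-tag`, `dockerfile`, `context`) straight into a `run:` script; `${{ }}` is expanded before the shell parses the line, so whatever a caller passes is interpreted as shell syntax, and callers commonly derive `image-tag` from branch or PR metadata. Passing the values through `env:` and quoting them in the script keeps the same behavior for well-formed inputs while taking caller data out of the shell parser; the same rewrite applies to the original form of this step in the first patch. The step is complete within the hunk.
```yaml
      - name: Build Docker Image as Tarball
        if: ${{ inputs.security-scan }}
        env:
          IMAGE_REF: ${{ inputs.image-name }}:${{ inputs.image-tag }}
          DOCKERFILE: ${{ inputs.dockerfile }}
          BUILD_CONTEXT: ${{ inputs.context }}
        run: |
          docker build -t "$IMAGE_REF" -f "$DOCKERFILE" "$BUILD_CONTEXT"
          docker save -o vuln-image.tar "$IMAGE_REF"
      # … unchanged: Run Trivy vulnerability scanner step …
```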