From b22ff4f8f79885d9f7d48efcf2c3b62e4ed9945a Mon Sep 17 00:00:00 2001 From: Ugo Mignon Date: Fri, 25 Apr 2025 15:16:52 +0200 Subject: [PATCH 1/6] feat(docker-build): enhance reporting --- .github/workflows/docker-build.yml | 105 +++++++++++++++-------------- 1 file changed, 55 insertions(+), 50 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 791e0ba..52ed833 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -66,14 +66,6 @@ jobs: username: ${{ secrets.username }} password: ${{ secrets.password }} - - name: Run Hadolint Dockerfile linter - if: ${{ inputs.hadolint }} - uses: hadolint/hadolint-action@v3.1.0 - with: - dockerfile: ${{ inputs.dockerfile }} - output-file: hadolint.txt - no-fail: true - - name: Build Docker Image if: ${{ inputs.push }} uses: docker/build-push-action@v6 @@ -91,6 +83,7 @@ jobs: docker save -o vuln-image.tar ${{ inputs.image-name }}:${{ inputs.image-tag }} - name: Run Trivy vulnerability scanner + id: trivy if: ${{ inputs.security-scan }} uses: aquasecurity/trivy-action@0.29.0 with: 
@@ -102,29 +95,32 @@ jobs: hide-progress: true output: trivy.txt - - name: Update Pull Request with Security Scan Results - uses: actions/github-script@v7 + - name: Find existing Trivy comment + if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'comment' + id: find_trivy + uses: peter-evans/find-comment@v3 + with: + issue-number: ${{ github.event.pull_request.number }} + comment-author: 'github-actions[bot]' + body-includes: 'Trivy Security Scan Results' + + - name: Create or update Trivy comment if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'comment' + uses: peter-evans/create-or-update-comment@v4 with: - script: | - const fs = require('fs'); - const trivyResults = fs.readFileSync('trivy.txt', 'utf8'); - - const output = ` + token: ${{ secrets.GITHUB_TOKEN }} + issue-number: ${{ github.event.pull_request.number }} + comment-id: ${{ steps.find_trivy.outputs.comment-id }} + edit-mode: replace + body: | + ### 🔒 Trivy Security Scan Results
Click to expand detailed results - - \`\`\` - ${trivyResults} - \`\`\` + + ```bash + ${{ steps.trivy.outputs.report }} + ```
- `; - - await github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output }); - name: Upload Trivy scan results to GitHub Security tab @@ -133,29 +129,38 @@ jobs: with: sarif_file: 'trivy-results.sarif' - - name: Update Pull Request with Hadolint Results - uses: actions/github-script@v7 + - name: Run Hadolint Dockerfile linter + id: hadolint + if: ${{ inputs.hadolint }} + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ inputs.dockerfile }} + output-file: hadolint.txt + no-fail: true + + - name: Find existing Hadolint comment + if: github.event_name == 'pull_request' && inputs.hadolint + id: find_hadolint + uses: peter-evans/find-comment@v3 + with: + issue-number: ${{ github.event.pull_request.number }} + comment-author: 'github-actions[bot]' + body-includes: 'Hadolint Dockerfile Lint Results' + + - name: Create or update Hadolint comment if: github.event_name == 'pull_request' && inputs.hadolint + uses: peter-evans/create-or-update-comment@v4 with: - script: | - const fs = require('fs'); - const hadolintResults = fs.readFileSync('hadolint.txt', 'utf8').trim(); - - if (hadolintResults.length > 0) { - const output = ` - ### 🐳 Hadolint Dockerfile Lint Results -
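Review bot: The two actions this hunk introduces, `peter-evans/find-comment@v3` and `peter-evans/create-or-update-comment@v4`, are referenced by mutable major-version tags even though the second one receives `secrets.GITHUB_TOKEN` and writes to the pull request; pinning to a full-length commit SHA, e.g. `uses: peter-evans/create-or-update-comment@<full-commit-sha>  # v4`, keeps a moved tag from changing the code that runs with that token. The same applies to the Hadolint steps in the next hunk (@@ -133). The job's `permissions:` block is outside the hunk; the comment step needs `pull-requests: write`, and on `pull_request` runs from forks the token is read-only, so the step will presumably fail there rather than post. The `});` that survives as a context line between the closing fence and the next step is still inside the `body: |` scalar, so it is posted verbatim (patch 2/6 removes it). I also can't confirm that trivy-action@0.29.0 publishes a `report` output for `${{ steps.trivy.outputs.report }}`; the report is written to `trivy.txt` via `output:`, which is what patch 3/6 ends up reading.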
Click to expand - - \`\`\` - ${hadolintResults} - \`\`\` -
- `; - - await github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output - }); - } + token: ${{ secrets.GITHUB_TOKEN }} + issue-number: ${{ github.event.pull_request.number }} + comment-id: ${{ steps.find_hadolint.outputs.comment-id }} + edit-mode: replace + body: | + + ### 🐳 Hadolint Dockerfile Lint Results +
Click to expand + + ```bash + ${{ steps.hadolint.outputs.report }} + ``` +
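Review bot: The new comment step interpolates `${{ steps.hadolint.outputs.report }}`, but I can't confirm hadolint-action@v3.1.0 exposes a `report` output; with `output-file: hadolint.txt` the results go to that file, so the expression likely renders empty and the comment would carry an empty code block (patch 4/6 switches to reading the file). The removed script only commented when `hadolintResults.length > 0`; the new `if: github.event_name == 'pull_request' && inputs.hadolint` drops that guard, so a clean Dockerfile now still gets a comment (patch 2/6 adds a `!= ''` check, but on the same unconfirmed output). Moving the lint step after the image build and the Trivy scan also means a Dockerfile problem is reported last and after the expensive steps; running Hadolint before `Build Docker Image`, as the original layout did, gives earlier feedback at no cost. The leading blank line added right after `body: |` becomes the first line of the posted comment and can be dropped.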
From fbacaeb2ca8d69f5d87221ab63e1e68b77a6e38d Mon Sep 17 00:00:00 2001 From: Ugo Mignon Date: Fri, 25 Apr 2025 17:48:33 +0200 Subject: [PATCH 2/6] fix(docker-build): refine conditions for Hadolint comment creation --- .github/workflows/docker-build.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 52ed833..bfd3164 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -121,7 +121,6 @@ jobs: ${{ steps.trivy.outputs.report }} ``` - }); - name: Upload Trivy scan results to GitHub Security tab if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'sarif' @@ -148,7 +147,7 @@ jobs: body-includes: 'Hadolint Dockerfile Lint Results' - name: Create or update Hadolint comment - if: github.event_name == 'pull_request' && inputs.hadolint + if: github.event_name == 'pull_request' && inputs.hadolint && steps.hadolint.outputs.report != '' uses: peter-evans/create-or-update-comment@v4 with: token: ${{ secrets.GITHUB_TOKEN }} From 063c59366713b5a6b2571f6dffd0161d2de910e1 Mon Sep 17 00:00:00 2001 From: Ugo Mignon Date: Sun, 27 Apr 2025 23:15:22 +0200 Subject: [PATCH 3/6] feat(docker-build): add step to read Trivy report for pull request comments --- .github/workflows/docker-build.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index bfd3164..413ab3d 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml 
@@ -95,6 +95,14 @@ jobs: hide-progress: true output: trivy.txt + - name: Read Trivy report file + id: read_trivy + if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'comment' + run: | + echo "report<> "$GITHUB_OUTPUT" + cat trivy.txt >> "$GITHUB_OUTPUT" + echo "EOF" >> "$GITHUB_OUTPUT" + - name: Find existing Trivy comment if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'comment' id: find_trivy @@ -118,7 +126,7 @@ jobs:
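Review bot: The heredoc written to `$GITHUB_OUTPUT` (rendered here as `report<>`, evidently `report<<EOF` given the closing `echo "EOF"`) uses a fixed delimiter, so any report line equal to `EOF` closes the value early and the remaining lines are parsed as further `name=value` outputs; the report's lines come from the scanned image (package names, versions, advisory text), not from the workflow author, so use a per-run delimiter as GitHub's own docs recommend: `delim="$(openssl rand -hex 8)"`, `echo "report<<$delim" >> "$GITHUB_OUTPUT"`, `echo "$delim" >> "$GITHUB_OUTPUT"`. The same pattern is repeated for Hadolint in patch 4/6 (@@ -145) and patch 5/6 (@@ -153). If `trivy.txt` does not end with a newline, the closing delimiter is appended to its last line and the runner will presumably reject the output as unterminated, so add `printf '\n' >> "$GITHUB_OUTPUT"` after the `cat`. I'd also expect a full Trivy table to approach the size limits of both `$GITHUB_OUTPUT` and a PR comment body; truncating the file before writing it would keep the step from failing on large images.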
Click to expand detailed results ```bash - ${{ steps.trivy.outputs.report }} + ${{ steps.read_trivy.outputs.report }} ```
From 6036cf821491638c4c47aa2231d2c280f1582560 Mon Sep 17 00:00:00 2001 From: Ugo Mignon Date: Mon, 28 Apr 2025 06:55:11 +0200 Subject: [PATCH 4/6] fix(docker-build): update Hadolint comment creation to read report from file --- .github/workflows/docker-build.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 413ab3d..35ca71f 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -145,6 +145,14 @@ jobs: output-file: hadolint.txt no-fail: true + - name: Read Hadolint report file + id: read_hadolint + if: ${{ inputs.hadolint }} + run: | + echo "report<> "$GITHUB_OUTPUT" + cat hadolint.txt >> "$GITHUB_OUTPUT" + echo "EOF" >> "$GITHUB_OUTPUT" + - name: Find existing Hadolint comment if: github.event_name == 'pull_request' && inputs.hadolint id: find_hadolint @@ -155,7 +163,7 @@ jobs: body-includes: 'Hadolint Dockerfile Lint Results' - name: Create or update Hadolint comment - if: github.event_name == 'pull_request' && inputs.hadolint && steps.hadolint.outputs.report != '' + if: github.event_name == 'pull_request' && inputs.hadolint && steps.read_hadolint.outputs.report != '' uses: peter-evans/create-or-update-comment@v4 with: token: ${{ secrets.GITHUB_TOKEN }} @@ -165,9 +173,9 @@ jobs: body: | ### 🐳 Hadolint Dockerfile Lint Results -
Click to expand +
Click to expand detailed results ```bash - ${{ steps.hadolint.outputs.report }} + ${{ steps.read_hadolint.outputs.report }} ```
From eb92e6dac6a0c0fec862163cf588f82264d31675 Mon Sep 17 00:00:00 2001 From: Ugo Mignon Date: Mon, 28 Apr 2025 07:14:32 +0200 Subject: [PATCH 5/6] fix(docker-build): improve Hadolint comment handling by adding report reading step --- .github/workflows/docker-build.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 35ca71f..0a027f6 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -153,9 +153,17 @@ jobs: cat hadolint.txt >> "$GITHUB_OUTPUT" echo "EOF" >> "$GITHUB_OUTPUT" + - name: Read Hadolint report file + id: read_hadolint + if: ${{ inputs.hadolint }} + run: | + echo "report<> "$GITHUB_OUTPUT" + cat hadolint.txt >> "$GITHUB_OUTPUT" + echo "EOF" >> "$GITHUB_OUTPUT" + - name: Find existing Hadolint comment - if: github.event_name == 'pull_request' && inputs.hadolint id: find_hadolint + if: ${{ inputs.hadolint }} uses: peter-evans/find-comment@v3 with: issue-number: ${{ github.event.pull_request.number }} @@ -163,7 +171,7 @@ jobs: body-includes: 'Hadolint Dockerfile Lint Results' - name: Create or update Hadolint comment - if: github.event_name == 'pull_request' && inputs.hadolint && steps.read_hadolint.outputs.report != '' + if: ${{ inputs.hadolint && steps.read_hadolint.outputs.report != '' }} uses: peter-evans/create-or-update-comment@v4 with: token: ${{ secrets.GITHUB_TOKEN }} From bde6feb5526470813bcb2cb605bfbbaebc0b0b49 Mon Sep 17 00:00:00 2001 From: Ugo Mignon Date: Mon, 28 Apr 2025 07:19:02 +0200 Subject: [PATCH 6/6] fix(docker-build): remove redundant Hadolint report reading step --- .github/workflows/docker-build.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 0a027f6..aa0d1ff 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml 
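Review bot: Both conditions in this patch drop the `github.event_name == 'pull_request'` guard — `if: ${{ inputs.hadolint }}` on the find step in the first hunk and `if: ${{ inputs.hadolint && steps.read_hadolint.outputs.report != '' }}` on the comment step in the second — so on any non-PR trigger of the caller these steps now run with `issue-number: ${{ github.event.pull_request.number }}` empty and will presumably fail, while the Trivy counterparts keep the guard. Keeping the event check in the `${{ }}` form, `if: ${{ github.event_name == 'pull_request' && inputs.hadolint }}` and `if: ${{ github.event_name == 'pull_request' && inputs.hadolint && steps.read_hadolint.outputs.report != '' }}`, preserves the previous behaviour. The first hunk also adds a second `Read Hadolint report file` step with the same `id: read_hadolint` as the one visible in the context lines above it; duplicate step ids are rejected at workflow validation, and patch 6/6 removes the copy.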
@@ -153,14 +153,6 @@ jobs: cat hadolint.txt >> "$GITHUB_OUTPUT" echo "EOF" >> "$GITHUB_OUTPUT" - - name: Read Hadolint report file - id: read_hadolint - if: ${{ inputs.hadolint }} - run: | - echo "report<> "$GITHUB_OUTPUT" - cat hadolint.txt >> "$GITHUB_OUTPUT" - echo "EOF" >> "$GITHUB_OUTPUT" - - name: Find existing Hadolint comment id: find_hadolint if: ${{ inputs.hadolint }}