Skip to content

Docker

Docker #281

Workflow file for this run

# Copyright 2022 Goldman Sachs
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Docker
on:
schedule:
- cron: "0 0 * * 2" # every Tuesday on default/base branch
push:
branches:
- master
paths:
- "**/Dockerfile"
pull_request:
paths:
- "**/Dockerfile"
workflow_dispatch: {}
jobs:
release:
name: Run Image Checks
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
module: [legend-depot-server, legend-depot-store-server]
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build simplified Docker image for checks
# NOTE: if this gets more complicated, consider having this as a bash script
run: mkdir -p ./${{ matrix.module }}/target && touch ./${{ matrix.module }}/target/${{ matrix.module }}-dummy.jar && docker build --quiet --tag local/${{ matrix.module }}:${{ github.sha }} ./${{ matrix.module }}
- name: Scan image for security issues
uses: aquasecurity/[email protected]
with:
# TODO: we should probably also setup misconfiguration scanning
# See https://github.com/aquasecurity/trivy-action#using-trivy-to-scan-infrastucture-as-code
scan-type: image
image-ref: local/${{ matrix.module }}:${{ github.sha }}
format: table
exit-code: 1
# Ignore unpatched/unfixed vulnerabilities/CVEs
ignore-unfixed: true
severity: CRITICAL
# Manually increase timeout as the default 2-minute is not enough
# See https://github.com/aquasecurity/trivy/issues/802
timeout: 10m