
Feature/integrate docker scout with git hub actions #564

sinadarbouy
Collaborator

@sinadarbouy sinadarbouy commented Jun 7, 2024

Ticket(s)

Closes #510

Description

This PR introduces a new GitHub Actions workflow titled "Vulnerability Comparison." The workflow is designed to build a Docker image for each pull request and perform a vulnerability comparison using Docker Scout.
Additionally, this PR upgrades the Git version from 2.45.1-r0 to 2.45.2-r0 in the Dockerfile.

Git Version Upgrade

The Git version has been upgraded from 2.45.1-r0 to 2.45.2-r0. The previous version 2.45.1-r0 was not available in golang:1.22-alpine3.20, necessitating this upgrade.

Workflow Details

  • Trigger: Runs on every pull request to any branch.
  • Environment Variables:
    • IMAGE_NAME: The name of the Docker image repository (derived from the GitHub repository).
    • SHA: The SHA of the commit to build the Docker image from.
  • Jobs:
    • vulnerability-comparison:
      • Runs on: ubuntu-latest
      • Permissions: Write access to pull requests
      • Steps:
        1. Checkout code: Checks out the code at the pull request's commit SHA.
        2. Set short SHA: Extracts a short version of the commit SHA for tagging the Docker image.
        3. Set up Docker Buildx: Prepares the environment for building Docker images using Buildx.
        4. Authenticate to Docker: Logs into Docker using credentials stored in GitHub Secrets.
        5. Build and push Docker image: Builds the Docker image and loads it.
        6. Docker Scout Security Analysis: Compares the newly built image with the latest image on Docker Hub and reports vulnerabilities.

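For reference, here is a workflow that implements the steps listed in the description. This is an added example, not the file from this PR; the action versions, the Scout action inputs and the `latest` tag used as the comparison baseline are assumptions.

```yaml
# Added example (not the PR's own workflow file); action versions and inputs are assumed.
name: Vulnerability Comparison
on:
  pull_request:
env:
  # Image repository derived from the GitHub repository, e.g. owner/repo
  IMAGE_NAME: ${{ github.repository }}
  # Build the PR head commit, not the synthetic merge commit
  SHA: ${{ github.event.pull_request.head.sha }}
jobs:
  vulnerability-comparison:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # required by checkout once permissions are restricted
      pull-requests: write    # lets Scout post the comparison as a PR comment
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          ref: ${{ env.SHA }}
      - name: Set short SHA
        id: short-sha
        run: echo "sha=$(echo "$SHA" | cut -c1-7)" >> "$GITHUB_OUTPUT"
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Authenticate to Docker
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false   # the PR image is only loaded into the local daemon
          load: true
          tags: ${{ env.IMAGE_NAME }}:${{ steps.short-sha.outputs.sha }}
      - name: Docker Scout Security Analysis
        uses: docker/scout-action@v1
        with:
          command: compare
          image: ${{ env.IMAGE_NAME }}:${{ steps.short-sha.outputs.sha }}
          to: ${{ env.IMAGE_NAME }}:latest   # assumed baseline: published image on Docker Hub
          ignore-unchanged: true
          only-severities: critical,high
          write-comment: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
          dockerhub-user: ${{ secrets.DOCKERHUB_USERNAME }}
          dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN }}
```

On `pull_request` events from forks GitHub does not expose repository secrets, so the login and Scout steps only succeed for branches in the same repository. Switching the trigger to `pull_request_target` would run untrusted PR code with access to those secrets, so the restriction is worth keeping.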
added Docker Scout step

set correct secrets for DOCKERHUB
--(2.45.1-r0) is not available in the Alpine repositories, and a newer version (2.45.2-r0) is available instead
@sinadarbouy sinadarbouy force-pushed the feature/integrate_docker_scout_with_gitHub_actions branch from 967b1a5 to 170435f on June 7, 2024 15:19
@sinadarbouy
Collaborator Author

Docker Scout needs to authenticate with Docker Hub. The current step uses DOCKERHUB_USERNAME and DOCKERHUB_TOKEN, which I got from the release workflow, but it seems the vulnerability comparison workflow cannot access these secrets. @mostafa

@mostafa mostafa force-pushed the feature/integrate_docker_scout_with_gitHub_actions branch from 95f2eb7 to 170435f on June 7, 2024 21:26
Member

@mostafa mostafa left a comment

@sinadarbouy

Thanks for your contribution! 🙏

@mostafa mostafa merged commit 1a86b96 into gatewayd-io:main Jun 8, 2024
2 of 3 checks passed
Development

Successfully merging this pull request may close these issues.

Use Docker Scout in CI/CD workflows