fix: publish docker github action #34
name: Vulnerability scans Workflow | |
on: | |
# WARN: secrets not available from pull_request forks | |
push: | |
branches: | |
# - "app-start-test" | |
- "dev" | |
- "next" | |
# schedule: | |
# # - cron: "0 0 * * 0" # every Sunday at midnight | |
# - cron: "0 0 * * *" # every day at midnight | |
workflow_dispatch: {} | |
jobs: | |
build-linux: | |
env: | |
# required for local testing without risking pulling the wrong image | |
TEST_TAG: gipo999/tomcat-webapp-boilerplate:test | |
permissions: | |
security-events: write | |
packages: read | |
issues: write | |
actions: read | |
contents: read | |
if: github.event.pull_request.draft == false | |
name: Vulnerability scans Job | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources Step | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
- name: Setup CI environment | |
uses: ./.github/actions/ci-setup | |
# run the gradle check and build tasks | |
- name: Build with Gradle Wrapper Step | |
# buildWar runs check, test, war tasks | |
# at this point we won't know if the app will run in a container | |
run: ./gradlew buildWar | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
- name: Setup DOCKER environment | |
uses: ./.github/actions/docker-setup | |
# test the docker image | |
- name: Build, run and health check container | |
uses: ./.github/actions/build-run-testcontainer | |
with: | |
docker_tag: ${{ env.TEST_TAG }} | |
port_maps: "8080:8080" | |
load: true | |
push: false | |
# attack | |
- name: Attack container CI | |
uses: ./.github/actions/attack | |
# if: github.event_name == 'push' | |
with: | |
docker_tag: ${{ env.TEST_TAG }} | |
pat: ${{ secrets.PAT }} | |
snyk_token: ${{ secrets.SNYK_TOKEN }} | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
# | |
# NOTE: for now, code security reports are difficult as we | |
# require parsing of all outputs and conversion to sarif | |
# this for every tool that doesn't have it builtin | |
# | |
- name: create all folders | |
run: | | |
mkdir -p ./docs/gh-pages/zap | |
mkdir -p ./docs/gh-pages/nmap | |
mkdir -p ./docs/gh-pages/wapiti | |
mkdir -p ./docs/gh-pages/snyk-container | |
- name: add links to docs/gh-pages/index.html | |
run: | | |
echo "<a href='/tomcat-webapp-boilerplate/zap/report_html.html'>ZAP Report</a>" >> ./docs/gh-pages/index.html | |
echo "<a href='/tomcat-webapp-boilerplate/zap/report_json.json'>ZAP Report json</a>" >> ./docs/gh-pages/index.html | |
echo "<a href='/tomcat-webapp-boilerplate/wapiti/report.html'>Wapiti Report</a>" >> ./docs/gh-pages/index.html | |
echo "<a href='/tomcat-webapp-boilerplate/snyk-container/snyk-container.json'>Snyk Container Report</a>" >> ./docs/gh-pages/index.html | |
echo "<a href='/tomcat-webapp-boilerplate/nmap/vulner-output.log'>Nmap Vulnerabilities Report</a>" >> ./docs/gh-pages/index.html | |
echo "<a href='/tomcat-webapp-boilerplate/nmap/direct-output.log'>Nmap Direct Report</a>" >> ./docs/gh-pages/index.html | |
echo "<a href='/tomcat-webapp-boilerplate/nmap/vulscan-output.log'>Nmap Vulscan Report</a>" >> ./docs/gh-pages/index.html | |
# | |
# Copy zap report to docs/gh-pages/zap | |
- name: Copy zap report to docs/gh-pages/zap | |
run: mv ./report_html.html ./docs/gh-pages/zap/report_html.html | |
- name: Copy zap report to docs/gh-pages/zap | |
run: mv ./report_json.json ./docs/gh-pages/zap/report_json.json | |
- name: Copy snyk-container.sarif report to docs/gh-pages/snyk-container | |
run: mv ./snyk-container.sarif ./docs/gh-pages/snyk-container/snyk-container.json | |
- name: Copy nmap report to docs/gh-pages/nmap | |
# requires sudo as docker container creating those files runs as root | |
run: | | |
sudo mv ./nmap-reports/vulner/vulner-output.log ./docs/gh-pages/nmap/vulner-output.log | |
sudo mv ./nmap-reports/direct/direct-output.log ./docs/gh-pages/nmap/direct-output.log | |
sudo mv ./nmap-reports/vulscan/vulscan-output.log ./docs/gh-pages/nmap/vulscan-output.log | |
# | |
# post all results to github pages | |
- name: Deploy to GitHub Pages | |
uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 | |
if: github.ref == 'refs/heads/dev' | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
publish_dir: ./docs/gh-pages | |
# we don't care about windows for this app since it only runs on linux | |
# | |
# we don't care about windows for this app since it only runs on linux |
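Review bot: The "Deploy to GitHub Pages" step pushes the pages branch with `github_token: ${{ secrets.GITHUB_TOKEN }}`, but the job-level `permissions` block replaces the token's default scopes and grants only `contents: read`, so that push is likely to be rejected on `dev`; the least-privilege fix is to move the deploy into its own job with `contents: write` and keep the build and attack steps read-only, or, if it stays in this job, change the entry to `contents: write`. The job guard `if: github.event.pull_request.draft == false` is dead here, because the workflow is triggered only by `push` and `workflow_dispatch` and no `pull_request` payload ever populates that field; drop it or replace it with a comment stating the intended gate. The two steps named "Copy zap report to docs/gh-pages/zap" share a name and would read better as one `run: |` block, and the closing comment on the last line repeats the one two lines above it.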