Support container image vulnerability scanning on CI #320

Merged
4 commits merged on Dec 8, 2023
48 changes: 48 additions & 0 deletions .github/actions/prepare-docker-image/action.yml
@@ -0,0 +1,48 @@
name: Prepare Docker Image
description: Prepare Docker Image for CI
inputs:
docker_image_tag_ci:
description: Docker Image Tag for CI
required: true

runs:
using: composite
steps:
- uses: actions/checkout@v4
- name: Prepare for ci
shell: bash
id: prepare-for-ci
run: |
echo "WWWUSER=$(id -u)" >> $GITHUB_ENV
echo "WWWUSER=$(id -u)" >> $GITHUB_OUTPUT
echo "WWWGROUP=$(id -g)" >> $GITHUB_ENV
echo "WWWGROUP=$(id -g)" >> $GITHUB_OUTPUT
- name: Cache Docker Registry
uses: actions/cache@v3
with:
path: /tmp/docker-registry
key: docker-registry-${{ github.ref }}-${{ github.sha }}
restore-keys: |
docker-registry-${{ github.ref }}
docker-registry-
- name: Boot-up Local Docker Registry
shell: bash
run: docker run -d -p 5000:5000 --restart=always --name registry -v /tmp/docker-registry:/var/lib/registry registry:2
- name: Wait for Docker Registry
shell: bash
run: npx wait-on tcp:5000
- name: Get Docker Image Tag
shell: bash
env:
TAG: ${{ inputs.docker_image_tag_ci }}
run: |
echo "DOCKER_IMAGE_TAG_CI=$TAG" >> $GITHUB_ENV
echo TAG $TAG
- name: Docker Compose Pull
shell: bash
run: |
docker pull localhost:5000/jetdisc-ci:${{ inputs.docker_image_tag_ci }}
# - name: List docker images in registry
# shell: bash
# run: |
# curl -X GET http://localhost:5000/v2/_catalog
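Review bot: the `Prepare for ci` step writes WWWUSER and WWWGROUP to `$GITHUB_OUTPUT` under `id: prepare-for-ci`, but the composite action declares no `outputs:` block, so a caller cannot read them; either add `outputs:` entries mapped to `steps.prepare-for-ci.outputs.*` or drop the two `$GITHUB_OUTPUT` lines and keep only `$GITHUB_ENV`. The step named `Docker Compose Pull` runs a plain `docker pull`, so rename it, and the commented-out `List docker images in registry` block at the end should be deleted rather than merged as dead config. Minor: `--restart=always` on a registry container that lives only for the job has no useful effect, and `registry:2` is a floating tag; pin it to a specific version or digest so the CI registry is reproducible.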
4 changes: 3 additions & 1 deletion .github/workflows/cd-for-main.yml
Expand Up @@ -27,10 +27,12 @@ jobs:
echo "JETDISC_VERSION=$(cat package.json | jq -r '.version')" >> $GITHUB_ENV
- name: Check Docker Hub
id: check_docker_hub
# NOTE: 実験用にすでに存在しててもOUTPUT吐き出す
run: |
DOCKER_HUB_TAGS=$(curl -s ${{ env.DOCKER_TAG_API_URI }} | jq -r '.results[] | .name')
if echo "$DOCKER_HUB_TAGS" | grep -q "^$JETDISC_VERSION$"; then
echo "Tag $JETDISC_VERSION already exists on Docker Hub."
echo "JETDISC_VERSION=$JETDISC_VERSION" >> $GITHUB_OUTPUT
else
echo "Tag $JETDISC_VERSION does not exist on Docker Hub."
echo "tag_exists=false" >> $GITHUB_OUTPUT
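Review bot: in this hunk `JETDISC_VERSION` is written to `$GITHUB_OUTPUT` only in the tag-already-exists branch; unless the `else` branch further down also writes it, `needs.Prepare.outputs.JETDISC_VERSION` is empty precisely when a new build is wanted, so please confirm both branches emit it. The `# NOTE: 実験用に...` comment marks the change as experimental; together with the guard commented out in the next hunk it means an existing Docker Hub tag is re-pushed, which should not ship to main as-is. Also, `curl -s` without `-f` turns an API error (non-2xx, rate limit) into an empty `DOCKER_HUB_TAGS`, which `grep -q` then reports as "tag does not exist" and triggers a push; add `-f` (or check the exit status) so a failed lookup fails the job, and if `DOCKER_TAG_API_URI` is the paginated Hub tags endpoint, a tag beyond the first page of `results` would be reported as missing too.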
Expand All @@ -48,7 +50,7 @@ jobs:
Build-and-Push-to-Docker-Hub:
needs:
- Prepare
if: ${{ needs.Prepare.outputs.tag_exists == 'false' }}
# if: ${{ needs.Prepare.outputs.tag_exists == 'false' }}
with:
JETDISC_VERSION: ${{ needs.Prepare.outputs.JETDISC_VERSION }}
IMAGE_REPOSITORY: na2na
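Review bot: commenting out `if: ${{ needs.Prepare.outputs.tag_exists == 'false' }}` removes the only guard against re-pushing a version tag that already exists on Docker Hub, so every run on main overwrites the published image for the current `package.json` version and consumers who already pulled that tag get silently different content on their next pull. If this is temporary for the experiment noted in the previous hunk, restore the condition before merging, or make the override an explicit `workflow_dispatch` input rather than a commented-out line.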
9 changes: 9 additions & 0 deletions .github/workflows/cd-for-pr.yml
Expand Up @@ -44,3 +44,12 @@ jobs:
uses: ./.github/workflows/ci.yml
secrets: inherit
needs: prepare
image-build-for-ci:
uses: ./.github/workflows/image-build.yml
secrets: inherit
image-scan:
uses: ./.github/workflows/image-scan.yml
secrets: inherit
needs: image-build-for-ci
with:
docker_image_tag_ci: ${{ needs.image-build-for-ci.outputs.docker_image_tag_ci }}
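Review bot: `image-scan` is called with `secrets: inherit` while `image-scan.yml` in this PR declares `secrets: {}`, so one of the two is misleading; since the scan job only pulls from the runner-local registry, drop `secrets: inherit` here so the reusable workflow receives no repository secrets it does not declare. `image-build-for-ci` has no `needs:`, so it runs in parallel with `prepare` rather than after it; if that is intended, a short comment saves the next reader a question, and if it is not, add `needs: prepare` as the `ci` job above does.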
59 changes: 59 additions & 0 deletions .github/workflows/image-build.yml
@@ -0,0 +1,59 @@
name: Image build
on:
workflow_call:
outputs:
docker_image_tag_ci:
description: Docker image tag for CI
value: ${{ jobs.image-build.outputs.docker_image_tag_ci }}
workflow_dispatch:

jobs:
image-build:
runs-on:
- ubuntu-latest
outputs:
docker_image_tag_ci: ${{ steps.generate_docker_image_tag.outputs.docker_image_tag_ci }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Cache Docker Build Cache
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: docker-build-cache-${{ github.ref }}-${{ github.sha }}
restore-keys: |
docker-build-cache-${{ github.ref }}
docker-build-cache-
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: network=host
- name: Generate Docker Image Tag
id: generate_docker_image_tag
run: |
SHA=${{ github.sha }}
TAG=$(TZ=UTC-9 date '+%Y%m')-${SHA:0:7}
echo "DOCKER_IMAGE_TAG_CI=$TAG" >> $GITHUB_ENV
echo TAG $TAG
echo "docker_image_tag_ci=$TAG" >> $GITHUB_OUTPUT
- name: Cache Docker Registry
uses: actions/cache@v3
with:
path: /tmp/docker-registry
key: docker-registry-${{ github.ref }}-${{ github.sha }}
restore-keys: |
docker-registry-${{ github.ref }}
docker-registry-
- name: Boot-up Local Docker Registry
run: docker run -d -p 5000:5000 --restart=always --name registry -v /tmp/docker-registry:/var/lib/registry registry:2
- name: Wait for Docker Registry
run: npx wait-on tcp:5000
- name: Build Docker Image
run: |
docker buildx bake \
-f 'infra/docker/image-bake.hcl' \
--builder="${{ steps.buildx.outputs.name }}" \
--set='app.tags=localhost:5000/jetdisc-ci:${{ steps.generate_docker_image_tag.outputs.docker_image_tag_ci }}' \
--set='app.platform=linux/amd64' \
--push
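Review bot: the `Cache Docker Build Cache` step restores and saves `/tmp/.buildx-cache`, but the `docker buildx bake` command never points a cache exporter at that path, so the directory is never populated and the step is dead weight; either wire it with `--set 'app.cache-from=type=local,src=/tmp/.buildx-cache'` and `--set 'app.cache-to=type=local,dest=/tmp/.buildx-cache,mode=max'` or remove the step. `TZ=UTC-9` deserves a comment: in POSIX TZ syntax it means UTC+9 (JST), which is presumably intended but reads as the opposite. Both cache keys end in `${{ github.sha }}`, so every run misses the exact key and saves a fresh entry; for `/tmp/docker-registry` that is a full image per commit, which will hit the repository cache limit quickly, so consider keying the registry cache on something coarser. As in the composite action, `registry:2` should be pinned to a version or digest.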
31 changes: 31 additions & 0 deletions .github/workflows/image-scan.yml
@@ -0,0 +1,31 @@
name: Image Scan
on:
workflow_call:
inputs:
docker_image_tag_ci:
required: true
type: string
secrets: {}

env:
COMPOSE_FILE: compose.ci.yml

jobs:
build:
name: Image Scan
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Prepare Docker Image
uses: ./.github/actions/prepare-docker-image
with:
docker_image_tag_ci: ${{ inputs.DOCKER_IMAGE_TAG_CI }}
- name: Container Scan
uses: aquasecurity/trivy-action@master
with:
image-ref: "localhost:5000/jetdisc-ci:${{ inputs.DOCKER_IMAGE_TAG_CI }}"
format: "table"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
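Review bot: `aquasecurity/trivy-action@master` runs whatever that action's default branch holds at the time of the job, so the security gate itself is an unpinned third-party dependency; pin it to a release tag or, better, a full commit SHA so it cannot change or be tampered with underneath the CI. The input is declared as `docker_image_tag_ci` but referenced as `inputs.DOCKER_IMAGE_TAG_CI` in two places; expression property lookup is case-insensitive so this most likely works, but use the declared name so the reference matches the definition. `env: COMPOSE_FILE` is not used by any step in this file, and the job is named `build` although it only scans; rename it to match `name: Image Scan`. `ignore-unfixed: true` is a reasonable noise filter, but it hides CRITICAL and HIGH findings that have no upstream fix yet, so record that as a deliberate choice in a comment.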