This repository has been archived by the owner on Sep 27, 2024. It is now read-only.

Building Omnibus Image: Use the prebuilt semgrep-core binary from the official docker image. #18

Workflow file for this run

.github/workflows/image-delivery.yml at 40c3f32

	name: Build and Test Omnibus
	run-name: "Building Omnibus Image: ${{ github.event.head_commit.message }}"
	on:
	push:
	branches:
	- "**"

	jobs:
	delivery:
	runs-on: ubuntu-latest
	outputs:
	IMAGE_NAME: ghcr.io/cms-enterprise/batcave/omnibus:${{steps.vars.outputs.tag_name}}
	steps:
	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- uses: actions/checkout@v4

	- name: Set outputs
	id: vars
	run: \|
	echo "tag_name=${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
	if [[ $GITHUB_REF == refs/tags/v* ]]; then
	echo "tag_name=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
	fi
	echo "VERSION=$(git describe --tags)" >> $GITHUB_ENV
	echo "GIT_COMMIT=$(git rev-parse HEAD)" >> $GITHUB_ENV
	echo "GIT_DESCRIPTION=$(git log -1 --pretty=%B \| head -n 1)" >> $GITHUB_ENV

	- name: Build and push
	uses: docker/build-push-action@v5
	with:
	push: true
	tags: ghcr.io/cms-enterprise/batcave/omnibus:${{ steps.vars.outputs.tag_name }}

	- name: job summary
	shell: bash
	run: \|
	echo "## Docker Action Image Build and Push Summary" >> $GITHUB_STEP_SUMMARY
	echo ":white_check_mark: Docker Action Image Build and Push" >> $GITHUB_STEP_SUMMARY
	echo ":white_check_mark: Image (Docker CLI): ghcr.io/cms-enterprise/batcave/omnibus:${{ steps.vars.outputs.tag_name }}" >> $GITHUB_STEP_SUMMARY

	grype:
	needs: [delivery]
	runs-on: ubuntu-latest
	container:
	image: ${{ needs.delivery.outputs.IMAGE_NAME }}
	env:
	IMAGE_NAME: ${{ needs.delivery.outputs.IMAGE_NAME }}
	GRYPE_CACHE_IMAGE: "${{ vars.BC_IMAGE_REPO }}/batcave/grype-vulndb-cache:latest"
	JUICE_SHOP_IMAGE: "bkimminich/juice-shop"
	steps:
	- name: Test Grype
	run: \|
	grype version
	oras pull ${{ env.GRYPE_CACHE_IMAGE }}
	grype db import vulndb.tar.gz
	grype db update
	grype db check
	grype ${{ env.JUICE_SHOP_IMAGE }} -o json --file report.json
	cat report.json \| jq .

	syft:
	needs: [delivery]
	runs-on: ubuntu-latest
	container:
	image: ${{ needs.delivery.outputs.IMAGE_NAME }}
	env:
	IMAGE_NAME: ${{ needs.delivery.outputs.IMAGE_NAME }}
	IMAGE_SBOM: ".artifacts/sbom/sbom.json"
	JUICE_SHOP_IMAGE: "bkimminich/juice-shop"
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Test Syft
	run: \|
	syft version
	syft ${{ env.JUICE_SHOP_IMAGE }} --scope=squashed -o json --file ${IMAGE_SBOM}
	cat ${IMAGE_SBOM}

	gitleaks:
	needs: [delivery]
	runs-on: ubuntu-latest
	container:
	image: ${{ needs.delivery.outputs.IMAGE_NAME }}
	env:
	ARTIFACT_FOLDER: ".artifacts"
	GITLEAKS_REPORT: ".artifacts/gitleaks/gitleaks_report.json"
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Test GitLeaks
	run: \|
	git config --global --add safe.directory '*'
	git clone https://github.com/juice-shop/juice-shop.git
	mkdir -p ${{ env.ARTIFACT_FOLDER }}/gitleaks
	touch ${{ env.GITLEAKS_REPORT }}
	echo "Starting Gitleaks Secrets Scan"
	gitleaks detect --exit-code 0 --verbose --source juice-shop --report-format json --report-path ${{ env.GITLEAKS_REPORT }}

	cosign-crane:
	needs: [delivery]
	runs-on: ubuntu-latest
	container:
	image: ${{ needs.delivery.outputs.IMAGE_NAME }}
	env:
	APP_IMAGE: ${{ vars.BC_IMAGE_REPO }}/${{ github.repository }}:${{ github.sha }}
	steps:
	- name: Checkout
	uses: actions/[email protected]
	- name: Test Cosign/Crane
	run: \|
	cosign version
	crane version
	export TARGET_IMAGE=$(crane digest --full-ref ${{ env.APP_IMAGE }})
	echo "TARGET_IMAGE=${TARGET_IMAGE}"
	echo "Application Image Digest -> ${TARGET_IMAGE}"
	echo "Signing image using cosign with OIDC token"
	# TODO: Add this back in when we have a valid OIDC token
	# cosign sign --identity-token=$(cat /var/run/secrets/eks.amazonaws.com/serviceaccount/token) ${TARGET_IMAGE}

	gatecheck:
	needs: [delivery]
	runs-on: ubuntu-latest
	container:
	image: ${{ needs.delivery.outputs.IMAGE_NAME }}
	env:
	JUICE_SHOP_IMAGE: "bkimminich/juice-shop"
	steps:
	- name: Checkout
	uses: actions/[email protected]
	- name: Test Gatecheck
	run: \|
	gatecheck version
	gatecheck config init --output yaml
	echo "# Juice Shop Grype Scan Results" >> $GITHUB_STEP_SUMMARY
	grype ${{ env.JUICE_SHOP_IMAGE }} -o json \| gatecheck ls -i grype --epss --markdown >> $GITHUB_STEP_SUMMARY

	oras:
	needs: [delivery]
	runs-on: ubuntu-latest
	container:
	image: ${{ needs.delivery.outputs.IMAGE_NAME }}
	env:
	ARTIFACT_TYPE: application/vnd.cms.batcave.smoke-test+text
	SMOKE_TEST_IMAGE: "${{ vars.BC_IMAGE_REPO }}/batcave/omnibus-smoke-test:latest"
	steps:
	- name: Checkout
	uses: actions/[email protected]
	- name: Test Oras
	run: \|
	date > omnibus-smoke-test.txt
	cat omnibus-smoke-test.txt
	oras login ghcr.io -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }}
	oras push -v --artifact-type ${{ env.ARTIFACT_TYPE }} ${{ env.SMOKE_TEST_IMAGE }} omnibus-smoke-test.txt
	rm omnibus-smoke-test.txt
	ls -lah
	oras pull -v ${{ env.SMOKE_TEST_IMAGE }}
	cat omnibus-smoke-test.txt

	semgrep:
	needs: [delivery]
	runs-on: ubuntu-latest
	container:
	image: ${{ needs.delivery.outputs.IMAGE_NAME }}
	env:
	ARTIFACT_FOLDER: ".artifacts"
	steps:
	- name: Checkout
	uses: actions/[email protected]
	- name: Test Semgrep
	run: \|
	git config --global --add safe.directory /__w/batcave-omnibus/batcave-omnibus
	mkdir -p ${{ env.ARTIFACT_FOLDER }}/sast/
	osemgrep --help
	osemgrep ci --experimental --config auto --config p/owasp-top-ten --json > ${{ env.ARTIFACT_FOLDER }}/sast/semgrep-sast-report.json \|\| true
	cat ${{ env.ARTIFACT_FOLDER }}/sast/semgrep-sast-report.json

	clamav:
	needs: [delivery]
	runs-on: ubuntu-latest
	container:
	image: ${{ needs.delivery.outputs.IMAGE_NAME }}
	env:
	ARTIFACT_FOLDER: ".artifacts"
	steps:
	- name: Checkout
	uses: actions/[email protected]
	- name: Test ClamAV
	run: \|
	mkdir -p ${{ env.ARTIFACT_FOLDER }}/sast/
	freshclam
	clamscan --version
	clamscan -irv --scan-archive=yes --max-filesize=4000M --max-scansize=4000M --stdout . > ${{ env.ARTIFACT_FOLDER }}/sast/clamav-sast-report.txt \|\| true
	cat ${{ env.ARTIFACT_FOLDER }}/sast/clamav-sast-report.txt

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Building Omnibus Image: Use the prebuilt semgrep-core binary from the official docker image. #18

Workflow file

Building Omnibus Image: Use the prebuilt semgrep-core binary from the official docker image. #18

Jobs

Run details

Workflow file for this run