From 52cb6d03386ab66c343638bbac5b6831dc27f922 Mon Sep 17 00:00:00 2001 From: Ruairidh MacLeod Date: Mon, 9 Dec 2024 09:58:30 +0000 Subject: [PATCH] remove old content --- .github/workflows/main.yaml | 105 +--------------------------------- Dockerfile | 26 --------- hadolint.yaml | 3 - script.py | 6 -- trivy-configs/dockerfile.yaml | 10 ---- trivy-configs/image-scan.yaml | 13 ----- 6 files changed, 1 insertion(+), 162 deletions(-) delete mode 100644 Dockerfile delete mode 100644 hadolint.yaml delete mode 100644 script.py delete mode 100644 trivy-configs/dockerfile.yaml delete mode 100644 trivy-configs/image-scan.yaml diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 674a118..2c88a6d 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -10,112 +10,9 @@ defaults: run: shell: bash -env: - HADOLINT_IMAGE: "ghcr.io/hadolint/hadolint:latest" - TRIVY_IMAGE: "ghcr.io/aquasecurity/trivy:latest" - jobs: build: - runs-on: ubuntu-22.04 - permissions: - security-events: write - # only required for workflows in private repositories - # actions: read - # contents: read + runs-on: ubuntu-24.04 steps: - name: Checkout repo uses: actions/checkout@v4 - - name: Pull images - run: | - docker pull "${HADOLINT_IMAGE}" - docker pull "${TRIVY_IMAGE}" - - name: Run Trivy - Dockerfile check - run: | - config="trivy-configs/dockerfile.yaml" - if [ ! -f "./${config}" ]; then - echo "Error: Missing ./configs/${config}" - exit 1 - fi - docker run \ - --rm \ - -v $HOME/.cache/trivy:/root/.cache \ - -v "$(pwd)":/repo \ - "${TRIVY_IMAGE}" \ - config \ - --config "/repo/${config}" \ - /repo/Dockerfile - - name: Run hadolint - run: | - docker run \ - --rm \ - -i \ - -v "$(pwd)":/repo \ - "${HADOLINT_IMAGE}" \ - hadolint \ - --config /repo/hadolint.yaml \ - - < Dockerfile - - name: Build Docker image - run: | - img="ghcr.io/$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" - version="$(grep _VERSION= Dockerfile | cut -d'"' -f2)" - image_revision="$(grep _IMAGE_REVISION= Dockerfile | cut -d'"' -f2)" - tag="${version}-${image_revision}" - build_ctx=$(mktemp -d) - cp -t "${build_ctx}" script.py - docker build -f Dockerfile --tag "${img}:${tag}" --tag "${img}:latest" "${build_ctx}" - echo "img=${img}" >> "${GITHUB_ENV}" - echo "tag=${tag}" >> "${GITHUB_ENV}" - - name: Run Trivy - image scan - run: | - reports_dir=$(mktemp -d) - docker inspect --format="{{index .Id}}" "${img}:${tag}" > "${reports_dir}/image-id.txt" - - config="trivy-configs/image-scan.yaml" - if [ ! -f "./${config}" ]; then - echo "Error: Missing ./configs/${config}" - exit 1 - fi - - # Generate SARIF report for GitHub Security - docker run \ - --rm \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -v $HOME/.cache/trivy:/root/.cache \ - -v "${reports_dir}":/reports \ - -v "$(pwd)":/repo \ - "${TRIVY_IMAGE}" \ - image \ - --config "/repo/${config}" \ - --format sarif \ - --output /reports/image-scan.sarif \ - "${img}:${tag}" - - # Generate SBOM - docker run \ - --rm \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -v $HOME/.cache/trivy:/root/.cache \ - -v "${reports_dir}":/reports \ - -v $(pwd):/repo \ - "${TRIVY_IMAGE}" \ - image \ - --config "/repo/${config}" \ - --format cyclonedx \ - --output /reports/trivy-sbom.json \ - "${img}:${tag}" - echo "reports_dir=${reports_dir}" >> "$GITHUB_ENV" - - name: Upload artifacts to GHA - uses: actions/upload-artifact@v4 - with: - name: 'trivy-reports' - path: '${{ env.reports_dir }}/' - # - name: Upload SARIF report - # uses: github/codeql-action/upload-sarif@v3 - # with: - # sarif_file: '${{ env.reports_dir }}/image-scan.sarif' - # token: "${{ secrets.GITHUB_TOKEN }}" - # - name: push image - # run: | - # echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin - # docker push "$img:$tag" - # docker push "$img:latest" diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 1d380f1..0000000 --- a/Dockerfile +++ /dev/null @@ -1,26 +0,0 @@ -FROM debian:12-slim@sha256:67f3931ad8cb1967beec602d8c0506af1e37e8d73c2a0b38b181ec5d8560d395 - -ARG PACKAGE_VERSION="1.2.3" -ARG PACKAGE_IMAGE_REVISION="1" - -RUN : \ - && apt-get update -qq \ - && DEBIAN_FRONTEND=noninteractive apt-get upgrade -qq -y --no-install-recommends \ - && DEBIAN_FRONTEND=noninteractive apt-get install \ - -qq -y --no-install-recommends \ - ca-certificates \ - curl \ - python3 \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* \ - && : - -RUN mkdir /safe_data /safe_outputs /scratch - -WORKDIR /src -COPY script.py script.py - -RUN groupadd --system nonroot && useradd --no-log-init --system --gid nonroot nonroot -USER nonroot - -ENTRYPOINT ["python3", "script.py"] diff --git a/hadolint.yaml b/hadolint.yaml deleted file mode 100644 index a6d3f21..0000000 --- a/hadolint.yaml +++ /dev/null @@ -1,3 +0,0 @@ -ignored: - # Ignore "Pin versions in apt get install" - - DL3008 diff --git a/script.py b/script.py deleted file mode 100644 index ed09bce..0000000 --- a/script.py +++ /dev/null @@ -1,6 +0,0 @@ -def main() -> int: - print("Hello, world!") - return 0 - -if __name__ == "__main__": - raise SystemExit(main()) diff --git a/trivy-configs/dockerfile.yaml b/trivy-configs/dockerfile.yaml deleted file mode 100644 index d693d5c..0000000 --- a/trivy-configs/dockerfile.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -misconfiguration: - check-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0 - scanners: - - dockerfile -severity: - - MEDIUM - - HIGH - - CRITICAL -exit-code: 1 diff --git a/trivy-configs/image-scan.yaml b/trivy-configs/image-scan.yaml deleted file mode 100644 index 5596438..0000000 --- a/trivy-configs/image-scan.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -scan: - scanners: - - vuln - - secret -severity: - - UNKNOWN - - LOW - - MEDIUM - - HIGH - - CRITICAL -include-non-failures: true -timeout: 30m