14
14
DOCKER_REPOSITORY_COMMAND : aws-asg-tags-command
15
15
DOCKER_REPOSITORY_LAMBDA : aws-asg-tags-lambda
16
16
17
+ AWS_S3_REGION : ${{ secrets.AWS_S3_REGION }}
18
+ SBOM_FILENAME : docker-sbom
19
+ NOTION_DATABASE_ID : ${{ secrets.NOTION_REPOS_DATABASE_ID }}
20
+
17
21
18
22
19
23
permissions :
49
53
steps :
50
54
- name : Version
51
55
id : version
52
- run : echo ::set-output name= value:: ${GITHUB_REF#refs/*/}
56
+ run : echo " value= ${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
53
57
54
58
55
59
build-command :
@@ -69,21 +73,66 @@ jobs:
69
73
restore-keys : |
70
74
${{ runner.os }}-spm-
71
75
76
+ - name : Build Docker Image
77
+ id : docker_build
78
+ uses : docker/build-push-action@v3
79
+ env :
80
+ DOCKER_IMAGE_TAG : ${{ env.DOCKER_REPOSITORY_COMMAND }}:${{ needs.prepare.outputs.version }}
81
+ with :
82
+ context : .
83
+ file : command.Dockerfile
84
+ push : false
85
+ load : true
86
+ tags : ${{ env.DOCKER_IMAGE_TAG }}
87
+
88
+ - name : Create Docker SBOM
89
+ uses : anchore/sbom-action@v0
90
+ with :
91
+ image : ${{ steps.docker_build.outputs.imageId }}
92
+ format : spdx-json
93
+ upload-release-assets : false
94
+ output-file : ${{ env.SBOM_FILENAME }}.spdx.json
95
+
96
+ - name : Scan SBOM
97
+ id : scan_sbom
98
+ uses : anchore/scan-action@v3
99
+ with :
100
+ sbom : ${{ env.SBOM_FILENAME }}.spdx.json
101
+ output-format : sarif
102
+ fail-build : false
103
+
104
+ - name : Determine number of noticiable vulnerabilities
105
+ id : count_vulnerabilities
106
+ run : echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
107
+
108
+ - name : Copy SBOM to S3
109
+ run : |
110
+ aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/command-${{ env.SBOM_FILENAME }}.spdx.json
111
+ aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/command-${{ env.SBOM_FILENAME }}-scan.sarif
112
+
113
+ - name : Update Notion Page
114
+ uses : ydataai/update-notion-page@v1
115
+ env :
116
+ STATUS_ICON : ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
117
+ STATUS_URL : ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-{3}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, 'manager', env.SBOM_FILENAME) }}
118
+ with :
119
+ notion_secret : ${{ secrets.NOTION_SECRET }}
120
+ notion_database_id : ${{ env.NOTION_DATABASE_ID }}
121
+ notion_database_query_filter : ' { "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
122
+ notion_page_update_properties : ' { "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
123
+
72
124
- name : Login to Dockerhub Registry
73
125
uses : docker/login-action@v2
74
126
with :
75
127
username : ${{ secrets.DOCKERHUB_USERNAME }}
76
128
password : ${{ secrets.DOCKERHUB_PASSWORD }}
77
129
78
- - name : Build and push docker image
79
- id : docker_build
80
- uses : docker/build-push-action@v3
130
+ - name : Push Docker Image
81
131
env :
82
132
DOCKER_IMAGE_TAG : ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKER_REPOSITORY_COMMAND }}:${{ needs.prepare.outputs.version }}
83
- with :
84
- file : command.Dockerfile
85
- push : true
86
- tags : ${{ env.DOCKER_IMAGE_TAG }}
133
+ run : |
134
+ docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }}
135
+ docker push ${{ env.DOCKER_IMAGE_TAG }}
87
136
88
137
89
138
build-lambda :
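Review bot: The Notion link for the command image points at a SARIF that is never uploaded: the `STATUS_URL` format call passes `'manager'` as the file prefix, while the preceding `Copy SBOM to S3` step writes `command-${{ env.SBOM_FILENAME }}-scan.sarif`, so any non-zero count produces a dead link; change the argument to `'command'` (the lambda hunk below already uses `'lambda'` consistently). The vulnerability count is a line count of a free-text phrase, `grep -cE "(medium|high|critical) vulnerability"`, which depends on how the scanner phrases its rule text and on one finding per line — the SARIF layout is not visible here, but reading the JSON `results` array (e.g. with `jq`) would not depend on wording. Both new hunks also pull third-party actions by mutable tags (`anchore/sbom-action@v0`, `anchore/scan-action@v3`, `ydataai/update-notion-page@v1`), the last of which receives `secrets.NOTION_SECRET`; pinning each to a full commit SHA, e.g. `uses: ydataai/update-notion-page@<full-commit-sha>  # v1`, keeps a moved tag from changing what handles the secret. The same remarks apply to the lambda hunk at `@@ -103,21 +152,66 @@`.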
@@ -103,21 +152,66 @@ jobs:
103
152
restore-keys : |
104
153
${{ runner.os }}-spm-
105
154
155
+ - name : Build Docker Image
156
+ id : docker_build
157
+ uses : docker/build-push-action@v3
158
+ env :
159
+ DOCKER_IMAGE_TAG : ${{ env.DOCKER_REPOSITORY_LAMBDA }}:${{ needs.prepare.outputs.version }}
160
+ with :
161
+ context : .
162
+ file : lambda.Dockerfile
163
+ push : false
164
+ load : true
165
+ tags : ${{ env.DOCKER_IMAGE_TAG }}
166
+
167
+ - name : Create Docker SBOM
168
+ uses : anchore/sbom-action@v0
169
+ with :
170
+ image : ${{ steps.docker_build.outputs.imageId }}
171
+ format : spdx-json
172
+ upload-release-assets : false
173
+ output-file : ${{ env.SBOM_FILENAME }}.spdx.json
174
+
175
+ - name : Scan SBOM
176
+ id : scan_sbom
177
+ uses : anchore/scan-action@v3
178
+ with :
179
+ sbom : ${{ env.SBOM_FILENAME }}.spdx.json
180
+ output-format : sarif
181
+ fail-build : false
182
+
183
+ - name : Determine number of noticiable vulnerabilities
184
+ id : count_vulnerabilities
185
+ run : echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
186
+
187
+ - name : Copy SBOM to S3
188
+ run : |
189
+ aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/lambda-${{ env.SBOM_FILENAME }}.spdx.json
190
+ aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/lambda-${{ env.SBOM_FILENAME }}-scan.sarif
191
+
192
+ - name : Update Notion Page
193
+ uses : ydataai/update-notion-page@v1
194
+ env :
195
+ STATUS_ICON : ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
196
+ STATUS_URL : ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-{3}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, 'lambda', env.SBOM_FILENAME) }}
197
+ with :
198
+ notion_secret : ${{ secrets.NOTION_SECRET }}
199
+ notion_database_id : ${{ env.NOTION_DATABASE_ID }}
200
+ notion_database_query_filter : ' { "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
201
+ notion_page_update_properties : ' { "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
202
+
106
203
- name : Login to Dockerhub Registry
107
204
uses : docker/login-action@v2
108
205
with :
109
206
username : ${{ secrets.DOCKERHUB_USERNAME }}
110
207
password : ${{ secrets.DOCKERHUB_PASSWORD }}
111
208
112
- - name : Build and push docker image
113
- id : docker_build
114
- uses : docker/build-push-action@v3
209
+ - name : Push Docker Image
115
210
env :
116
211
DOCKER_IMAGE_TAG : ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKER_REPOSITORY_LAMBDA }}:${{ needs.prepare.outputs.version }}
117
- with :
118
- file : lambda.Dockerfile
119
- push : true
120
- tags : ${{ env.DOCKER_IMAGE_TAG }}
212
+ run : |
213
+ docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }}
214
+ docker push ${{ env.DOCKER_IMAGE_TAG }}
121
215
122
216
123
217
update-manifests :