From 321b7b4ceeaa3a393c81e2d9604cdb6b75209639 Mon Sep 17 00:00:00 2001 From: Daan Date: Thu, 17 Oct 2024 12:52:34 +0200 Subject: [PATCH 1/3] Modified GitHub workflows --- ...odeql-analysis.yml => codeql-analyze.yaml} | 8 +-- .github/workflows/docker-analyze.yaml | 47 ++++++++++++++++ .github/workflows/docker-build.yaml | 38 +++++++++++++ .github/workflows/main.yml | 56 ------------------- 4 files changed, 89 insertions(+), 60 deletions(-) rename .github/workflows/{codeql-analysis.yml => codeql-analyze.yaml} (93%) create mode 100644 .github/workflows/docker-analyze.yaml create mode 100644 .github/workflows/docker-build.yaml delete mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analyze.yaml similarity index 93% rename from .github/workflows/codeql-analysis.yml rename to .github/workflows/codeql-analyze.yaml index 59c192e4..18796f2a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analyze.yaml @@ -38,11 +38,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -53,7 +53,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -67,4 +67,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/docker-analyze.yaml b/.github/workflows/docker-analyze.yaml new file mode 100644 index 00000000..340fa903 --- /dev/null +++ b/.github/workflows/docker-analyze.yaml @@ -0,0 +1,47 @@ +name: Docker-Analyze + +on: + schedule: + - cron: "0 0 * * *" # Daily at midnight UTC + workflow_dispatch: + inputs: + trigger-build: + description: 'Trigger a manual build and push' + default: 'true' + +env: + DOCKER_IMAGE: dselen/wgdashboard + +jobs: + docker_analyze: + runs-on: ubuntu-latest + strategy: + fail-fast: false + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + + - name: Install Docker Scout + run: | + echo "Installing Docker Scout..." + curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- + echo "Docker Scout installed successfully." + - name: Analyze Docker image with Docker Scout + id: analyze-image + run: | + echo "Analyzing Docker image with Docker Scout..." + docker scout cves ${{ env.DOCKER_IMAGE }}:latest > scout-results.txt + cat scout-results.txt + echo "Docker Scout analysis completed." + - name: Fail if critical CVEs are found + run: | + if grep -q "CRITICAL" scout-results.txt; then + echo "Critical vulnerabilities found! Failing the job." + exit 1 + fi diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml new file mode 100644 index 00000000..be5c6fb9 --- /dev/null +++ b/.github/workflows/docker-build.yaml @@ -0,0 +1,38 @@ +name: Docker-Build + +on: + schedule: + - cron: "0 0 * * *" # Daily at midnight UTC + workflow_dispatch: + inputs: + trigger-build: + description: 'Trigger a manual build and push' + default: 'true' + +env: + DOCKER_IMAGE: dselen/wgdashboard + +jobs: + docker_build: + runs-on: ubuntu-latest + strategy: + fail-fast: false + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build and export + uses: docker/build-push-action@v6 + with: + context: . + push: true + tags: ${{ env.DOCKER_IMAGE }}:latest diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml deleted file mode 100644 index 5c097e7f..00000000 --- a/.github/workflows/main.yml +++ /dev/null @@ -1,56 +0,0 @@ -name: Docker Image Build and Analysis - -on: - schedule: - - cron: "0 0 * * *" # Schedule the workflow to run daily at midnight (UTC time). Adjust the time if needed. - workflow_dispatch: # Manual run trigger - inputs: - trigger-build: - description: 'Trigger a manual build and push' - default: 'true' - -jobs: - build-and-analyze: - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - - name: Log in to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Build Docker image - id: build-image - run: | - echo "Building Docker image..." - docker build -t my-app-image:latest . - echo "Docker image built successfully." - - - name: Install Docker Scout - run: | - echo "Installing Docker Scout..." - curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- - echo "Docker Scout installed successfully." - - - name: Analyze Docker image with Docker Scout - id: analyze-image - run: | - echo "Analyzing Docker image with Docker Scout..." - docker scout cves my-app-image:latest > scout-results.txt - cat scout-results.txt # Print the report to the workflow logs for easy viewing - echo "Docker Scout analysis completed." - - - name: Post Comment on Issue or PR - run: | - COMMENT="**Docker Image Build and Analysis Report**\n\nThe Docker image was built and analyzed successfully.\n\n**Build Summary:**\n- Image Tag: my-app-image:latest\n\n**Analysis Report:**\n\`\`\`\n$(cat scout-results.txt)\n\`\`\`" - - # Post comment using GitHub API - curl -X POST \ - -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ - -H "Accept: application/vnd.github.v3+json" \ - -d "{\"body\": \"$COMMENT\"}" \ - "https://api.github.com/repos/NOXCIS/WGDashboard/issues/1/comments" # Replace '1' with the issue or PR number From 10984754730e81b1923619980adc184669d58978 Mon Sep 17 00:00:00 2001 From: Daan Date: Mon, 21 Oct 2024 12:07:33 +0200 Subject: [PATCH 2/3] Changed failing criteria --- .github/workflows/docker-analyze.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-analyze.yaml b/.github/workflows/docker-analyze.yaml index 340fa903..2cfbb0ac 100644 --- a/.github/workflows/docker-analyze.yaml +++ b/.github/workflows/docker-analyze.yaml @@ -41,7 +41,10 @@ jobs: echo "Docker Scout analysis completed." - name: Fail if critical CVEs are found run: | - if grep -q "CRITICAL" scout-results.txt; then - echo "Critical vulnerabilities found! Failing the job." + if grep -q "0C" scout-results.txt; then + echo "No critical vulnerabilities found! Continueing." + exit 0 + else + echo "At least one critical vulnerabilities found! Exiting." exit 1 fi From cfe59774e712a6b6528bc3a9ad60eb2e2abf790b Mon Sep 17 00:00:00 2001 From: Daan Date: Mon, 21 Oct 2024 12:09:53 +0200 Subject: [PATCH 3/3] Changed Docker image names: dselen -> donaldzou --- .github/workflows/docker-build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml index be5c6fb9..39b0ae05 100644 --- a/.github/workflows/docker-build.yaml +++ b/.github/workflows/docker-build.yaml @@ -10,7 +10,7 @@ on: default: 'true' env: - DOCKER_IMAGE: dselen/wgdashboard + DOCKER_IMAGE: donaldzou/wgdashboard jobs: docker_build: