test

Signed-off-by: Sertac Ozercan <[email protected]>
project-copacetic · Jan 16, 2024 · 070364a · 070364a
1 parent 2e7b5d6
commit 070364a
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 9 deletions.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -0,0 +1,64 @@
+name: Patch images
+on:
+  workflow_dispatch:
+jobs:
+  patch:
+    runs-on: ubuntu-latest
+    # used for pushing patched image to GHCR
+    permissions:
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        # provide relevant list of images to scan on each run
+        images:
+          - "docker.io/library/nginx:1.21.6"
+          - "docker.io/openpolicyagent/opa:0.46.0"
+          - "docker.io/library/hello-world:latest"
+    steps:
+      # generate trivy report for fixable OS package vulnerabilities
+      - name: Generate Trivy Report
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1
+        with:
+          scan-type: "image"
+          format: "json"
+          output: "report.json"
+          ignore-unfixed: true
+          vuln-type: "os"
+          image-ref: ${{ matrix.images }}
+
+        # check if there are OS package vulnerabilities
+      - name: Check vulnerability count
+        id: vuln_count
+        run: |
+          report_file="report.json"
+          vuln_count=$(jq '[.Results[] | select(.Class=="os-pkgs") | .Vulnerabilities[]] | length' "$report_file")
+          echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
+
+        # copa action will only run if there are vulnerabilities
+      - name: Copa Action
+        if: steps.vuln_count.outputs.vuln_count != '0'
+        id: copa
+        # using latest (v1) version for illustrative purposes. make sure to pin to a digest for security and stability
+        uses: project-copacetic/copa-action@v1
+        with:
+          image: ${{ matrix.images }}
+          image-report: "report.json"
+          patched-tag: "patched"
+          buildkit-version: "v0.11.6" # optional, default is latest
+          copa-version: "0.6.0" # optional, default is latest
+
+        # for other registries, see https://github.com/docker/login-action#usage
+      - name: Login to GHCR
+        if: steps.copa.conclusion == 'success'
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker Push Patched Image
+        if: steps.login.conclusion == 'success'
+        run: |
+          docker images
+          # docker push ${{ steps.copa.outputs.patched-image }}
diff --git a/README.md b/README.md
@@ -25,12 +25,14 @@ Copacetic Action is supported with Copa version 0.3.0 and later.
 ## Example usage
 
 ```yaml
+name: Patch images
 on: [push]
-
 jobs:
-    test:
+    patch:
         runs-on: ubuntu-latest
-
+        # used for pushing patched image to GHCR
+        permissions:
+          packages: write
         strategy:
           fail-fast: false
           matrix:
@@ -39,8 +41,8 @@ jobs:
               - "docker.io/library/nginx:1.21.6"
               - "docker.io/openpolicyagent/opa:0.46.0"
               - "docker.io/library/hello-world:latest"
-
         steps:
+          # generate trivy report for fixable OS package vulnerabilities
         - name: Generate Trivy Report
           uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1
           with:
@@ -51,16 +53,19 @@ jobs:
             vuln-type: 'os'
             image-ref: ${{ matrix.images }}
 
-        - name: Check Vuln Count
+          # check if there are OS package vulnerabilities
+        - name: Check vulnerability count
           id: vuln_count
           run: |
             report_file="report.json"
             vuln_count=$(jq '[.Results[] | select(.Class=="os-pkgs") | .Vulnerabilities[]] | length' "$report_file")
             echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
 
+          # copa action will only run if there are vulnerabilities
         - name: Copa Action
           if: steps.vuln_count.outputs.vuln_count != '0'
           id: copa
+          # using latest (v1) version for illustrative purposes. make sure to pin to a digest for security and stability
           uses: project-copacetic/copa-action@v1
           with:
             image: ${{ matrix.images }}
@@ -69,13 +74,14 @@ jobs:
             buildkit-version: 'v0.11.6' # optional, default is latest
             copa-version: '0.6.0' # optional, default is latest
 
-        - name: Login to Docker Hub
+          # for other registries, see https://github.com/docker/login-action#usage
+        - name: Login to GHCR
           if: steps.copa.conclusion == 'success'
-          id: login
           uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
           with:
-            username: 'user'
-            password: ${{ secrets.DOCKERHUB_TOKEN }}
+            registry: ghcr.io
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
 
         - name: Docker Push Patched Image
           if: steps.login.conclusion == 'success'