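---
# Workflow: build each Mutillidae container image, scan it with Trivy,
# publish the SARIF results to the GitHub Security tab, then push the
# image to Docker Hub.
name: build-scan-push-to-dockerhub

# Run after a push to the 'main' branch has completed; the pushed code is
# already in the repository, so the checkout steps below can fetch it.
# NOTE: `on` looks like a YAML 1.1 boolean; GitHub's loader handles it, but
# generic linters may need the `truthy` rule suppressed for this key.
on:
  push:
    branches: ["main"]

jobs:
  docker:
    runs-on: ubuntu-latest

    # Least-privilege GITHUB_TOKEN: the job only reads the repository and
    # writes SARIF uploads. Docker Hub access comes from repository secrets,
    # not from GITHUB_TOKEN.
    permissions:
      actions: read
      contents: read
      security-events: write

    # One job instance per container image; each instance builds, scans and
    # pushes exactly one image.
    strategy:
      matrix:
        container_name:
          - database
          - database_admin
          - ldap
          - ldap_admin
          - www

    steps:
      # Third-party actions are pinned to a release tag rather than a moving
      # branch (`@main` / `@master`), so an upstream change cannot silently
      # alter what runs in this pipeline. For the strongest supply-chain
      # guarantee, pin each `uses:` to a full commit SHA, e.g.
      #   uses: actions/checkout@<FULL_COMMIT_SHA>  # v4  (placeholder: look up the real SHA)
      # and let Dependabot keep the SHA and the version comment in sync.

      # Step 1: Check out the mutillidae application source into `mutillidae`.
      - name: Check out the mutillidae codebase
        uses: actions/checkout@v4
        with:
          repository: webpwnized/mutillidae
          path: mutillidae

      # Step 2: Check out the Docker build project into `mutillidae-docker`.
      - name: Check out the mutillidae-docker codebase
        uses: actions/checkout@v4
        with:
          repository: webpwnized/mutillidae-docker
          path: mutillidae-docker

      # Step 3: Export VERSION from the application's `version` file (the
      # Mutillidae version, not the mutillidae-docker project's).
      - name: Get version from version file
        working-directory: mutillidae
        shell: bash
        run: |
          # $(...) strips the trailing newline, so a one-line file yields a clean value.
          VERSION="$(cat version)"
          echo "Version of Mutillidae: ${VERSION}"
          # Refuse multi-line content: an embedded newline written to
          # $GITHUB_ENV would define additional environment variables.
          if [[ "${VERSION}" == *$'\n'* ]]; then
            echo "ERROR: version file must contain exactly one line" >&2
            exit 1
          fi
          echo "VERSION=${VERSION}" >> "$GITHUB_ENV"

      # Step 4: QEMU enables cross-architecture builds. No `platforms` input
      # is set on the build steps below, so builds currently target the
      # runner's native architecture.
      - name: Set up QEMU on the runner
        uses: docker/setup-qemu-action@v3

      # Step 5: Buildx is the CLI plugin used by build-push-action.
      - name: Set up Docker Buildx on the runner
        uses: docker/setup-buildx-action@v3

      # Step 6: Authenticate to Docker Hub with an access token held in
      # repository secrets (never a password, never a literal in this file).
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Step 7: Cache the Trivy vulnerability database between runs.
      # actions/cache only saves on a key miss, so a key unique to this run
      # guarantees a fresh save each time; `restore-keys` then restores the
      # most recent cache for this OS on the next run.
      - name: Cache Trivy database
        uses: actions/cache@v4
        with:
          path: ~/.cache/trivy
          key: trivy-db-cache-${{ runner.os }}-${{ github.run_id }}
          restore-keys: |
            trivy-db-cache-${{ runner.os }}-

      # ----------------------------------------------------------------------
      # Per-matrix-entry work: build, scan, upload results, push.
      # ----------------------------------------------------------------------

      # Step 8: Print the container currently being processed.
      - name: Print Current Container Name
        shell: bash
        run: |
          echo "STATUS: Currently working on container: ${{ matrix.container_name }}"

      # Step 9: Build the image and load it into the local Docker daemon so
      # Trivy can scan it before anything is pushed.
      - name: Build and Load Container
        uses: docker/build-push-action@v6
        with:
          context: mutillidae-docker/.build/${{ matrix.container_name }}/
          file: mutillidae-docker/.build/${{ matrix.container_name }}/Dockerfile
          load: true
          tags: webpwnized/mutillidae:${{ matrix.container_name }}

      # Step 10: Scan the built image with Trivy and write SARIF output.
      # No `exit-code` is set, so findings never fail the job and the push
      # below runs regardless of scan results. Set `exit-code: '1'` together
      # with `severity` if the scan should gate publishing.
      - name: Run Trivy vulnerability scanner on Container
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'webpwnized/mutillidae:${{ matrix.container_name }}'
          format: 'sarif'
          output: '${{ matrix.container_name }}-trivy-scan-results.sarif'

      # Step 11: Echo the SARIF to the job log for quick inspection.
      - name: Print Trivy scan results to the console
        shell: bash
        run: |
          cat '${{ matrix.container_name }}-trivy-scan-results.sarif'

      # Step 12: Upload the SARIF to the Security tab; `category` keeps each
      # container's results distinct. Requires `security-events: write`.
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: '${{ matrix.container_name }}-trivy-scan-results.sarif'
          category: ${{ matrix.container_name }}

      # Step 13: Push the image under both its plain tag and its versioned
      # tag in a single build (the Buildx cache makes this a no-op rebuild).
      - name: Push Container
        uses: docker/build-push-action@v6
        with:
          context: mutillidae-docker/.build/${{ matrix.container_name }}/
          file: mutillidae-docker/.build/${{ matrix.container_name }}/Dockerfile
          push: true
          tags: |
            webpwnized/mutillidae:${{ matrix.container_name }}
            webpwnized/mutillidae:${{ matrix.container_name }}-${{ env.VERSION }}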