From f4d201e13cd07abc38367e7d5a2618b3af0046cb Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Tue, 30 Jul 2024 15:13:59 -0700 Subject: [PATCH 01/26] Create inti ci.yaml initial ci yaml --- .github/workflows/ci.yaml | 59 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 .github/workflows/ci.yaml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000000..8a28df515a --- /dev/null +++ b/.github/workflows/ci.yaml 
@@ -0,0 +1,59 @@ +name: CIWF + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + build-and-scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout source code + uses: actions/checkout@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Log in to DockerHub + run: echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin + + - name: Build vote image + run: docker build -t ${DOCKER_USERNAME}/voting-app-vote:latest ./vote + + - name: Build worker image + run: docker build -t ${DOCKER_USERNAME}/voting-app-worker:latest ./worker + + - name: Build result image + run: docker build -t ${DOCKER_USERNAME}/voting-app-result:latest ./result + + - name: Push vote image + run: docker push ${DOCKER_USERNAME}/voting-app-vote:latest + + - name: Push worker image + run: docker push ${DOCKER_USERNAME}/voting-app-worker:latest + + - name: Push result image + run: docker push ${DOCKER_USERNAME}/voting-app-result:latest + + - name: Scan vote image with Sysdig + run: | + sysdig-cli scan ${DOCKER_USERNAME}/voting-app-vote:latest + env: + SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} + + - name: Scan worker image with Sysdig + run: | + sysdig-cli scan ${DOCKER_USERNAME}/voting-app-worker:latest + env: + SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} + + - name: Scan result image with Sysdig + run: | + sysdig-cli scan ${DOCKER_USERNAME}/voting-app-result:latest + env: + SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} From 55883df50e5d8c62a107a59faab5a65959171536 Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Tue, 30 Jul 2024 15:18:08 -0700 Subject: [PATCH 02/26] Add sysdig cli add sysdig cli --- .github/workflows/ci.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8a28df515a..8dd55bad15 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
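Review bot: The three `docker push` steps run before the three Sysdig scan steps and the workflow fires on `pull_request` as well as `push`, so `:latest` for every image is published to Docker Hub before any scan result can fail the job, and a pull-request branch can overwrite the production tag. Keep the push steps after the scans and gate them on the main-branch push event, e.g. `if: github.event_name == 'push' && github.ref == 'refs/heads/main'`. The login step interpolates `${{ secrets.DOCKER_PASSWORD }}` straight into the shell command; passing it through `env:` keeps the secret out of the rendered script, or use `docker/login-action`. `actions/checkout@v2` and `docker/setup-buildx-action@v1` are mutable tags (and checkout v2 runs on a deprecated runtime); pin both to a full commit SHA and add a top-level `permissions: contents: read` so the job token is no broader than the checkout needs. Separately, the shell variable `${DOCKER_USERNAME}` used in the build, push and scan lines is never defined anywhere in the workflow, so those image references render as `/voting-app-vote:latest`.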
@@ -40,6 +40,9 @@ jobs: - name: Push result image run: docker push ${DOCKER_USERNAME}/voting-app-result:latest + - name: Install Sysdig CLI + run: curl -sL https://download.sysdig.com/stable/install-sysdig | sudo bash + - name: Scan vote image with Sysdig run: | sysdig-cli scan ${DOCKER_USERNAME}/voting-app-vote:latest From 82575ed25bae2ec478b4bb1ee73b5a503527d05a Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Tue, 30 Jul 2024 15:32:53 -0700 Subject: [PATCH 03/26] Update ci.yaml iterate build fix for GH --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8dd55bad15..c7907c6ae1 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -23,7 +23,7 @@ jobs: run: echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin - name: Build vote image - run: docker build -t ${DOCKER_USERNAME}/voting-app-vote:latest ./vote + run: docker build -t ${DOCKER_USERNAME}/voting-app-vote:latest ../../vote - name: Build worker image run: docker build -t ${DOCKER_USERNAME}/voting-app-worker:latest ./worker From cb6482eecf7ab6ffcf9d51580efe65334b3f68dc Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Tue, 30 Jul 2024 15:35:24 -0700 Subject: [PATCH 04/26] Update ci.yaml --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c7907c6ae1..9f32d83825 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
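Review bot: `curl -sL https://download.sysdig.com/stable/install-sysdig | sudo bash` executes an unpinned remote script as root on the runner on every run, with nothing verifying what was fetched. Pin the installer or scanner to a specific version and check the download against a published checksum before executing it, or install it through a versioned package or action. It also looks like this script installs the `sysdig` system tool rather than a `sysdig-cli` command, which is what the scan steps invoke — worth confirming the installed binary name matches before relying on it.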
@@ -23,7 +23,7 @@ jobs: run: echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin - name: Build vote image - run: docker build -t ${DOCKER_USERNAME}/voting-app-vote:latest ../../vote + run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest ./vote - name: Build worker image run: docker build -t ${DOCKER_USERNAME}/voting-app-worker:latest ./worker From caa4591d6b7f601721dabba3188dc6f5a44d786e Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Tue, 30 Jul 2024 15:37:32 -0700 Subject: [PATCH 05/26] Update ci.yaml fixing secret refs --- .github/workflows/ci.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 9f32d83825..342e91eca9 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
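Review bot: Switching to `${{ secrets.DOCKER_USERNAME }}` inside `run:` splices a secret-typed value into the shell script text, and because it is registered as a secret GitHub masks it in logs, so every image reference in build, push and scan output will print as `***/voting-app-vote:latest`, which makes failures hard to read. A registry username is not a credential; store it as a repository variable (`${{ vars.DOCKER_USERNAME }}`) or a job-level `env:` entry and reference it as a shell variable. The same applies to the remaining `${{ secrets.DOCKER_USERNAME }}` substitutions made in the next commit (`fixing secret refs`).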
@@ -26,37 +26,37 @@ jobs: run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest ./vote - name: Build worker image - run: docker build -t ${DOCKER_USERNAME}/voting-app-worker:latest ./worker + run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest ./worker - name: Build result image - run: docker build -t ${DOCKER_USERNAME}/voting-app-result:latest ./result + run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest ./result - name: Push vote image - run: docker push ${DOCKER_USERNAME}/voting-app-vote:latest + run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest - name: Push worker image - run: docker push ${DOCKER_USERNAME}/voting-app-worker:latest + run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest - name: Push result image - run: docker push ${DOCKER_USERNAME}/voting-app-result:latest + run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest - name: Install Sysdig CLI run: curl -sL https://download.sysdig.com/stable/install-sysdig | sudo bash - name: Scan vote image with Sysdig run: | - sysdig-cli scan ${DOCKER_USERNAME}/voting-app-vote:latest + sysdig-cli scan ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest env: SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} - name: Scan worker image with Sysdig run: | - sysdig-cli scan ${DOCKER_USERNAME}/voting-app-worker:latest + sysdig-cli scan ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest env: SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} - name: Scan result image with Sysdig run: | - sysdig-cli scan ${DOCKER_USERNAME}/voting-app-result:latest + sysdig-cli scan ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest env: SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} From 7c105fd51bc6bcc03ad21e6d1fc8da1e3b2e823f Mon Sep 17 00:00:00 2001 
From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Tue, 30 Jul 2024 16:21:57 -0700 Subject: [PATCH 06/26] Update ci.yaml testing cont --- .github/workflows/ci.yaml | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 342e91eca9..7b529ac66e 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,3 +1,6 @@ +env: + SYSDIG_SECURE_ENDPOINT: "https://secure.sysdig.com" + name: CIWF on: 
@@ -40,12 +43,33 @@ jobs: - name: Push result image run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest - - name: Install Sysdig CLI - run: curl -sL https://download.sysdig.com/stable/install-sysdig | sudo bash + - name: Setup cache + uses: actions/cache@v3 + with: + path: cache + key: ${{ runner.os }}-cache-${{ hashFiles('**/sysdig-cli-scanner', '**/latest_version.txt', '**/db/main.db.meta.json', '**/scanner-cache/inlineScannerCache.db') }} + restore-keys: ${{ runner.os }}-cache- + + - name: Download sysdig-cli-scanner if needed + run: | + curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt + mkdir -p ${GITHUB_WORKSPACE}/cache/db/ + if [ ! -f ${GITHUB_WORKSPACE}/cache/latest_version.txt ] || [ $(cat ./latest_version.txt) != $(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt) ]; then + cp ./latest_version.txt ${GITHUB_WORKSPACE}/cache/latest_version.txt + curl -sL -o ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner" + chmod +x ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner + else + echo "sysdig-cli-scanner latest version already downloaded" + fi - name: Scan vote image with Sysdig run: | - sysdig-cli scan ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest + ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ + --apiurl ${SYSDIG_SECURE_ENDPOINT} \ + ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \ + --console-log \ + --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ + --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ ||true env: SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} From 1881e25272271b8fe2ac811b464a1513468d4db1 Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Tue, 30 Jul 2024 16:25:39 -0700 Subject: [PATCH 07/26] Update ci.yaml more fixes --- .github/workflows/ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
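Review bot: The `Download sysdig-cli-scanner if needed` step fetches whatever `latest_version.txt` currently names, `chmod +x`es it and later runs it with the Sysdig API token in its environment, with no checksum or signature check on the downloaded binary; and because that executable is then stored with `actions/cache` under the prefix `restore-keys: ${{ runner.os }}-cache-`, any cache entry matching the prefix is restored and executed without being re-validated. Pin the scanner version in the workflow and verify the download against a published checksum before `chmod +x`, and consider caching only the vulnerability data (`cache/db/`, `cache/scanner-cache/`) rather than the binary itself. The `||true` appended to the scan command means a scanner failure or policy violation never fails the job, so at this commit the scan is informational only. The same download and cache steps are duplicated verbatim in the new `iac-scan.yaml` workflow (`Create iac-scan.yaml`), so any fix here needs to be mirrored there or factored into a shared composite action.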
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 7b529ac66e..08a80f38b5 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -63,6 +63,8 @@ jobs: fi - name: Scan vote image with Sysdig + env: + SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ --apiurl ${SYSDIG_SECURE_ENDPOINT} \ @@ -70,8 +72,6 @@ jobs: --console-log \ --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ ||true - env: - SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} - name: Scan worker image with Sysdig run: | From c2dbf8c2fb77587a1be958d28259ed4675ce3482 Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Tue, 30 Jul 2024 16:32:03 -0700 Subject: [PATCH 08/26] Update ci.yaml test --- .github/workflows/ci.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 08a80f38b5..918ee4e7a6 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -68,10 +68,7 @@ jobs: run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ --apiurl ${SYSDIG_SECURE_ENDPOINT} \ - ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \ - --console-log \ - --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ - --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ ||true + ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest - name: Scan worker image with Sysdig run: | From 62fe9bb6bbc108e662d8dbee614f91de29e46e50 Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Tue, 30 Jul 2024 16:38:20 -0700 Subject: [PATCH 09/26] Update ci.yaml Secure api token --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 918ee4e7a6..a790ab31a4 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -64,7 +64,7 @@ jobs: - name: Scan vote image with Sysdig env: - SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} + SECURE_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ --apiurl ${SYSDIG_SECURE_ENDPOINT} \ From ecdcc7900572b73af64ab94551ee133a814d9ef8 Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Tue, 30 Jul 2024 16:42:00 -0700 Subject: [PATCH 10/26] Update ci.yaml setting up db --- .github/workflows/ci.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a790ab31a4..493162c3f3 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -68,7 +68,10 @@ jobs: run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ --apiurl ${SYSDIG_SECURE_ENDPOINT} \ - ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest + ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \ + --console-log \ + --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ + --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ - name: Scan worker image with Sysdig run: | From 632dbe914501880c87cf83510bba94a43233df1a Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 11:40:01 -0700 Subject: [PATCH 11/26] Update ci.yaml fixed Endpoint for --apiurl cli param --- .github/workflows/ci.yaml | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 493162c3f3..7df1827ac8 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,5 +1,5 @@ env: - SYSDIG_SECURE_ENDPOINT: "https://secure.sysdig.com" + SYSDIG_SECURE_ENDPOINT: "https://app.us4.sysdig.com/secure" name: CIWF 
@@ -74,13 +74,23 @@ jobs: --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ - name: Scan worker image with Sysdig - run: | - sysdig-cli scan ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest env: - SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} + SECURE_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} + run: | + ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ + --apiurl ${SYSDIG_SECURE_ENDPOINT} \ + ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest \ + --console-log \ + --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ + --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ - name: Scan result image with Sysdig - run: | - sysdig-cli scan ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest env: - SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} + SECURE_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} + run: | + ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ + --apiurl ${SYSDIG_SECURE_ENDPOINT} \ + ${{ secrets.DOCKER_USERNAME }}/voting-app-results:latest \ + --console-log \ + --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ + --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ From 5fd9009f4e3a19f2b1555a79acddc2b4bba34fd4 Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 12:22:25 -0700 Subject: [PATCH 12/26] Update ci.yaml registry host --- .github/workflows/ci.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 7df1827ac8..76a8f407c2 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,5 +1,6 @@ env: SYSDIG_SECURE_ENDPOINT: "https://app.us4.sysdig.com/secure" + REGISTRY_HOST: "https://hub.docker.com" name: CIWF 
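Review bot: The result scan targets `${{ secrets.DOCKER_USERNAME }}/voting-app-results:latest`, but the image built and pushed earlier in this workflow is `voting-app-result:latest` (singular), so this step points at an image that does not exist and the result image is never scanned. Change the reference to `voting-app-result:latest` to match the build and push steps. The three scan steps are otherwise identical apart from the image name; a `strategy.matrix` over the three image names would make this kind of drift impossible.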
@@ -68,7 +69,7 @@ jobs: run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ --apiurl ${SYSDIG_SECURE_ENDPOINT} \ - ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \ + ${REGISTRY_HOST}/${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \ --console-log \ --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ From df9ac7f50aac9990628858d915be0f6a0137adcc Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 12:32:31 -0700 Subject: [PATCH 13/26] Update ci.yaml --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 76a8f407c2..b9a7012453 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -69,7 +69,7 @@ jobs: run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ --apiurl ${SYSDIG_SECURE_ENDPOINT} \ - ${REGISTRY_HOST}/${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \ + docker://${REGISTRY_HOST}/${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \ --console-log \ --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ From 8fbc808ab7cc6f54a3fe191da42b84ff2804bd61 Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 12:35:39 -0700 Subject: [PATCH 14/26] Update ci.yaml --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b9a7012453..6edd4c7301 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,6 +1,6 @@ env: SYSDIG_SECURE_ENDPOINT: "https://app.us4.sysdig.com/secure" - REGISTRY_HOST: "https://hub.docker.com" + REGISTRY_HOST: "https://hub.docker.com/r" name: CIWF From 6b32749597f49da3a30cdeeb9421fb3d4b1042bc Mon Sep 17 00:00:00 2001 
From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 12:37:30 -0700 Subject: [PATCH 15/26] Update ci.yaml --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6edd4c7301..6c9d6283d9 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -69,7 +69,7 @@ jobs: run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ --apiurl ${SYSDIG_SECURE_ENDPOINT} \ - docker://${REGISTRY_HOST}/${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \ + ${REGISTRY_HOST}/${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \ --console-log \ --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ From 6f0252d066515a143d769d01f3927a92ce9238a8 Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 12:46:07 -0700 Subject: [PATCH 16/26] Update ci.yaml --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6c9d6283d9..f12605c590 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -69,7 +69,7 @@ jobs: run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ --apiurl ${SYSDIG_SECURE_ENDPOINT} \ - ${REGISTRY_HOST}/${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \ + docker://${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \ --console-log \ --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ From 9a206a8fc101b31f1c7e230ee016b14c3a4f8140 Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 12:48:05 -0700 Subject: [PATCH 17/26] Update ci.yaml --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f12605c590..e5bdd8c51b 100644 
--- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -27,7 +27,7 @@ jobs: run: echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin - name: Build vote image - run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest ./vote + run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest . - name: Build worker image run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest ./worker From 62627b7128a09499dc1018b00041486287695de5 Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 13:01:13 -0700 Subject: [PATCH 18/26] Update ci.yaml tests --- .github/workflows/ci.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e5bdd8c51b..47b6c4c921 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -27,7 +27,7 @@ jobs: run: echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin - name: Build vote image - run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest . + run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest ./vote - name: Build worker image run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest ./worker @@ -35,15 +35,6 @@ jobs: - name: Build result image run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest ./result - - name: Push vote image - run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest - - - name: Push worker image - run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest - - - name: Push result image - run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest - - name: Setup cache uses: actions/cache@v3 with: 
@@ -95,3 +86,12 @@ jobs: --console-log \ --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ + + - name: Push vote image + run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest + + - name: Push worker image + run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest + + - name: Push result image + run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest From 7a458bb7520471e106967adf7f00442ceba2d2e1 Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 13:45:56 -0700 Subject: [PATCH 19/26] Update ci.yaml docker.io --- .github/workflows/ci.yaml | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 47b6c4c921..c07e076d1a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,6 +1,6 @@ env: SYSDIG_SECURE_ENDPOINT: "https://app.us4.sysdig.com/secure" - REGISTRY_HOST: "https://hub.docker.com/r" + REGISTRY_HOST: "docker.io" name: CIWF @@ -35,6 +35,15 @@ jobs: - name: Build result image run: docker build -t ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest ./result + - name: Push vote image + run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest + + - name: Push worker image + run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest + + - name: Push result image + run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest + - name: Setup cache uses: actions/cache@v3 with: @@ -60,7 +69,7 @@ jobs: run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ --apiurl ${SYSDIG_SECURE_ENDPOINT} \ - docker://${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \ + docker://${REGISTRY_HOST}/${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest \ --console-log \ --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ 
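Review bot: This commit moves the three `docker push` steps back above `Setup cache` and the scan steps (the hunk at the end of the file removes the copies the previous commit, `Update ci.yaml tests`, had placed after the scans), so all three `:latest` tags are published to `docker.io` before the scanner runs and a failing scan can no longer prevent the push. Keep the push steps after the scans so a non-zero scanner exit blocks publication. Only the vote scan is changed to `docker://${REGISTRY_HOST}/...`; the worker and result scans still use the bare `${{ secrets.DOCKER_USERNAME }}/...` reference, so the three steps no longer resolve their image the same way — apply one form to all three.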
@@ -87,11 +96,4 @@ jobs: --dbpath=${GITHUB_WORKSPACE}/cache/db/ \ --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/ - - name: Push vote image - run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-vote:latest - - - name: Push worker image - run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-worker:latest - - name: Push result image - run: docker push ${{ secrets.DOCKER_USERNAME }}/voting-app-result:latest From 00887b2a09db41bbfac35a90b33e2cf29f47735b Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 16:20:19 -0700 Subject: [PATCH 20/26] Create iac-scan.yaml --- .github/workflows/iac-scan.yaml | 47 +++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 .github/workflows/iac-scan.yaml diff --git a/.github/workflows/iac-scan.yaml b/.github/workflows/iac-scan.yaml new file mode 100644 index 0000000000..7933d6aaae --- /dev/null +++ b/.github/workflows/iac-scan.yaml 
@@ -0,0 +1,47 @@ +env: + SYSDIG_SECURE_ENDPOINT: "https://app.us4.sysdig.com/secure" + +name: IaC Scan + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + scan-iac: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Setup cache + uses: actions/cache@v3 + with: + path: cache + key: ${{ runner.os }}-cache-${{ hashFiles('**/sysdig-cli-scanner', '**/latest_version.txt', '**/db/main.db.meta.json', '**/scanner-cache/inlineScannerCache.db') }} + restore-keys: ${{ runner.os }}-cache- + + - name: Download sysdig-cli-scanner if needed + run: | + curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt + mkdir -p ${GITHUB_WORKSPACE}/cache/db/ + if [ ! -f ${GITHUB_WORKSPACE}/cache/latest_version.txt ] || [ $(cat ./latest_version.txt) != $(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt) ]; then + cp ./latest_version.txt ${GITHUB_WORKSPACE}/cache/latest_version.txt + curl -sL -o ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner" + chmod +x ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner + else + echo "sysdig-cli-scanner latest version already downloaded" + fi + + - name: Scan IaC with Sysdig CLI + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} + run: | + ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ + --apiurl ${SYSDIG_SECURE_ENDPOINT} -r -f H \ + /home/user/vote From b649c5b1a166f7f74617fe3a6cdaa559e02b5b6d Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 16:24:43 -0700 Subject: [PATCH 21/26] Update iac-scan.yaml add iac --- .github/workflows/iac-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/iac-scan.yaml b/.github/workflows/iac-scan.yaml index 7933d6aaae..a03574f722 100644 --- a/.github/workflows/iac-scan.yaml 
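Review bot: The scan target `/home/user/vote` is an absolute path from a developer machine, not a path on the `ubuntu-latest` runner, where the checkout lives under `${GITHUB_WORKSPACE}`; use a workspace-relative path such as `./vote`, or whichever directory actually holds the manifests to be scanned. There is no top-level `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although it only needs `permissions: contents: read`, and `actions/checkout@v2` is an unpinned, deprecated major. Because the workflow also runs on `pull_request`, a PR opened from a fork will not receive `secrets.SYSDIG_API_TOKEN` and the scan step will fail for that reason rather than for a finding; decide whether fork PRs should run this job at all.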
+++ b/.github/workflows/iac-scan.yaml @@ -43,5 +43,5 @@ jobs: SECURE_API_TOKEN: ${{ secrets.SYSDIG_API_TOKEN }} run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ - --apiurl ${SYSDIG_SECURE_ENDPOINT} -r -f H \ + --apiurl ${SYSDIG_SECURE_ENDPOINT} --iac -r -f H \ /home/user/vote From 544516ff1138ab1afb5b03897f41e2ae34b70e2d Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 16:27:33 -0700 Subject: [PATCH 22/26] Update iac-scan.yaml path --- .github/workflows/iac-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/iac-scan.yaml b/.github/workflows/iac-scan.yaml index a03574f722..8d6c13d0ee 100644 --- a/.github/workflows/iac-scan.yaml +++ b/.github/workflows/iac-scan.yaml @@ -44,4 +44,4 @@ jobs: run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ --apiurl ${SYSDIG_SECURE_ENDPOINT} --iac -r -f H \ - /home/user/vote + /home/user/example-voting-app/vote From 0293e9c539231b3325cffc84a096191116f42845 Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 16:29:05 -0700 Subject: [PATCH 23/26] Update iac-scan.yaml path --- .github/workflows/iac-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/iac-scan.yaml b/.github/workflows/iac-scan.yaml index 8d6c13d0ee..048ceaf09f 100644 --- a/.github/workflows/iac-scan.yaml +++ b/.github/workflows/iac-scan.yaml @@ -44,4 +44,4 @@ jobs: run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ --apiurl ${SYSDIG_SECURE_ENDPOINT} --iac -r -f H \ - /home/user/example-voting-app/vote + /home/user/hesterch/example-voting-app/vote From 3cb58bc663a160ded751a120a6f2bf28cd471123 Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 16:43:49 -0700 Subject: [PATCH 24/26] Update iac-scan.yaml path --- .github/workflows/iac-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/iac-scan.yaml b/.github/workflows/iac-scan.yaml index 048ceaf09f..6e103d3e08 100644 --- a/.github/workflows/iac-scan.yaml +++ b/.github/workflows/iac-scan.yaml @@ -44,4 +44,4 @@ jobs: run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ --apiurl ${SYSDIG_SECURE_ENDPOINT} --iac -r -f H \ - /home/user/hesterch/example-voting-app/vote + ../../vote From 05af4ba73ce7be737008ac7d73ea65178d05b695 Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 16:46:24 -0700 Subject: [PATCH 25/26] Update iac-scan.yaml --- .github/workflows/iac-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/iac-scan.yaml b/.github/workflows/iac-scan.yaml index 6e103d3e08..32180ebe42 100644 --- a/.github/workflows/iac-scan.yaml +++ b/.github/workflows/iac-scan.yaml @@ -44,4 +44,4 @@ jobs: run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ --apiurl ${SYSDIG_SECURE_ENDPOINT} --iac -r -f H \ - ../../vote + ./vote From 78cc2b9d13bb1cc4149f6934fa1d918c7b67cb7b Mon Sep 17 00:00:00 2001 From: Chris H <92892352+hesterch@users.noreply.github.com> Date: Wed, 31 Jul 2024 16:49:56 -0700 Subject: [PATCH 26/26] Update iac-scan.yaml try K8S folder (err) --- .github/workflows/iac-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/iac-scan.yaml b/.github/workflows/iac-scan.yaml index 32180ebe42..f177eb1b42 100644 --- a/.github/workflows/iac-scan.yaml +++ b/.github/workflows/iac-scan.yaml @@ -44,4 +44,4 @@ jobs: run: | ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \ --apiurl ${SYSDIG_SECURE_ENDPOINT} --iac -r -f H \ - ./vote + ./k8s-specifications