1 | | -name: Build & Scan Containers |
| 1 | +name: Build & Scan with Sysdig (Docker Hub) |
2 | 2 |
|
3 | 3 | on: |
4 | 4 | push: |
5 | | - branches: |
6 | | - - main |
| 5 | + branches: [ main ] |
7 | 6 | pull_request: |
8 | | - branches: |
9 | | - - main |
| 7 | + branches: [ main ] |
10 | 8 |
|
11 | 9 | permissions: |
12 | 10 | contents: read |
13 | | - security-events: write # if need to upload SARIF or similar |
14 | 11 |
|
15 | 12 | jobs: |
16 | 13 | build-and-scan: |
17 | 14 | runs-on: ubuntu-latest |
| 15 | + |
18 | 16 | env: |
19 | | - REGISTRY_HOST: ghcr.io |
20 | | - REGISTRY_NAMESPACE: myorg # change to your org/user |
21 | | - VOTE_IMAGE: ${{ env.REGISTRY_HOST }}/${{ env.REGISTRY_NAMESPACE }}/vote:latest |
22 | | - WORKER_IMAGE: ${{ env.REGISTRY_HOST }}/${{ env.REGISTRY_NAMESPACE }}/worker:latest |
23 | | - RESULT_IMAGE: ${{ env.REGISTRY_HOST }}/${{ env.REGISTRY_NAMESPACE }}/result:latest |
| 17 | + REGISTRY: docker.io |
| 18 | + REPO: ${{ secrets.REGISTRY_USER }} |
| 19 | + SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }} |
| 20 | + SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} |
24 | 21 |
|
25 | 22 | steps: |
26 | | - - name: Checkout code |
27 | | - uses: actions/checkout@v5 |
| 23 | + - name: Checkout source |
| 24 | + uses: actions/checkout@v4 |
28 | 25 |
|
29 | 26 | - name: Set up Docker Buildx |
30 | | - uses: docker/setup-buildx-action@v2 |
| 27 | + uses: docker/setup-buildx-action@v3 |
31 | 28 |
|
32 | | - # Build vote |
33 | | - - name: Build vote image |
34 | | - uses: docker/build-push-action@v4 |
| 29 | + - name: Log in to Docker Hub |
| 30 | + uses: docker/login-action@v3 |
35 | 31 | with: |
36 | | - context: ./vote |
37 | | - file: ./vote/Dockerfile |
38 | | - tags: ${{ env.VOTE_IMAGE }} |
39 | | - push: false |
40 | | - load: true |
| 32 | + username: ${{ secrets.REGISTRY_USER }} |
| 33 | + password: ${{ secrets.REGISTRY_TOKEN }} |
| 34 | + |
| 35 | + # --- Build Containers --- |
| 36 | + - name: Build vote image |
| 37 | + run: docker build -t $REGISTRY/$REPO/vote:latest ./vote |
41 | 38 |
|
42 | | - # Build worker |
43 | 39 | - name: Build worker image |
44 | | - uses: docker/build-push-action@v4 |
45 | | - with: |
46 | | - context: ./worker |
47 | | - file: ./worker/Dockerfile |
48 | | - tags: ${{ env.WORKER_IMAGE }} |
49 | | - push: false |
50 | | - load: true |
| 40 | + run: docker build -t $REGISTRY/$REPO/worker:latest ./worker |
51 | 41 |
|
52 | | - # Build result |
53 | 42 | - name: Build result image |
54 | | - uses: docker/build-push-action@v4 |
55 | | - with: |
56 | | - context: ./result |
57 | | - file: ./result/Dockerfile |
58 | | - tags: ${{ env.RESULT_IMAGE }} |
59 | | - push: false |
60 | | - load: true |
| 43 | + run: docker build -t $REGISTRY/$REPO/result:latest ./result |
61 | 44 |
|
62 | | - # Run scan for vote |
| 45 | + # --- Install Sysdig Scanner --- |
| 46 | + - name: Install Sysdig CLI Scanner |
| 47 | + run: | |
| 48 | + curl -LO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 |
| 49 | + chmod +x sysdig-cli-scanner-linux-amd64 |
| 50 | + sudo mv sysdig-cli-scanner-linux-amd64 /usr/local/bin/sysdig-cli-scanner |
| 51 | + sysdig-cli-scanner --version |
| 52 | +
|
| 53 | + # --- Scan images --- |
63 | 54 | - name: Scan vote image |
64 | 55 | run: | |
65 | | - ./your-cli-scanner image ${{ env.VOTE_IMAGE }} --fail-on-findings |
66 | | - # optionally env vars, secrets, etc |
| 56 | + sysdig-cli-scanner --apiurl $SYSDIG_SECURE_URL --token $SYSDIG_SECURE_TOKEN $REGISTRY/$REPO/vote:latest |
67 | 57 |
|
68 | | - # Run scan for worker |
69 | 58 | - name: Scan worker image |
70 | 59 | run: | |
71 | | - ./your-cli-scanner image ${{ env.WORKER_IMAGE }} --fail-on-findings |
| 60 | + sysdig-cli-scanner --apiurl $SYSDIG_SECURE_URL --token $SYSDIG_SECURE_TOKEN $REGISTRY/$REPO/worker:latest |
72 | 61 |
|
73 | | - # Run scan for result |
74 | 62 | - name: Scan result image |
75 | 63 | run: | |
76 | | - ./your-cli-scanner image ${{ env.RESULT_IMAGE }} --fail-on-findings |
77 | | -
|
78 | | - # (Optional) push images if scans passed |
79 | | - - name: Login to registry |
80 | | - uses: docker/login-action@v2 |
81 | | - with: |
82 | | - registry: ${{ env.REGISTRY_HOST }} |
83 | | - username: ${{ secrets.REGISTRY_USER }} |
84 | | - password: ${{ secrets.REGISTRY_TOKEN }} |
| 64 | + sysdig-cli-scanner --apiurl $SYSDIG_SECURE_URL --token $SYSDIG_SECURE_TOKEN $REGISTRY/$REPO/result:latest |
85 | 65 |
|
| 66 | + # --- Optional: Push images to Docker Hub (only if scans passed) --- |
86 | 67 | - name: Push vote image |
87 | | - uses: docker/build-push-action@v4 |
88 | | - with: |
89 | | - context: ./vote |
90 | | - file: ./vote/Dockerfile |
91 | | - tags: ${{ env.VOTE_IMAGE }} |
92 | | - push: true |
93 | | - load: false |
| 68 | + run: docker push $REGISTRY/$REPO/vote:latest |
94 | 69 |
|
95 | 70 | - name: Push worker image |
96 | | - uses: docker/build-push-action@v4 |
97 | | - with: |
98 | | - context: ./worker |
99 | | - file: ./worker/Dockerfile |
100 | | - tags: ${{ env.WORKER_IMAGE }} |
101 | | - push: true |
102 | | - load: false |
| 71 | + run: docker push $REGISTRY/$REPO/worker:latest |
103 | 72 |
|
104 | 73 | - name: Push result image |
105 | | - uses: docker/build-push-action@v4 |
106 | | - with: |
107 | | - context: ./result |
108 | | - file: ./result/Dockerfile |
109 | | - tags: ${{ env.RESULT_IMAGE }} |
110 | | - push: true |
111 | | - load: false |
| 74 | + run: docker push $REGISTRY/$REPO/result:latest |
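Review bot: The install step on new lines 48–50 downloads an unpinned `latest` scanner binary with curl, performs no checksum verification, and then moves it into `/usr/local/bin` with `sudo`, so whoever controls that download path runs code in a job that holds `SYSDIG_SECURE_TOKEN` and the Docker Hub credentials; pin a release and verify the vendor-published sha256 before `chmod +x`. The scan steps (new lines 56, 60, 64) also pass the token on the command line as `--token $SYSDIG_SECURE_TOKEN`, where it is visible to anything that can read the process table on the runner — the scanner can take it from an environment variable instead (`SECURE_API_TOKEN`, as far as I recall; confirm against the Sysdig docs), which keeps it out of argv. The push steps on new lines 68–74 have no `if:` and so run on every trigger including `pull_request`, meaning an in-repo PR build overwrites `:latest` on Docker Hub before review; gate them with `if: github.event_name == 'push'` and consider also tagging `${{ github.sha }}` so a deployed image is traceable. Note that the old `--fail-on-findings` flag was dropped, so "only if scans passed" now rests entirely on the scanner's default exit code being non-zero for a policy failure — worth confirming rather than assuming.
```yaml
      - name: Install Sysdig CLI Scanner
        env:
          # sha256 of the pinned release, taken from the vendor's published checksum
          SCANNER_SHA256: "<expected sha256>"
        run: |
          set -euo pipefail
          curl -fsSL -o sysdig-cli-scanner "https://download.sysdig.com/scanning/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64"
          echo "${SCANNER_SHA256}  sysdig-cli-scanner" | sha256sum -c -
          chmod +x sysdig-cli-scanner
          sudo mv sysdig-cli-scanner /usr/local/bin/sysdig-cli-scanner
          sysdig-cli-scanner --version

      # … unchanged: build steps …

      - name: Scan vote image
        env:
          SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}
        run: sysdig-cli-scanner --apiurl "$SYSDIG_SECURE_URL" "$REGISTRY/$REPO/vote:latest"

      # … unchanged: worker and result scans, same shape …

      - name: Push vote image
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: docker push "$REGISTRY/$REPO/vote:latest"
```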