
Update and rename image.yaml to container_image.yaml #50

Merged (1 commit), Oct 22, 2024

Conversation


@venkatamutyala venkatamutyala commented Oct 2, 2024

PR Type

enhancement, configuration changes


Description

  • Added a new GitHub Actions workflow (container_image.yaml) to automate the publishing of Docker images to GHCR.io.
  • Configured the workflow to set up QEMU, Docker buildx, and log into the registry.
  • Included steps to extract Docker metadata and build/push Docker images with caching.
  • Removed the outdated workflow (image.yaml) for building and pushing Docker images.

Changes walkthrough 📝

Relevant files

Enhancement
  container_image.yaml (.github/workflows/container_image.yaml), +56/-0
  Add GitHub Actions workflow for Docker image publishing
    • Added a new GitHub Actions workflow to publish Docker images to GHCR.io.
    • Configured environment variables for registry and image name.
    • Included steps for setting up QEMU, Docker buildx, and logging into the registry.
    • Added steps to extract Docker metadata and build/push Docker images.

Configuration changes
  image.yaml (.github/workflows/image.yaml), +0/-10
  Remove outdated Docker image workflow
    • Removed the old GitHub Actions workflow for building and pushing Docker images.

    💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information


    sonarqubecloud bot commented Oct 2, 2024


    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 No relevant tests
    🔒 Security concerns

    Potential security risk:
    The workflow is configured to run on every push (line 3), which could potentially be exploited for denial of service attacks or to consume excessive GitHub Actions minutes. Consider limiting the workflow to specific branches or events to mitigate this risk. Additionally, the workflow is pushing images on every non-pull request event (line 51), which might lead to unintended image publications. It's recommended to add more specific conditions for when to push images, such as only on pushes to the main branch or on release events.

    ⚡ Recommended focus areas for review

    Security Concern
    The workflow is triggered on every push, which might lead to unnecessary builds and potential abuse.

    Best Practice
    The push step is not conditional, potentially pushing images on pull requests which is usually not desired.


    PR Code Suggestions ✨

    Explore these optional code suggestions:

    Category | Suggestion | Score
    Security
    Add a vulnerability scanning step before pushing the Docker image

    Add a step to scan the Docker image for vulnerabilities before pushing it to the
    registry. This can be done using tools like Trivy or Snyk. This step will help
    ensure that the image being pushed doesn't contain known vulnerabilities.

    .github/workflows/container_image.yaml [46-56]

    -- name: Build and push Docker image
    -  id: build-and-push
    +- name: Build Docker image
    +  id: build
       uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
       with:
         context: .
    -    push: ${{ github.event_name != 'pull_request' }}
    +    push: false
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         provenance: false
         cache-from: type=gha
         cache-to: type=gha,mode=max
     
    +- name: Scan image for vulnerabilities
    +  uses: aquasecurity/trivy-action@master
    +  with:
    +    image-ref: ${{ steps.meta.outputs.tags }}
    +    format: 'table'
    +    exit-code: '1'
    +    ignore-unfixed: true
    +    vuln-type: 'os,library'
    +    severity: 'CRITICAL,HIGH'
    +
    +- name: Push Docker image
    +  if: success() && github.event_name != 'pull_request'
    +  uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
    +  with:
    +    context: .
    +    push: true
    +    tags: ${{ steps.meta.outputs.tags }}
    +    labels: ${{ steps.meta.outputs.labels }}
    +
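    Review bot: the scan step cannot find the image as written. With `push: false` and no `load: true`, the buildx container driver leaves nothing in the local Docker daemon for Trivy to inspect, and `image-ref: ${{ steps.meta.outputs.tags }}` hands over the whole multi-line tag list from the metadata step where a single reference is expected; add `load: true` to the build step and scan one tag. Two further points: `aquasecurity/trivy-action@master` is a mutable ref in a workflow that otherwise pins actions to commit SHAs (see the two `docker/build-push-action@ca052bb...` lines), and the new push step drops `provenance: false`, `cache-from` and `cache-to`, so it rebuilds without the GHA cache and with different provenance settings from the image that was scanned.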
    Suggestion importance[1-10]: 9

    Why: Adding a vulnerability scanning step is a significant security enhancement, ensuring that only secure images are pushed to the registry, thus preventing potential security risks.

    Score: 9
    Enable Docker content trust to ensure only signed images are pushed

    Enable Docker content trust by setting DOCKER_CONTENT_TRUST=1 in the environment.
    This ensures that only signed images are pushed to the registry, enhancing the
    security and integrity of your container images.

    .github/workflows/container_image.yaml [5-7]

     env:
       REGISTRY: ghcr.io
       IMAGE_NAME: ${{ github.repository }}
    +  DOCKER_CONTENT_TRUST: 1
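    Review bot: this line will not cause any image to be signed. `DOCKER_CONTENT_TRUST` is honoured only by the `docker` CLI's own push and pull commands; `docker/build-push-action` pushes through BuildKit, which ignores it, and the workflow provisions no Notary signing key for a signature to be produced with. If signing is the goal it has to be a separate step after the push using a tool that signs registry images; as an env entry here it is a no-op that merely reads as if the images were trusted.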
    Suggestion importance[1-10]: 8

    Why: Enabling Docker content trust enhances security by ensuring that only signed images are pushed, which helps maintain the integrity and authenticity of the images.

    Score: 8
    Add a step to verify the integrity of the workflow file

    Add a step to verify the integrity of the workflow file itself. This can be done by
    calculating and checking the hash of the workflow file against a known good value.
    This helps prevent unauthorized modifications to the workflow.

    .github/workflows/container_image.yaml [16-18]

     steps:
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
     
    +  - name: Verify workflow integrity
    +    run: |
    +      WORKFLOW_HASH=$(sha256sum .github/workflows/container_image.yaml | cut -d ' ' -f 1)
    +      EXPECTED_HASH="<known_good_hash_value>"
    +      if [ "$WORKFLOW_HASH" != "$EXPECTED_HASH" ]; then
    +        echo "Workflow file integrity check failed"
    +        exit 1
    +      fi
    +
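    Review bot: the check is circular and protects nothing. `EXPECTED_HASH` is stored in the very file being hashed, so the constant must change with every edit to `container_image.yaml` (including edits to the hash line itself), and anyone able to alter the workflow can update the constant in the same commit. Drop the step; tamper resistance for `.github/workflows/` comes from branch protection with required reviews and a CODEOWNERS entry for that path, which a runner cannot enforce on itself.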
    Suggestion importance[1-10]: 7

    Why: Verifying the integrity of the workflow file adds an extra layer of security by ensuring that the workflow has not been tampered with, although it requires maintaining a known good hash value.

    Score: 7
    Best practice
    Refine the workflow trigger conditions to run only on specific events

    Consider adding a condition to the 'on' trigger to limit when this workflow runs.
    For example, you might want to run this workflow only on pushes to specific branches
    or when tags are created. This can help reduce unnecessary workflow runs and save on
    GitHub Actions minutes.

    .github/workflows/container_image.yaml [3]

    -on: [push]
    +on:
    +  push:
    +    branches: [main, develop]
    +  tags:
    +    - 'v*'
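    Review bot: `tags:` is placed at the `on:` level as a sibling of `push:`, but `tags` is not an event name; it belongs under `push:` next to `branches:`, otherwise the workflow fails validation and the tag filter never applies. Note also that neither the original `on: [push]` nor this suggestion includes `pull_request`, so the `github.event_name != 'pull_request'` condition on the push step (suggestion 1 above) can never be false; if PR builds are wanted, `pull_request:` has to be added to the trigger list.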
    Suggestion importance[1-10]: 8

    Why: This suggestion improves the workflow efficiency by limiting its execution to specific branches and tags, which can save GitHub Actions minutes and reduce unnecessary runs.

    Score: 8


    @venkatamutyala venkatamutyala merged commit f84b17c into main Oct 22, 2024
    4 of 5 checks passed
    @venkatamutyala venkatamutyala deleted the venkatamutyala-patch-1 branch October 22, 2024 17:07