Skip to content

Docker Image CI with provenance #22

Docker Image CI with provenance

Docker Image CI with provenance #22

Workflow file for this run

name: Docker Image CI with provenance
env:
APP_NAME: MacGithub
PRODUCT_VERSION: 1.2.4
on:
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Build the Docker image
run: docker build . --file Dockerfile --tag buildimage:${{github.run_number}}
- name: Generate signed SBOM for repo content clone
uses: scribe-security/action-bom@master
with:
target: 'git:.'
scribe-enable: true
product-key: ${{ env.APP_NAME }}
product-version: ${{env.PRODUCT_VERSION}} #${{env.GITHUB_RUN_NUM}}
scribe-client-secret: ${{ secrets.SCRIBE_CLIENT_TOKEN }}
components: commits,packages,files,dep
format: attest
config: .valint.yaml
verbose: 2
- name: Generate signed SBOM for docker image
uses: scribe-security/action-bom@master
with:
target: 'buildimage:${{github.run_number}}'
scribe-enable: true
product-key: ${{ env.APP_NAME }}
product-version: ${{env.PRODUCT_VERSION}} #${{env.GITHUB_RUN_NUM}}
scribe-client-secret: ${{ secrets.SCRIBE_CLIENT_TOKEN }}
format: attest
config: .valint.yaml
verbose: 2
- name: Generate SLSA provenance docker image
uses: scribe-security/action-slsa@master
with:
target: 'buildimage:${{github.run_number}}'
scribe-enable: true
product-key: ${{ env.APP_NAME }}
product-version: ${{env.PRODUCT_VERSION}} #${{env.GITHUB_RUN_NUM}}
scribe-client-secret: ${{ secrets.SCRIBE_CLIENT_TOKEN }}
format: attest
config: .valint.yaml
verbose: 2
- name: Run the Docker image
run: |
docker run --rm --name web -p 8080:8080 -d "buildimage:${{github.run_number}}"
sleep 1 && curl http://localhost:8080
docker stop web
# - name: "Twistlock Vuln/Compliance check"
# env:
# pc_user: ${{ secrets.PC_USER }}
# pc_pass: ${{ secrets.PC_PASS }}
# pc_url: ${{ secrets.PC_URL }}
# run: |
# curl -k -u "${pc_user}:${pc_pass}" --output twistcli "${pc_url}/api/v1/util/twistcli"
# chmod a+x twistcli
# sudo ./twistcli images scan --address "${pc_url}" -u "${pc_user}" -p "${pc_pass}" "buildimage:${{github.run_number}}" --details
# - name: "Triage vulnerabilities"
# run: |
# ./getPrismaData.sh
# ./triage.sh