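---
# Manually triggered pipeline: checks out the repository, produces a signed
# SBOM of the repo clone, builds the Docker image from ./Dockerfile, produces a
# signed SBOM and SLSA provenance for that image through the Scribe actions,
# and finally smoke-tests the running container.
name: Docker Image CI with provenance

env:
  APP_NAME: MacGithub
  # Quoted so a future two-component version (e.g. "1.3") is not read as a float.
  PRODUCT_VERSION: "1.2.6"

# Manual trigger only; nothing here runs on push or pull_request.
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    # Least-privilege job token: read-only checkout plus an OIDC token. The
    # OIDC token is presumably consumed by the Scribe actions for signing the
    # attestations -- confirm against their documentation.
    permissions:
      contents: read
      id-token: write
    steps:
      # NOTE(security): the scribe-security actions below are referenced by the
      # mutable `master` branch while they receive SCRIBE_CLIENT_TOKEN and the
      # job's OIDC token. Pin them (and actions/checkout) to a full commit SHA,
      # e.g. `scribe-security/action-bom@<commit-sha>`, and review before bumping.
      - uses: actions/checkout@v3
        with:
          # Full history; presumably needed by the `commits` component of the
          # repo SBOM step below -- confirm.
          fetch-depth: 0

      - name: Generate signed SBOM for repo content clone
        uses: scribe-security/action-bom@master
        with:
          target: 'git:.'
          scribe-enable: true
          product-key: ${{ env.APP_NAME }}
          # Author's idea: suffix the version with the run number. The name used in
          # the original comment, GITHUB_RUN_NUM, is not a default GitHub variable;
          # the equivalents are GITHUB_RUN_NUMBER / ${{ github.run_number }}.
          product-version: ${{ env.PRODUCT_VERSION }}
          scribe-client-secret: ${{ secrets.SCRIBE_CLIENT_TOKEN }}
          components: commits,packages,files,dep
          format: attest
          config: .valint.yaml
          verbose: 2

      - name: Build the Docker image
        # Tag carries the run number so each run's image is distinguishable.
        run: docker build . --file Dockerfile --tag buildimage:${{github.run_number}}

      - name: Generate signed SBOM for docker image
        uses: scribe-security/action-bom@master
        with:
          target: 'buildimage:${{github.run_number}}'
          scribe-enable: true
          product-key: ${{ env.APP_NAME }}
          # See the repo SBOM step above regarding a run-number suffix.
          product-version: ${{ env.PRODUCT_VERSION }}
          scribe-client-secret: ${{ secrets.SCRIBE_CLIENT_TOKEN }}
          format: attest
          config: .valint.yaml
          verbose: 2

      - name: Generate SLSA provenance docker image
        uses: scribe-security/action-slsa@master
        with:
          target: 'buildimage:${{github.run_number}}'
          scribe-enable: true
          product-key: ${{ env.APP_NAME }}
          # See the repo SBOM step above regarding a run-number suffix.
          product-version: ${{ env.PRODUCT_VERSION }}
          scribe-client-secret: ${{ secrets.SCRIBE_CLIENT_TOKEN }}
          format: attest
          config: .valint.yaml
          verbose: 2

      - name: Run the Docker image
        # Smoke test. Previously a plain `curl` returned 0 on HTTP 4xx/5xx, so a
        # broken image still passed; `--fail` makes an error status fail the
        # step, and the retry options replace the fixed `sleep 1` race.
        run: |
          docker run --rm --name web -p 8080:8080 -d "buildimage:${{github.run_number}}"
          # Always stop the container, even when the request below fails.
          trap 'docker stop web' EXIT
          curl --fail --silent --show-error --retry 5 --retry-delay 1 --retry-connrefused http://localhost:8080

      # Disabled Twistlock scan and triage, kept for reference. If re-enabled:
      # drop `-k` (it disables TLS certificate verification while the request
      # carries credentials) and verify the downloaded twistcli binary before
      # executing it under sudo.
      # - name: "Twistlock Vuln/Compliance check"
      #   env:
      #     pc_user: ${{ secrets.PC_USER }}
      #     pc_pass: ${{ secrets.PC_PASS }}
      #     pc_url: ${{ secrets.PC_URL }}
      #   run: |
      #     curl -k -u "${pc_user}:${pc_pass}" --output twistcli "${pc_url}/api/v1/util/twistcli"
      #     chmod a+x twistcli
      #     sudo ./twistcli images scan --address "${pc_url}" -u "${pc_user}" -p "${pc_pass}" "buildimage:${{github.run_number}}" --details
      # - name: "Triage vulnerabilities"
      #   run: |
      #     ./getPrismaData.sh
      #     ./triage.sh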