Changed to run actions on all branches #21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Container Security Lab | |
| on: | |
| push: | |
| branches: | |
| - '*' | |
| pull_request: | |
| env: | |
| IMAGE_NAME: ${{ github.event.repository.name }} | |
| VERSION: 'latest' | |
| jobs: | |
| codeql: | |
| name: Run CodeQL SAST | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| - name: Install In-Toto | |
| run: | | |
| pip install in-toto | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: javascript-typescript | |
| - name: Run CodeQL and Record Provenance | |
| run: | | |
| in-toto-run --step "codeql-sast" --materials . --products . --key ${{ secrets.IN_TOTO_KEY }} -- github/codeql-action/autobuild@v3 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:javascript-typescript" | |
| build-push: | |
| name: Build and Push Container Image | |
| runs-on: ubuntu-latest | |
| needs: codeql | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install In-Toto | |
| run: | | |
| pip install in-toto | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to Dockerhub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Build and Publish Container Image and Record Provenance | |
| run: | | |
| in-toto-run --step "build-push" --materials . --products . --key ${{ secrets.IN_TOTO_KEY }} -- docker/build-push-action@v3 | |
| trivy: | |
| name: Run Trivy Scan | |
| runs-on: ubuntu-latest | |
| needs: build-push | |
| steps: | |
| - name: Install In-Toto | |
| run: | | |
| pip install in-toto | |
| - name: Install Trivy | |
| uses: aquasecurity/trivy-action@0.28.0 | |
| with: | |
| image-ref: '${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Record Trivy Scan Provenance | |
| run: | | |
| in-toto-run --step "trivy-scan" --materials . --products . --key ${{ secrets.IN_TOTO_KEY }} -- trivy | |
| sign: | |
| name: Sign Container Image with Cosign | |
| runs-on: ubuntu-latest | |
| needs: trivy | |
| steps: | |
| - name: Login to Dockerhub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Install Cosign and In-Toto | |
| run: | | |
| pip install in-toto | |
| curl -LO https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64 | |
| chmod +x cosign-linux-amd64 | |
| sudo mv cosign-linux-amd64 /usr/local/bin/cosign | |
| - name: Sign Container Image and Record Provenance | |
| run: | | |
| in-toto-run --step "cosign-sign" --materials . --products . --key ${{ secrets.IN_TOTO_KEY }} -- cosign sign --key-env COSIGN_KEY ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} | |
| validate-container: | |
| name: Validate Container Image | |
| runs-on: ubuntu-latest | |
| needs: sign | |
| steps: | |
| - name: Install Cosign and In-Toto | |
| run: | | |
| pip install in-toto | |
| curl -LO https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64 | |
| chmod +x cosign-linux-amd64 | |
| sudo mv cosign-linux-amd64 /usr/local/bin/cosign | |
| - name: Write public key to disk | |
| run: 'echo "$KEY" > cosign.key' | |
| shell: bash | |
| env: | |
| KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} | |
| - name: Verify Signature and Record Provenance | |
| run: | | |
| in-toto-run --step "validate-signature" --materials . --products . --key ${{ secrets.IN_TOTO_KEY }} -- cosign verify --key cosign.key ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} | |
| - uses: anchore/sbom-action@v0 | |
| with: | |
| image: ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} | |
| format: cyclonedx | |
| upload-artifact-retention: 30 | |
| env: | |
| COSIGN_KEY: ${{secrets.COSIGN_PUBLIC_KEY}} | |
| validate-attestation: | |
| name: Validate Attestation | |
| runs-on: ubunut-latest | |
| needs: validate-container | |
| steps: | |
| - name: Install In-Toto | |
| run: | | |
| pip install in-toto | |
| - name: Verify In-Toto Metadata | |
| run: | | |
| in-toto-verify --layout root.layout --layout-key ${{ secrets.IN_TOTO_PUBLIC_KEY }} |