chore(deps): update gcr.io/paketo-buildpacks/spring-boot docker tag t… #13139
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Build | |
permissions: {} | |
# Run this workflow every time a new commit pushed to your repository | |
on: # yamllint disable-line rule:truthy | |
- push | |
env: | |
IMAGE_NAME: ghcr.io/${{ github.repository }}:${{ ( github.ref_name == github.event.repository.default_branch ) && 'latest' || format('ci-{0}', github.sha ) }} | |
jobs: | |
build: | |
permissions: | |
packages: write | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
- uses: DavidAnson/markdownlint-cli2-action@eb5ca3ab411449c66620fe7f1b3c9e10547144b0 # v18 | |
with: | |
globs: | | |
**/*.md | |
#**/node_modules | |
#**/.gradle | |
#**/.git | |
- uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3 | |
with: | |
strict: true | |
- run: | | |
# shellcheck shell=sh | |
sudo apt-get install -y git shellcheck | |
sudo curl --fail -Ls "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64" -o /usr/local/bin/yq | |
sudo chmod +x /usr/local/bin/yq | |
git ls-files --exclude='*.sh' --ignored -c -z | xargs -0r shellcheck -P SCRIPTDIR -x | |
git ls-files --exclude='.github/**/*.yml' --ignored -c | while IFS= read -r file; do | |
yq eval '.[] | select(tag=="!!map").[].steps.[].run | select(. != null ) | path | ".[\"" + join("\"].[\"") + "\"]"' "${file}" | while IFS= read -r selector; do | |
set +e | |
script=$(yq eval "${selector}" "${file}") | |
status=$? | |
set -e | |
if [ $status -ne 0 ]; then | |
>&2 printf "\nError getting the contents of the selector %s in the file %s:\n\nThe YAML may be malformed." "${selector}" "${file}" | |
exit 1 | |
fi | |
if ! printf '%s' "${script}" | shellcheck -x -; then | |
>&2 printf "\nError in %s in the script specified in %s:\n%s\n" "${file}" "${selector}" "${script}" | |
exit 1 | |
fi | |
done | |
done | |
- name: Validate Gradle wrapper | |
uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4 | |
- uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4 | |
with: | |
java-version: "21" | |
distribution: "liberica" | |
cache: "gradle" | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4 | |
- name: Build with Gradle | |
run: | | |
# shellcheck shell=sh | |
# gradle's build task will build, assemble, and test the project. | |
./gradlew build bootBuildImage --imageName "${IMAGE_NAME}" --publishImage | |
env: | |
DOCKER_USERNAME: ${{ github.actor }} | |
DOCKER_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
- name: upload build reports | |
if: success() || failure() # always run even if the previous step fails | |
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4 | |
with: | |
name: build-reports | |
path: build/reports/ | |
- name: upload build jar | |
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4 | |
with: | |
name: jar | |
path: build/libs/jumpstart.jar | |
checkov: | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
- name: Checkov GitHub Action | |
uses: bridgecrewio/checkov-action@66419f9444e2736cf7e36b4789a2a39fe93c8b92 # v12 | |
with: | |
directory: . | |
# This will add both a CLI output to the console and create a results.sarif file | |
quiet: true # optional: display only failed checks | |
output_format: cli,sarif | |
output_file_path: console,results.sarif | |
- name: Upload SARIF file | |
uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3 | |
# Results are generated only on a success or failure | |
# this is required since GitHub by default won't run the next step | |
# when the previous one has failed. Security checks that do not pass will 'fail'. | |
# An alternative is to add `continue-on-error: true` to the previous step | |
# Or 'soft_fail: true' to checkov. | |
if: success() || failure() | |
with: | |
sarif_file: results.sarif | |
scap: | |
needs: build | |
permissions: | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
runs-on: ubuntu-latest | |
container: | |
image: alpine:3.21.0@sha256:21dc6063fd678b478f57c0e13f47560d0ea4eeba26dfc947b2a4f81f686b9f45 | |
env: | |
SCAP_SECURITY_GUIDE_VERSION: "0.1.75" | |
MICROSOFT_SARIF_MULTITOOL_VERSION: "4.5.4" | |
MITRE_SAF_VERSION: "1.4.16" | |
SSG_DIR: "ssg" | |
steps: | |
- name: Install prerequisites | |
run: | | |
# shellcheck shell=sh | |
set -eu | |
apk add curl docker jq openscap-docker npm gcompat unzip | |
npm install -g "@microsoft/sarif-multitool@${MICROSOFT_SARIF_MULTITOOL_VERSION}" | |
# Specify the sinon version to use. | |
# Remove sinon from this line when sinon 16.1.2 (or later) is released, or when using MITRE_SAF_VERSION that includes https://github.com/mitre/saf/pull/1919 | |
npm install -g sinon@16.1.0 "@mitre/saf@${MITRE_SAF_VERSION}" | |
mkdir -p "${SSG_DIR}" | |
curl "https://github.com/ComplianceAsCode/content/releases/download/v${SCAP_SECURITY_GUIDE_VERSION}/scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}.zip" -Lso "${SSG_DIR}/ssg.zip" | |
unzip "${SSG_DIR}/ssg.zip" -d "${SSG_DIR}" | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Pull the docker image to scan | |
run: | | |
# shellcheck shell=sh | |
set -eu | |
# oscap-docker requires the image to have been pulled | |
docker pull "${IMAGE_NAME}" | |
- name: Run openscap | |
run: | | |
# shellcheck shell=sh | |
set -eu | |
# extract /etc/os-release | |
container_id=$(docker create "${IMAGE_NAME}") | |
if ! docker export "${container_id}" | tar -tvf - | grep -E '\setc/os-release( ->.*)?$' > /dev/null 2>&1 ; then | |
>&2 echo "The operating system used by ${IMAGE_NAME} could not be detected." | |
>&2 echo "Images that are not based on an operating system (such as distroless images) cannot be scanned by SCAP." | |
exit 1 | |
fi | |
docker cp -L "$container_id:/etc/os-release" . | |
docker rm "$container_id" | |
unset container_id | |
# determine which ssg to use based on /etc/os-release | |
# see https://www.freedesktop.org/software/systemd/man/os-release.html | |
version_id=$(awk -F= '$1=="VERSION_ID" { print $2 ;}' os-release | sed 's/"//g') | |
id=$(awk -F= '$1=="ID" { print $2 ;}' os-release | sed 's/"//g') | |
if [ "${id}" = "ubuntu" ] && echo "${version_id}" | grep -qE '^18\.04(\..*)?$' ; then | |
ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-ubuntu1804-ds.xml" | |
elif [ "${id}" = "ubuntu" ] && echo "${version_id}" | grep -qE '^20\.04(\..*)?$' ; then | |
ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-ubuntu2004-ds.xml" | |
elif [ "${id}" = "ubuntu" ] && echo "${version_id}" | grep -qE '^22\.04(\..*)?$' ; then\ | |
ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-ubuntu2204-ds.xml" | |
elif [ "${id}" = "centos" ] && echo "${version_id}" | grep -qE '^7(\..*)?$' ; then | |
ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-centos7-ds.xml" | |
elif [ "${id}" = "centos" ] && echo "${version_id}" | grep -qE '^8(\..*)?$' ; then | |
ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-centos8-ds.xml" | |
elif [ "${id}" = "ol" ] && echo "${version_id}" | grep -qE '^7(\..*)?$' ; then | |
ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-ol7-ds.xml" | |
elif [ "${id}" = "ol" ] && echo "${version_id}" | grep -qE '^8(\..*)?$' ; then | |
ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-ol8-ds.xml" | |
elif [ "${id}" = "ol" ] && echo "${version_id}" | grep -qE '^9(\..*)?$' ; then | |
ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-ol9-ds.xml" | |
elif [ "${id}" = "rhel" ] && echo "${version_id}" | grep -qE '^7(\..*)?$' ; then | |
ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-rhel7-ds.xml" | |
elif [ "${id}" = "rhel" ] && echo "${version_id}" | grep -qE '^8(\..*)?$' ; then | |
ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-rhel8-ds.xml" | |
elif [ "${id}" = "rhel" ] && echo "${version_id}" | grep -qE '^9(\..*)?$' ; then | |
ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-rhel9-ds.xml" | |
elif [ "${id}" = "sles" ] && echo "${version_id}" | grep -qE '^12(\..*)?$' ; then | |
ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-sle12-ds.xml" | |
elif [ "${id}" = "sles" ] && echo "${version_id}" | grep -qE '^15(\..*)?$' ; then | |
ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-sle15-ds.xml" | |
else | |
>&2 echo "There is no configuration available for ${id} ${version_id}" | |
exit 1 | |
fi | |
# Select the profile to use. The first profile that exists in the ssg is used. | |
for profile in xccdf_org.ssgproject.content_profile_cis_level2_server xccdf_org.ssgproject.content_profile_cis xccdf_org.ssgproject.content_profile_standard; do | |
if oscap info --profiles "${SSG_DIR}/${ssg}" | grep -qF "${profile}:"; then | |
echo "Selected profile: ${profile}" | |
break; | |
fi | |
done | |
set +e | |
oscap-docker image "${IMAGE_NAME}" xccdf eval --verbose ERROR --fetch-remote-resources --profile "${profile}" --results "openscap-report.xml" --report "openscap-report.html" "${SSG_DIR}/${ssg}" | |
OSCAP_EXIT_CODE=$? | |
set -e | |
case "${OSCAP_EXIT_CODE}" in | |
0) | |
echo "All rules passed" | |
;; | |
1) | |
>&2 echo "An error occurred during evaluation" | |
exit 2 | |
;; | |
2) | |
echo "There is at least one rule with either fail or unknown result" | |
;; | |
*) | |
>&2 echo "openscap returned an unexpected exit status of $OSCAP_EXIT_CODE" | |
exit "$OSCAP_EXIT_CODE" | |
;; | |
esac | |
- name: Convert xml to hdf | |
run: | | |
# shellcheck shell=sh | |
set -eu | |
saf convert xccdf_results2hdf -i "openscap-report.xml" -o openscap-report.hdf | |
- name: Convert hdf to sarif | |
run: | | |
# shellcheck shell=sh | |
set -eu | |
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 sarif-multitool convert -t Hdf -o openscap-report.sarif openscap-report.hdf.json | |
- name: filter results that shouldn't be GitHub security alerts | |
# Hopefully GitHub adds support for SARIF's "kind" eliminating the need for this step: https://github.com/orgs/community/discussions/65477 | |
run: | | |
# shellcheck shell=sh | |
set -eu | |
jq 'del(.runs[].results[] | select(.kind == "notApplicable" or .kind == "pass" or .kind == "informational" ))' openscap-report.sarif > filtered.sarif | |
mv filtered.sarif openscap-report.sarif | |
- name: Upload reports | |
if: success() || failure() # always run even if the previous step fails | |
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4 | |
with: | |
name: openscap-reports | |
path: | | |
openscap-report.html | |
openscap-report.xml | |
openscap-report.hdf.json | |
openscap-report.sarif | |
- name: Upload SARIF file | |
uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3 | |
# Results are generated only on a success or failure | |
# this is required since GitHub by default won't run the next step | |
# when the previous one has failed. Security checks that do not pass will 'fail'. | |
# An alternative is to add `continue-on-error: true` to the previous step | |
if: success() || failure() | |
with: | |
sarif_file: openscap-report.sarif |