secure build pipeline #184

Open · wants to merge 3 commits into base: develop
61 changes: 60 additions & 1 deletion .github/workflows/go-build.yml
@@ -78,4 +78,63 @@ jobs:
- name: Upload scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
sarif_file: 'trivy-results.sarif'

Release:
needs: Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- name: Set up QEMU # Virtualization tool
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
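Review bot: every action the new Release job pulls in is referenced by a mutable tag (`actions/checkout@v3`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`), and the job declares no `permissions:` block, so it inherits whatever the workflow or repository default grants. For a change titled "secure build pipeline", pin each `uses:` to a full-length commit SHA with the version in a trailing comment, and add `permissions: contents: read` at the job level so the token this job holds while logged in to Docker Hub cannot write back to the repository. The job also has no `if:` of its own, so the Docker Hub login runs on every ref the workflow triggers for; restricting Release to the default branch and `v*` tags would also settle the snapshot question raised in the comment below.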

Member:
What is the use case for publishing snapshots? For dev/testing, I'd expect devs to build locally. I'm definitely open to the idea, but I'd like to document the use case.

- name: Build and push snapshot
if: startsWith(github.ref, 'refs/tags/v') != true
uses: docker/build-push-action@v4
with:
push: true
tags: rafttech/konfirm:${{ github.sha }}

- name: set RELEASE_VERSION
if: startsWith(github.ref, 'refs/tags/v')
run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
- name: Build and push release
if: startsWith(github.ref, 'refs/tags/v')
uses: docker/build-push-action@v4
with:
push: true
tags: rafttech/konfirm:${{ env.RELEASE_VERSION }}
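Review bot: the Release job rebuilds the image from source rather than promoting the artifact the Scan job examined, so whatever Scan scanned (its Trivy SARIF is uploaded at the top of this hunk) is not the image pushed here; base-image digests and module downloads can differ between the two runs. Either build once in Scan and push that digest here, or scan the pushed digest in this job before it is tagged as a release. Smaller points on the same lines: `${{ !startsWith(github.ref, 'refs/tags/v') }}` is the idiomatic form of `startsWith(...) != true` (the `${{ }}` wrapper is needed because a bare leading `!` is a YAML tag); QEMU and Buildx are set up but neither build step passes `platforms:`, so the build is single-arch and the QEMU step is dead weight unless something like `platforms: linux/amd64,linux/arm64` is added; and give both build steps an `id:` so later steps can consume `steps.<id>.outputs.digest` instead of re-resolving a tag.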

Member:
Same comment as above regarding snapshots.

- name: Generate Snapshot SBOM
if: startsWith(github.ref, 'refs/tags/v')
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
format: 'spdx-json'
output: konfirm.sbom.json
image-ref: rafttech/konfirm:${{ github.sha }}
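Review bot: the `if:` on Generate Snapshot SBOM is inverted. It runs only on `refs/tags/v*`, where the `${{ github.sha }}` snapshot tag was never pushed (Build and push snapshot is skipped on tags), so Trivy will fail to pull the image; on non-tag refs, where the snapshot does exist, no snapshot SBOM is produced at all. It should mirror the snapshot build's condition, i.e. `if: ${{ !startsWith(github.ref, 'refs/tags/v') }}`. Separately, `aquasecurity/trivy-action@master` tracks a moving branch and is the one unpinned-to-any-version reference in this file; pin it to a release commit SHA like the others. Pass `image-ref` by digest (`steps.<build-id>.outputs.digest`, available once the build step has an `id:`) rather than by tag, since a tag re-resolved from Docker Hub is not guaranteed to be the image this run just pushed.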

Member:
SBOMs are also available via GitHub, which uses go.mod/go.sum. That wouldn't include the base image, but I wonder if that wouldn't be more accurate for Go dependencies. Can the two be merged in some way, or can Trivy include the image scan and go.mod/sum?

- name: Generate Release SBOM
if: startsWith(github.ref, 'refs/tags/v')
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
format: 'spdx-json'
output: konfirm.sbom.json
image-ref: rafttech/konfirm:${{ env.RELEASE_VERSION }}
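Review bot: the pinning and by-digest points made on the snapshot SBOM step apply here as well, with one detail that bears on the go.mod/go.sum question above: Trivy's image scan already reads the module list embedded in the compiled Go binary (the same data `go version -m` prints), so the image SBOM produced by this step covers Go module dependencies alongside the base image's OS packages; what it cannot see is anything listed only in go.mod/go.sum that did not make it into the binary. Both SBOM steps also write the same `output: konfirm.sbom.json`; once the snapshot condition is fixed they are mutually exclusive, but naming the release file after `env.RELEASE_VERSION` would make the uploaded artifact self-describing.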

Member:
Should we upload the generated SBOM to Docker Hub? If so, can we add an attestation/signature?

- name: Upload SBOM to pipeline
uses: actions/upload-artifact@v3
with:
name: konfirm.sbom.json
path: konfirm.sbom.json
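Review bot: this step has no `if:`, so it runs on every ref even when neither SBOM step produced a file, and `actions/upload-artifact@v3` only warns by default when `path` matches nothing, so a missing SBOM passes silently; set `if-no-files-found: error`, and move to `@v4` since v3 of the artifact actions is deprecated. On the attestation question raised above: a workflow artifact expires with the run's retention window and is not bound to the image in any verifiable way. `docker/build-push-action` (v4 and later) accepts `sbom: true` and `provenance: true`, which attach a BuildKit-generated SBOM and SLSA provenance attestation to the pushed image so consumers can fetch them from Docker Hub by digest; signing the image and its attestations with cosign in keyless mode would additionally need `id-token: write` on this job.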