CI: Bump version to v5.6.0-92.16 #217
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Image Security Scan | |
on: | |
push: | |
branches: [master, test, dev] | |
pull_request: | |
branches: [master, test, dev] | |
schedule: | |
- cron: "30 5 14 * *" # Run this scan every sprint release cycle 14th of every month at 5:30 UTC | |
jobs: | |
nodejs-base-image: | |
name: nodejs-base-image | |
if: github.event.pull_request.head.repo.full_name == github.repository | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
env: | |
working-directory: ./openshift/4.0/templates/base-images | |
image-name: nodejs-14-ubi8 | |
tag: ${{secrets.NODEJS14_BASE_TAG}} # 1-35 | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
output-filename: nodejs14.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Authenticate and set context | |
uses: redhat-actions/oc-login@v1 | |
env: | |
OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}} # service account gitaction in openshift will be used here! | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
SERVER_URL: ${{secrets.OPENSHIFT_SERVER}} | |
OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}} | |
with: | |
openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }} | |
openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Login to OpenShift Container Registry | |
uses: docker/login-action@v1 | |
with: | |
registry: ${{secrets.OPENSHIFT_REGISTRY}} | |
username: ${{ secrets.OC_USERNAME_SA }} | |
password: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Pull nodejs Base Image | |
env: | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
run: | | |
docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}} | |
working-directory: ${{env.working-directory}} | |
- name: Scan nodejs14 Base Image with Aqua Trivy | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}" | |
format: "table" | |
exit-code: "1" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" | |
output: ${{env.output-filename}} | |
- if: failure() && steps.scan.outcome == 'failure' | |
name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.output-filename}} | |
retention-days: 3 | |
if-no-files-found: error | |
comment_nodejs_pr: | |
# this action will leave a comment in response to vulnerability scans performed on cotnainer image | |
if: always() && needs.nodejs-base-image.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository | |
needs: nodejs-base-image | |
runs-on: ubuntu-latest | |
env: | |
working-directory: ./source/frontend | |
image-name: nodejs-14-ubi8 | |
tag: ${{secrets.NODEJS14_BASE_TAG}} | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
output-filename: nodejs14.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download artifact | |
id: artifact | |
uses: actions/download-artifact@master | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.image-name}} | |
- name: Get comment body | |
id: get-comment-body | |
if: steps.artifact.outcome == 'success' | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
body="$(cat ${{env.output-filename}})" | |
body="${body//'%'/'%25'}" | |
body="${body//$'\n'/'%0A'}" | |
body="${body//$'\r'/'%0D'}" | |
echo "::set-output name=body::$body" | |
fi | |
- name: Find Comment | |
if: github.event_name == 'pull_request' | |
uses: peter-evans/find-comment@v1 | |
id: fc | |
with: | |
issue-number: ${{ github.event.pull_request.number }} | |
comment-author: "github-actions[bot]" | |
body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
- name: Comment on PR | |
if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure' | |
env: | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
commentPR () { | |
gh pr comment $PRNUM -b "${1}" | |
} | |
PRNUM=${{ github.event.pull_request.number }} | |
PRBODY=$(cat ${{env.output-filename}}) | |
INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
```'${PRBODY}'```'; | |
commentPR "$INDENTED" | |
else | |
echo "No vulnerability detected in this image" | |
fi | |
- name: Update PR Comment | |
if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != '' | |
uses: peter-evans/create-or-update-comment@v1 | |
with: | |
comment-id: ${{ steps.fc.outputs.comment-id }} | |
issue-number: ${{ github.event.pull_request.number }} | |
body: | | |
## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
``` echo "${{ steps.get-comment-body.outputs.body }}"``` | |
edit-mode: replace | |
reactions: confused | |
nginx-base-image: | |
name: nginx-base-image | |
if: github.event.pull_request.head.repo.full_name == github.repository | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
env: | |
working-directory: ./openshift/s2i/nginx-runtime | |
image-name: nginx-base | |
tag: ${{secrets.NGINX_BASE_TAG}} # mainline | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
output-filename: nginx-base.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Authenticate and set context | |
uses: redhat-actions/oc-login@v1 | |
env: | |
OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}} | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
SERVER_URL: ${{secrets.OPENSHIFT_SERVER}} | |
OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}} | |
with: | |
openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }} | |
openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Login to OpenShift Container Registry | |
uses: docker/login-action@v1 | |
with: | |
registry: ${{secrets.OPENSHIFT_REGISTRY}} | |
username: ${{ secrets.OC_USERNAME_SA }} | |
password: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Pull Nginx Runtime Base Image | |
run: | | |
docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}} | |
working-directory: ${{env.working-directory}} | |
- name: Scan Nginx Runtime Base Image with Aqua Trivy | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}" | |
format: "table" | |
exit-code: "1" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" | |
output: ${{env.output-filename}} | |
- if: failure() && steps.scan.outcome == 'failure' | |
name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.output-filename}} | |
retention-days: 3 | |
comment_nginx_pr: | |
# this action will leave a comment in response to vulnerability scans performed on cotnainer image | |
if: always() && needs.nginx-base-image.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository | |
needs: nginx-base-image | |
runs-on: ubuntu-latest | |
env: | |
working-directory: ./source/frontend | |
image-name: nginx-base | |
tag: ${{secrets.NGINX_BASE_TAG}} | |
output-filename: nginx-base.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download artifact | |
id: artifact | |
uses: actions/download-artifact@master | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.image-name}} | |
- name: Get comment body | |
id: get-comment-body | |
if: steps.artifact.outcome == 'success' | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
body="$(cat ${{env.output-filename}})" | |
body="${body//'%'/'%25'}" | |
body="${body//$'\n'/'%0A'}" | |
body="${body//$'\r'/'%0D'}" | |
echo "::set-output name=body::$body" | |
fi | |
- name: Find Comment | |
if: github.event_name == 'pull_request' | |
uses: peter-evans/find-comment@v1 | |
id: fc | |
with: | |
issue-number: ${{ github.event.pull_request.number }} | |
comment-author: "github-actions[bot]" | |
body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
- name: Comment on PR | |
if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure' | |
env: | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
commentPR () { | |
gh pr comment $PRNUM -b "${1}" | |
} | |
PRNUM=${{ github.event.pull_request.number }} | |
PRBODY=$(cat ${{env.output-filename}}) | |
INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
```'${PRBODY}'```'; | |
commentPR "$INDENTED" | |
else | |
echo "No vulnerability detected in this image" | |
fi | |
- name: Update PR Comment | |
if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != '' | |
uses: peter-evans/create-or-update-comment@v1 | |
with: | |
comment-id: ${{ steps.fc.outputs.comment-id }} | |
issue-number: ${{ github.event.pull_request.number }} | |
body: | | |
## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
``` echo "${{ steps.get-comment-body.outputs.body }}"``` | |
edit-mode: replace | |
reactions: confused | |
build_frontend: | |
if: always() && github.event.pull_request.head.repo.full_name == github.repository | |
needs: [nodejs-base-image, nginx-base-image] | |
name: pims-frontend | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
env: | |
working-directory: ./source/frontend | |
image-name: pims-app | |
tag: latest | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
output-filename: pims-app.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Authenticate and set context | |
uses: redhat-actions/oc-login@v1 | |
env: | |
# These can be stored in secrets, if desired. | |
OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}} | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
SERVER_URL: ${{secrets.OPENSHIFT_SERVER}} | |
OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}} | |
with: | |
openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }} | |
openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Login to OpenShift Container Registry | |
uses: docker/login-action@v1 | |
with: | |
registry: ${{secrets.OPENSHIFT_REGISTRY}} | |
username: ${{ secrets.OC_USERNAME_SA }} | |
password: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Pull PIMS App React Frontend Image | |
env: | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
run: | | |
docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}} | |
working-directory: ${{env.working-directory}} | |
- name: Scan PIMS React Frontend Image with Aqua Trivy | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}" | |
format: "table" | |
exit-code: "1" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" | |
output: ${{env.output-filename}} | |
- if: failure() && steps.scan.outcome == 'failure' | |
name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.output-filename}} | |
retention-days: 3 | |
comment_app_pr: | |
# this action will leave a comment in response to credential scans performed on pull requests | |
if: always() && needs.build_frontend.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository | |
needs: build_frontend | |
runs-on: ubuntu-latest | |
env: | |
working-directory: ./source/frontend | |
image-name: pims-app | |
tag: latest | |
output-filename: pims-app.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download artifact | |
id: artifact | |
uses: actions/download-artifact@master | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.image-name}} | |
- name: Get comment body | |
id: get-comment-body | |
if: steps.artifact.outcome == 'success' | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
body="$(cat ${{env.output-filename}})" | |
body="${body//'%'/'%25'}" | |
body="${body//$'\n'/'%0A'}" | |
body="${body//$'\r'/'%0D'}" | |
echo "::set-output name=body::$body" | |
fi | |
- name: Find Comment | |
if: github.event_name == 'pull_request' | |
uses: peter-evans/find-comment@v1 | |
id: fc | |
with: | |
issue-number: ${{ github.event.pull_request.number }} | |
comment-author: "github-actions[bot]" | |
body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
- name: Comment on PR | |
if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure' | |
env: | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
commentPR () { | |
gh pr comment $PRNUM -b "${1}" | |
} | |
PRNUM=${{ github.event.pull_request.number }} | |
PRBODY=$(cat ${{env.output-filename}}) | |
INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
```'${PRBODY}'```'; | |
commentPR "$INDENTED" | |
else | |
echo "No vulnerability detected in this image" | |
fi | |
- name: Update PR Comment | |
if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != '' | |
uses: peter-evans/create-or-update-comment@v1 | |
with: | |
comment-id: ${{ steps.fc.outputs.comment-id }} | |
issue-number: ${{ github.event.pull_request.number }} | |
body: | | |
## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
``` echo "${{ steps.get-comment-body.outputs.body }}"``` | |
edit-mode: replace | |
reactions: confused | |
aspnet-runtime: | |
name: aspnet-runtime | |
if: github.event.pull_request.head.repo.full_name == github.repository | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
env: | |
working-directory: ./openshift/4.0/templates/base-images/dotnet50 | |
image-name: dotnet-aspnet | |
tag: "5.0" | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
output-filename: dotnet-aspnet.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Authenticate and set context | |
uses: redhat-actions/oc-login@v1 | |
env: | |
# These can be stored in secrets, if desired. | |
OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}} | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
SERVER_URL: ${{secrets.OPENSHIFT_SERVER}} | |
OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}} | |
with: | |
openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }} | |
openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Login to OpenShift Container Registry | |
uses: docker/login-action@v1 | |
with: | |
registry: ${{secrets.OPENSHIFT_REGISTRY}} | |
username: ${{ secrets.OC_USERNAME_SA }} | |
password: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Pull aspnet dotnet5 runtime Base Image | |
run: | | |
docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}} | |
working-directory: ${{env.working-directory}} | |
- name: Scan dotnet5 SDK and runtime Image with Aqua Trivy | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}" | |
format: "table" | |
exit-code: "1" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" | |
output: ${{env.output-filename}} | |
- if: failure() && steps.scan.outcome == 'failure' | |
name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.output-filename}} | |
retention-days: 3 | |
comment_aspnet_pr: | |
# this action will leave a comment in response to credential scans performed on pull requests | |
if: always() && needs.aspnet-runtime.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository | |
needs: aspnet-runtime | |
runs-on: ubuntu-latest | |
env: | |
working-directory: ./openshift/4.0/templates/base-images/dotnet50 | |
image-name: dotnet-aspnet | |
tag: "5.0" | |
output-filename: dotnet-aspnet.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download artifact | |
id: artifact | |
uses: actions/download-artifact@master | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.image-name}} | |
- name: Get comment body | |
id: get-comment-body | |
if: steps.artifact.outcome == 'success' | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
body="$(cat ${{env.output-filename}})" | |
body="${body//'%'/'%25'}" | |
body="${body//$'\n'/'%0A'}" | |
body="${body//$'\r'/'%0D'}" | |
echo "::set-output name=body::$body" | |
fi | |
- name: Find Comment | |
if: github.event_name == 'pull_request' | |
uses: peter-evans/find-comment@v1 | |
id: fc | |
with: | |
issue-number: ${{ github.event.pull_request.number }} | |
comment-author: "github-actions[bot]" | |
body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
- name: Comment on PR | |
if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure' | |
env: | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
commentPR () { | |
gh pr comment $PRNUM -b "${1}" | |
} | |
PRNUM=${{ github.event.pull_request.number }} | |
PRBODY=$(cat ${{env.output-filename}}) | |
INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
```'${PRBODY}'```'; | |
commentPR "$INDENTED" | |
else | |
echo "No vulnerability detected in this image" | |
fi | |
- name: Update PR Comment | |
if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != '' | |
uses: peter-evans/create-or-update-comment@v1 | |
with: | |
comment-id: ${{ steps.fc.outputs.comment-id }} | |
issue-number: ${{ github.event.pull_request.number }} | |
body: | | |
## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
``` echo "${{ steps.get-comment-body.outputs.body }}"``` | |
edit-mode: replace | |
reactions: confused | |
dotnet-sdk: | |
name: dotnet5-sdk | |
if: github.event.pull_request.head.repo.full_name == github.repository | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
env: | |
working-directory: ./openshift/4.0/templates/base-images/dotnet50 | |
image-name: dotnet-sdk | |
tag: "5.0" | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
output-filename: dotnet-sdk.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Authenticate and set context | |
uses: redhat-actions/oc-login@v1 | |
env: | |
# These can be stored in secrets, if desired. | |
OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}} | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
SERVER_URL: ${{secrets.OPENSHIFT_SERVER}} | |
OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}} | |
with: | |
openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }} | |
openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Login to OpenShift Container Registry | |
uses: docker/login-action@v1 | |
with: | |
registry: ${{secrets.OPENSHIFT_REGISTRY}} | |
username: ${{ secrets.OC_USERNAME_SA }} | |
password: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Pull aspnet dotnet5 runtime Base Image | |
run: | | |
docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}} | |
working-directory: ${{env.working-directory}} | |
- name: Scan dotnet5 SDK and runtime Image with Aqua Trivy | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}" | |
format: "table" | |
exit-code: "1" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" | |
output: ${{env.output-filename}} | |
- if: failure() && steps.scan.outcome == 'failure' | |
name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.output-filename}} | |
retention-days: 3 | |
comment_dotnetsdk_pr: | |
# this action will leave a comment in response to credential scans performed on pull requests | |
if: always() && needs.dotnet-sdk.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository | |
needs: dotnet-sdk | |
runs-on: ubuntu-latest | |
env: | |
working-directory: ./openshift/4.0/templates/base-images/dotnet50 | |
image-name: dotnet-sdk | |
tag: "5.0" | |
output-filename: dotnet-sdk.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download artifact | |
id: artifact | |
uses: actions/download-artifact@master | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.image-name}} | |
- name: Get comment body | |
id: get-comment-body | |
if: steps.artifact.outcome == 'success' | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
body="$(cat ${{env.output-filename}})" | |
body="${body//'%'/'%25'}" | |
body="${body//$'\n'/'%0A'}" | |
body="${body//$'\r'/'%0D'}" | |
echo "::set-output name=body::$body" | |
fi | |
- name: Find Comment | |
if: github.event_name == 'pull_request' | |
uses: peter-evans/find-comment@v1 | |
id: fc | |
with: | |
issue-number: ${{ github.event.pull_request.number }} | |
comment-author: "github-actions[bot]" | |
body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
- name: Comment on PR | |
if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure' | |
env: | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
commentPR () { | |
gh pr comment $PRNUM -b "${1}" | |
} | |
PRNUM=${{ github.event.pull_request.number }} | |
PRBODY=$(cat ${{env.output-filename}}) | |
INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
```'${PRBODY}'```'; | |
commentPR "$INDENTED" | |
else | |
echo "No vulnerability detected in this image" | |
fi | |
- name: Update PR Comment | |
if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != '' | |
uses: peter-evans/create-or-update-comment@v1 | |
with: | |
comment-id: ${{ steps.fc.outputs.comment-id }} | |
issue-number: ${{ github.event.pull_request.number }} | |
body: | | |
## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
``` echo "${{ steps.get-comment-body.outputs.body }}"``` | |
edit-mode: replace | |
reactions: confused | |
build_backend: | |
if: always() && github.event.pull_request.head.repo.full_name == github.repository | |
needs: [aspnet-runtime, dotnet-sdk] | |
name: pims-backend | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
env: | |
working-directory: ./source/backend | |
image-name: pims-api | |
tag: latest | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
output-filename: pims-api.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Authenticate and set context | |
uses: redhat-actions/oc-login@v1 | |
env: | |
# These can be stored in secrets, if desired. | |
OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}} | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
SERVER_URL: ${{secrets.OPENSHIFT_SERVER}} | |
OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}} | |
with: | |
openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }} | |
openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Login to OpenShift Container Registry | |
uses: docker/login-action@v1 | |
with: | |
registry: ${{secrets.OPENSHIFT_REGISTRY}} | |
username: ${{ secrets.OC_USERNAME_SA }} | |
password: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Pull PIMS Backend API Image | |
run: | | |
docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}} | |
working-directory: ${{env.working-directory}} | |
- name: Scan PIMS Backend API Image with Aqua Trivy | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}" | |
format: "table" | |
exit-code: "1" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" | |
output: ${{env.output-filename}} | |
- if: failure() && steps.scan.outcome == 'failure' | |
name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.output-filename}} | |
retention-days: 3 | |
comment_api_pr: | |
# this action will leave a comment in response to credential scans performed on pull requests | |
if: always() && needs.build_backend.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository | |
needs: build_backend | |
runs-on: ubuntu-latest | |
env: | |
working-directory: ./source/backend | |
image-name: pims-api | |
tag: latest | |
output-filename: pims-api.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download artifact | |
id: artifact | |
uses: actions/download-artifact@master | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.image-name}} | |
- name: Get comment body | |
id: get-comment-body | |
if: steps.artifact.outcome == 'success' | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
body="$(cat ${{env.output-filename}})" | |
body="${body//'%'/'%25'}" | |
body="${body//$'\n'/'%0A'}" | |
body="${body//$'\r'/'%0D'}" | |
echo "::set-output name=body::$body" | |
fi | |
- name: Find Comment | |
if: github.event_name == 'pull_request' | |
uses: peter-evans/find-comment@v1 | |
id: fc | |
with: | |
issue-number: ${{ github.event.pull_request.number }} | |
comment-author: "github-actions[bot]" | |
body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
- name: Comment on PR | |
if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure' | |
env: | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
commentPR () { | |
gh pr comment $PRNUM -b "${1}" | |
} | |
PRNUM=${{ github.event.pull_request.number }} | |
PRBODY=$(cat ${{env.output-filename}}) | |
INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
```'${PRBODY}'```'; | |
commentPR "$INDENTED" | |
else | |
echo "No vulnerability detected in this image" | |
fi | |
- name: Update PR Comment | |
if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != '' | |
uses: peter-evans/create-or-update-comment@v1 | |
with: | |
comment-id: ${{ steps.fc.outputs.comment-id }} | |
issue-number: ${{ github.event.pull_request.number }} | |
body: | | |
## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
``` echo "${{ steps.get-comment-body.outputs.body }}"``` | |
edit-mode: replace | |
reactions: confused | |
pims_logging: | |
if: always() && github.event.pull_request.head.repo.full_name == github.repository | |
needs: [build_frontend, build_backend] | |
name: logging | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
env: | |
working-directory: ./openshift/4.0/templates/Logging | |
image-name: pims-logging | |
tag: latest | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
output-filename: pims-logging.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Authenticate and set context | |
uses: redhat-actions/oc-login@v1 | |
env: | |
# These can be stored in secrets, if desired. | |
OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}} | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
SERVER_URL: ${{secrets.OPENSHIFT_SERVER}} | |
OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}} | |
with: | |
openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }} | |
openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Login to OpenShift Container Registry | |
uses: docker/login-action@v1 | |
with: | |
registry: ${{secrets.OPENSHIFT_REGISTRY}} | |
username: ${{ secrets.OC_USERNAME_SA }} | |
password: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Build PIMS Logging | |
run: | | |
docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}} | |
working-directory: ${{env.working-directory}} | |
- name: Scan PIMS Logging Image with Aqua Trivy | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}" | |
format: "table" | |
exit-code: "1" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" | |
output: ${{env.output-filename}} | |
- if: failure() && steps.scan.outcome == 'failure' | |
name: Upload OWASP ZAP scan artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.output-filename}} | |
retention-days: 3 | |
if-no-files-found: error | |
comment_logging_pr: | |
# this action will leave a comment in response to Image scans performed on pull requests | |
if: always() && needs.pims_logging.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository | |
needs: pims_logging | |
runs-on: ubuntu-latest | |
env: | |
working-directory: ./openshift/4.0/templates/jenkins-slaves/jenkins-slave-zap | |
image-name: pims-logging | |
tag: latest | |
output-filename: pims-logging.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download artifact | |
id: artifact | |
uses: actions/download-artifact@master | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.image-name}} | |
- name: Get comment body | |
id: get-comment-body | |
if: steps.artifact.outcome == 'success' | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
body="$(cat ${{env.output-filename}})" | |
body="${body//'%'/'%25'}" | |
body="${body//$'\n'/'%0A'}" | |
body="${body//$'\r'/'%0D'}" | |
echo "::set-output name=body::$body" | |
fi | |
- name: Find Comment | |
if: github.event_name == 'pull_request' | |
uses: peter-evans/find-comment@v1 | |
id: fc | |
with: | |
issue-number: ${{ github.event.pull_request.number }} | |
comment-author: "github-actions[bot]" | |
body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
- name: Comment on PR | |
if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure' | |
env: | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
commentPR () { | |
gh pr comment $PRNUM -b "${1}" | |
} | |
PRNUM=${{ github.event.pull_request.number }} | |
PRBODY=$(cat ${{env.output-filename}}) | |
INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
```'${PRBODY}'```'; | |
commentPR "$INDENTED" | |
else | |
echo "No vulnerability detected in this image" | |
fi | |
- name: Update PR Comment | |
if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != '' | |
uses: peter-evans/create-or-update-comment@v1 | |
with: | |
comment-id: ${{ steps.fc.outputs.comment-id }} | |
issue-number: ${{ github.event.pull_request.number }} | |
body: | | |
## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
``` echo "${{ steps.get-comment-body.outputs.body }}"``` | |
edit-mode: replace | |
reactions: confused | |
jenkins-agent-dotnet: | |
if: github.event.pull_request.head.repo.full_name == github.repository | |
name: jenkins-agent-dotnet | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
pull-requests: write | |
env: | |
working-directory: ./openshift/4.0/templates/jenkins-slaves/jenkins-slave-zap | |
image-name: jenkins-agent-dotnet | |
tag: latest | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
output-filename: jenkins-agent-dotnet.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Authenticate and set context | |
uses: redhat-actions/oc-login@v1 | |
env: | |
# These can be stored in secrets, if desired. | |
OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}} | |
OPENSHIFT_NAMESPACE: 3cd915-tools | |
SERVER_URL: ${{secrets.OPENSHIFT_SERVER}} | |
OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}} | |
with: | |
openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }} | |
openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Login to OpenShift Container Registry | |
uses: docker/login-action@v1 | |
with: | |
registry: ${{ secrets.OPENSHIFT_REGISTRY }} | |
username: ${{ secrets.OC_USERNAME_SA }} | |
password: ${{ secrets.OPENSHIFT_TOKEN }} | |
- name: Pull jenkins-agent-dotnet Image | |
run: | | |
docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}} | |
working-directory: ${{env.working-directory}} | |
- name: Scan jenkins-agent-dotnet with Aqua Trivy | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}" | |
format: "table" | |
exit-code: "1" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" | |
output: ${{env.output-filename}} | |
- if: failure() && steps.scan.outcome == 'failure' | |
name: Upload jenkins agent scan artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.output-filename}} | |
retention-days: 3 | |
if-no-files-found: error | |
comment_agent_pr: | |
# this action will leave a comment in response to credential scans performed on pull requests | |
if: always() && needs.jenkins-agent-dotnet.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository | |
needs: jenkins-agent-dotnet | |
runs-on: ubuntu-latest | |
env: | |
working-directory: ./openshift/4.0/templates/jenkins-slaves/jenkins-slave-zap | |
image-name: jenkins-agent-dotnet | |
tag: latest | |
output-filename: jenkins-agent-dotnet.txt | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download artifact | |
id: artifact | |
uses: actions/download-artifact@master | |
with: | |
name: ${{env.image-name}}_scan_report | |
path: ./${{env.image-name}} | |
- name: Get comment body | |
id: get-comment-body | |
if: steps.artifact.outcome == 'success' | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
body="$(cat ${{env.output-filename}})" | |
body="${body//'%'/'%25'}" | |
body="${body//$'\n'/'%0A'}" | |
body="${body//$'\r'/'%0D'}" | |
echo "::set-output name=body::$body" | |
fi | |
- name: Find Comment | |
if: github.event_name == 'pull_request' | |
uses: peter-evans/find-comment@v1 | |
id: fc | |
with: | |
issue-number: ${{ github.event.pull_request.number }} | |
comment-author: "github-actions[bot]" | |
body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
- name: Comment on PR | |
if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure' | |
env: | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
run: | | |
cd ${{env.image-name}}/ | |
if [ -s ${{env.output-filename}} ]; then | |
commentPR () { | |
gh pr comment $PRNUM -b "${1}" | |
} | |
PRNUM=${{ github.event.pull_request.number }} | |
PRBODY=$(cat ${{env.output-filename}}) | |
INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
```'${PRBODY}'```'; | |
commentPR "$INDENTED" | |
else | |
echo "No vulnerability detected in this image" | |
fi | |
- name: Update PR Comment | |
if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != '' | |
uses: peter-evans/create-or-update-comment@v1 | |
with: | |
comment-id: ${{ steps.fc.outputs.comment-id }} | |
issue-number: ${{ github.event.pull_request.number }} | |
body: | | |
## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report | |
``` echo "${{ steps.get-comment-body.outputs.body }}"``` | |
edit-mode: replace | |
reactions: confused |