Skip to content

Commit

Permalink
changed: SBOM action replaced by Docker Scout
Browse files Browse the repository at this point in the history
ammnt committed Apr 18, 2024
1 parent 1744a64 commit faf351b
Showing 1 changed file with 26 additions and 15 deletions.
41 changes: 26 additions & 15 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
@@ -21,39 +21,40 @@ jobs:
contents: read
packages: write
id-token: write
security-events: write

steps:
- name: Checkout repository
- name: Checkout repository🧱
uses: actions/checkout@v4.1.2

- name: Install cosign
- name: Install cosign🔒
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@v3.5.0

- name: Setup Docker buildx
- name: Setup Docker buildx🛠️
uses: docker/setup-buildx-action@v3.3.0

- name: Log into ${{ env.REGISTRY }}
- name: Log into ${{ env.REGISTRY }}🔑
if: github.event_name != 'pull_request'
uses: docker/login-action@v3.1.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Log into Docker Hub
- name: Log into Docker Hub🔑
uses: docker/login-action@v3.1.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Extract Docker metadata
- name: Extract Docker metadata🔬
id: meta
uses: docker/metadata-action@v5.5.1
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

- name: Build the Docker image
- name: Build the Docker image⛓️
id: build
uses: docker/build-push-action@v5.3.0
with:
@@ -66,7 +67,7 @@ jobs:
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Slim the Docker image
- name: Slim the Docker image🚀
uses: kitabisa/docker-slim-action@v1.1.1
env:
DSLIM_HTTP_PROBE: false
@@ -78,25 +79,35 @@ jobs:
env:
REPORT: ${{ steps.slim.outputs.report }}

- name: Test the Docker image
- name: Test the Docker image🧪
run: |
docker run -d --rm -p 127.0.0.1:8080:8080/tcp ghcr.io/ammnt/nginx:http3
curl -v http://127.0.0.1:8080 || exit 1
- name: Scan the Docker image
uses: anchore/sbom-action@v0.15.10
- name: Analyze for critical and high CVEs💊
id: docker-scout-cves
if: ${{ github.event_name != 'pull_request_target' }}
uses: docker/scout-action@v1.7.0
with:
command: cves,sbom
image: ghcr.io/ammnt/nginx:http3
sarif-file: sarif.output.json
summary: true

- name: Push the Docker images to ghcr.io
run: docker push ghcr.io/ammnt/nginx:http3
- name: Upload SARIF result📊
id: upload-sarif
if: ${{ github.event_name != 'pull_request_target' }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif.output.json

- name: Push the Docker images to docker.io
- name: Push the Docker images to registries💾
run: |
docker push ghcr.io/ammnt/nginx:http3
docker tag ghcr.io/ammnt/nginx:http3 ammnt/nginx:http3
docker push ammnt/nginx:http3
- name: Sign the published Docker image
- name: Sign the published Docker image🔐
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_EXPERIMENTAL: "true"

0 comments on commit faf351b

Please sign in to comment.