setup(deps): update aquasec/trivy from 0.57.0 to 0.57.1 #12
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "New changes validation" | |
| on: | |
| pull_request: # yamllint disable-line rule:empty-values | |
| permissions: | |
| contents: "read" | |
| packages: "read" | |
| env: | |
| REGISTRY: "ghcr.io" | |
| IMAGE_NAME: "articola-tools/dockerfile-security-scanner" | |
| jobs: | |
| find-changed-files: | |
| runs-on: "ubuntu-latest" | |
| outputs: | |
| is_yaml_changed: "${{ steps.filter.outputs.yaml }}" | |
| is_dockerfile_changed: "${{ steps.filter.outputs.dockerfile }}" | |
| is_dockerfile_scanner_image_changed: "${{ steps.filter.outputs.dockerfile-scanner-image }}" | |
| is_markdown_changed: "${{ steps.filter.outputs.markdown }}" | |
| permissions: | |
| pull-requests: "read" | |
| steps: | |
| - name: "Checkout ${{ github.event.repository.name }}" | |
| uses: "actions/checkout@v4" | |
| with: | |
| fetch-depth: 1 | |
| - name: "Find changed files" | |
| uses: "dorny/paths-filter@v3" | |
| id: "filter" | |
| with: | |
| filters: | | |
| yaml: | |
| - "**/*.yaml" | |
| - "**/*.yml" | |
| dockerfile: | |
| - "**/Dockerfile" | |
| dockerfile-scanner-image: | |
| - "**/Dockerfile" | |
| - "**/.dockerignore" | |
| markdown: | |
| - "**/*.md" | |
| validate-dockerfile-security-scanner-image: | |
| runs-on: "ubuntu-latest" | |
| needs: "find-changed-files" | |
| if: "${{ needs.find-changed-files.outputs.is_dockerfile_scanner_image_changed == 'true' }}" | |
| # NOTE: building and running Docker image of Dockerfile security scanner take around 1 minute. | |
| # If this job takes more than 5 minutes, it means that something is wrong. | |
| timeout-minutes: 5 | |
| steps: | |
| - name: "Checkout ${{ github.event.repository.name }}" | |
| uses: "actions/checkout@v4" | |
| - name: "Set up Docker Buildx" | |
| uses: "docker/setup-buildx-action@v3" | |
| - name: "Login to Docker registry" | |
| uses: "docker/login-action@v3" | |
| with: | |
| registry: "${{ env.REGISTRY }}" | |
| username: "${{ github.actor }}" | |
| password: "${{ secrets.GITHUB_TOKEN }}" | |
| - name: "Build Dockerfile security scanner Docker image" | |
| uses: "docker/build-push-action@v6" | |
| with: | |
| # NOTE: setup of `context` is needed to force builder to use the `.dockerignore` file. | |
| context: "." | |
| push: false | |
| load: true | |
| # NOTE: using another name to don't allow docker to download image from the internet in the next step. | |
| tags: "local/dockerfile-security-scanner-pr:latest" | |
| cache-from: "type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest" | |
| cache-to: "type=inline" | |
| - name: "Build secure test Dockerfile Docker image" | |
| uses: "docker/build-push-action@v6" | |
| with: | |
| context: "./tests/secure_dockerfile" | |
| push: false | |
| load: true | |
| tags: "local/secure-docker-image-test:latest" | |
| - name: "Test secure Docker container" | |
| run: "docker run --rm --group-add $(getent group docker | cut -d: -f3) | |
| -v /var/run/docker.sock:/var/run/docker.sock | |
| local/dockerfile-security-scanner-pr:latest local/secure-docker-image-test:latest" | |
| - name: "Build insecure test Dockerfile Docker image" | |
| uses: "docker/build-push-action@v6" | |
| with: | |
| context: "./tests/insecure_dockerfile" | |
| push: false | |
| load: true | |
| tags: "local/insecure-docker-image-test:latest" | |
| - name: "Test insecure Docker container" | |
| run: "docker run --rm --group-add $(getent group docker | cut -d: -f3) | |
| -v /var/run/docker.sock:/var/run/docker.sock | |
| local/dockerfile-security-scanner-pr:latest local/insecure-docker-image-test:latest | |
| && { echo 'Insecure Dockerfile test must fail!' >&2; exit 1; } || exit 0" | |
| - name: "Scan scanner Docker image" | |
| run: "docker run --rm --group-add $(getent group docker | cut -d: -f3) | |
| -v /var/run/docker.sock:/var/run/docker.sock local/dockerfile-security-scanner-pr:latest | |
| local/dockerfile-security-scanner-pr:latest" | |
| validate-dockerfile-changes: | |
| runs-on: "ubuntu-latest" | |
| needs: "find-changed-files" | |
| if: "${{ needs.find-changed-files.outputs.is_dockerfile_changed == 'true' }}" | |
| # NOTE: validating Dockerfile changes takes around 1 minute. | |
| # If this job takes more than 5 minutes, it means that something is wrong. | |
| timeout-minutes: 5 | |
| steps: | |
| - name: "Checkout ${{ github.event.repository.name }}" | |
| uses: "actions/checkout@v4" | |
| - name: "Login to Docker registry" | |
| uses: "docker/login-action@v3" | |
| with: | |
| registry: "${{ env.REGISTRY }}" | |
| username: "${{ github.actor }}" | |
| password: "${{ secrets.GITHUB_TOKEN }}" | |
| # HACK: remove `tests` directory before scanning repo directory because this is easier than implementing a proper | |
| # way to ignore directories in ENTRYPOINT command. | |
| - name: "Remove `tests` directory" | |
| run: "rm -rf ${{ github.workspace }}/tests" | |
| - name: "Run Dockerfile linter" | |
| run: "docker run --rm -v ${{ github.workspace }}:/linter_workdir/repo | |
| ${{ env.REGISTRY }}/articola-tools/dockerfile-linter:latest" | |
| validate-yaml-changes: | |
| runs-on: "ubuntu-latest" | |
| needs: "find-changed-files" | |
| if: "${{ needs.find-changed-files.outputs.is_yaml_changed == 'true' }}" | |
| # NOTE: validating YAML changes takes around 1 minute. | |
| # If this job takes more than 5 minutes, it means that something is wrong. | |
| timeout-minutes: 5 | |
| steps: | |
| - name: "Checkout ${{ github.event.repository.name }}" | |
| uses: "actions/checkout@v4" | |
| - name: "Login to Docker registry" | |
| uses: "docker/login-action@v3" | |
| with: | |
| registry: "${{ env.REGISTRY }}" | |
| username: "${{ github.actor }}" | |
| password: "${{ secrets.GITHUB_TOKEN }}" | |
| # HACK: remove `tests` directory before linting repo directory because there is no way to easily ignore folder | |
| # from yamllinter CLI. | |
| - name: "Remove `tests` directory" | |
| run: "rm -rf ${{ github.workspace }}/tests" | |
| - name: "Run YAML linter" | |
| run: "docker run --rm -v ${{ github.workspace }}:/linter_workdir/repo | |
| ${{ env.REGISTRY }}/articola-tools/yaml-linter:latest" | |
| validate-markdown-changes: | |
| runs-on: "ubuntu-latest" | |
| needs: "find-changed-files" | |
| if: "${{ needs.find-changed-files.outputs.is_markdown_changed == 'true' }}" | |
| # NOTE: validating Markdown changes takes around 1 minute. | |
| # If this job takes more than 5 minutes, it means that something is wrong. | |
| timeout-minutes: 5 | |
| steps: | |
| - name: "Checkout ${{ github.event.repository.name }}" | |
| uses: "actions/checkout@v4" | |
| - name: "Login to Docker registry" | |
| uses: "docker/login-action@v3" | |
| with: | |
| registry: "${{ env.REGISTRY }}" | |
| username: "${{ github.actor }}" | |
| password: "${{ secrets.GITHUB_TOKEN }}" | |
| - name: "Run Dockerfile linter" | |
| run: "docker run --rm -v ${{ github.workspace }}:/linter_workdir/repo | |
| ${{ env.REGISTRY }}/articola-tools/markdown-linter:latest" |