Skip to content

Security Audit

Security Audit #157

Workflow file for this run

name: "Security Audit"
on:
push:
schedule:
- cron: '0 5 * * *'
jobs:
grype:
name: Grype
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
strategy:
fail-fast: false
matrix:
tag:
- 3.11-basic
- 3.11-docworker
env:
IMAGE_BASE_NAME: 'localhost:5000/test/python-base'
DOCKER_META_CONTEXT: '.'
DOCKER_META_FILE: './${{ matrix.tag }}/Dockerfile'
DOCKER_META_PLATFORMS: 'linux/amd64,linux/arm64'
steps:
- name: Check out repository
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install Grype
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
- name: Check Grype
run: |
grype version
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
with:
driver-opts: network=host
# TEST DOCKER IMAGE BUILD
- name: Docker meta [test]
id: meta-test
uses: docker/metadata-action@v4
with:
images: |
${{ env.IMAGE_BASE_NAME }}
tags: |
type=raw,value=${{ matrix.tag }}
- name: Docker build+push [test]
uses: docker/build-push-action@v3
with:
context: ${{ env.DOCKER_META_CONTEXT }}
file: ${{ env.DOCKER_META_FILE }}
platforms: ${{ env.DOCKER_META_PLATFORMS }}
push: true
tags: ${{ steps.meta-test.outputs.tags }}
labels: ${{ steps.meta-test.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Run Grype
run: |
grype ${{ env.IMAGE_BASE_NAME }}:${{ matrix.tag }} | tee result.txt
- name: Check critical vulnerabilities
run: |
CRITICALS=$(cat result.txt | grep "Critical" | wc -l | tr -s " ")
if [ "$CRITICALS" -gt "0" ]; then
echo "There are critical vulnerabilities: $CRITICALS (image: $IMAGE)"
echo "--------------------------------------------------------------------------------"
cat result.txt | grep "Critical"
exit 1
else
echo "There are no citical vulnerabilities for image: $IMAGE"
echo "Sending notification..."
echo "Well done!"
fi
env:
IMAGE: ${{ env.IMAGE_BASE_NAME }}:${{ matrix.tag }}