Fix build and code structure improvements. New but essential UI functionality. CI improvements. Documentation improvements. AI module improvements.
This commit is contained in:
StellaOps Bot
227
.gitea/workflows/container-scan.yml
Normal file
227
.gitea/workflows/container-scan.yml
Normal file
@@ -0,0 +1,227 @@
|
||||
# Container Security Scanning Workflow
|
||||
# Sprint: CI/CD Enhancement - Security Scanning
|
||||
#
|
||||
# Purpose: Scan container images for vulnerabilities beyond SBOM generation
|
||||
# Triggers: Dockerfile changes, scheduled daily, manual dispatch
|
||||
#
|
||||
# Tool: PLACEHOLDER - Choose one: Trivy, Grype, or Snyk
|
||||
|
||||
name: Container Security Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
paths:
|
||||
- '**/Dockerfile'
|
||||
- '**/Dockerfile.*'
|
||||
- 'devops/docker/**'
|
||||
pull_request:
|
||||
paths:
|
||||
- '**/Dockerfile'
|
||||
- '**/Dockerfile.*'
|
||||
- 'devops/docker/**'
|
||||
schedule:
|
||||
# Run daily at 4 AM UTC
|
||||
- cron: '0 4 * * *'
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
severity_threshold:
|
||||
description: 'Minimum severity to fail'
|
||||
required: false
|
||||
type: choice
|
||||
options:
|
||||
- CRITICAL
|
||||
- HIGH
|
||||
- MEDIUM
|
||||
- LOW
|
||||
default: HIGH
|
||||
image:
|
||||
description: 'Specific image to scan (optional)'
|
||||
required: false
|
||||
type: string
|
||||
|
||||
env:
|
||||
SEVERITY_THRESHOLD: ${{ github.event.inputs.severity_threshold || 'HIGH' }}
|
||||
|
||||
jobs:
|
||||
discover-images:
|
||||
name: Discover Container Images
|
||||
runs-on: ubuntu-latest
|
||||
outputs:
|
||||
images: ${{ steps.discover.outputs.images }}
|
||||
count: ${{ steps.discover.outputs.count }}
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Discover Dockerfiles
|
||||
id: discover
|
||||
run: |
|
||||
# Find all Dockerfiles
|
||||
DOCKERFILES=$(find . -name "Dockerfile" -o -name "Dockerfile.*" | grep -v node_modules | grep -v bin | grep -v obj || true)
|
||||
|
||||
# Build image list
|
||||
IMAGES='[]'
|
||||
COUNT=0
|
||||
|
||||
while IFS= read -r dockerfile; do
|
||||
if [[ -n "$dockerfile" ]]; then
|
||||
DIR=$(dirname "$dockerfile")
|
||||
NAME=$(basename "$DIR" | tr '[:upper:]' '[:lower:]' | tr '.' '-')
|
||||
|
||||
# Get image name from directory structure
|
||||
if [[ "$DIR" == *"devops/docker"* ]]; then
|
||||
NAME=$(echo "$dockerfile" | sed 's|.*devops/docker/||' | sed 's|/Dockerfile.*||' | tr '/' '-')
|
||||
fi
|
||||
|
||||
IMAGES=$(echo "$IMAGES" | jq --arg name "$NAME" --arg path "$dockerfile" '. + [{"name": $name, "dockerfile": $path}]')
|
||||
COUNT=$((COUNT + 1))
|
||||
fi
|
||||
done <<< "$DOCKERFILES"
|
||||
|
||||
echo "Found $COUNT Dockerfile(s)"
|
||||
echo "images=$(echo "$IMAGES" | jq -c .)" >> $GITHUB_OUTPUT
|
||||
echo "count=$COUNT" >> $GITHUB_OUTPUT
|
||||
|
||||
scan-images:
|
||||
name: Scan ${{ matrix.image.name }}
|
||||
runs-on: ubuntu-latest
|
||||
needs: [discover-images]
|
||||
if: needs.discover-images.outputs.count != '0'
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
image: ${{ fromJson(needs.discover-images.outputs.images) }}
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
|
||||
- name: Build image for scanning
|
||||
id: build
|
||||
run: |
|
||||
IMAGE_TAG="scan-${{ matrix.image.name }}:${{ github.sha }}"
|
||||
DOCKERFILE="${{ matrix.image.dockerfile }}"
|
||||
CONTEXT=$(dirname "$DOCKERFILE")
|
||||
|
||||
echo "Building $IMAGE_TAG from $DOCKERFILE..."
|
||||
docker build -t "$IMAGE_TAG" -f "$DOCKERFILE" "$CONTEXT" || {
|
||||
echo "::warning::Failed to build $IMAGE_TAG - skipping scan"
|
||||
echo "skip=true" >> $GITHUB_OUTPUT
|
||||
exit 0
|
||||
}
|
||||
|
||||
echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
|
||||
echo "skip=false" >> $GITHUB_OUTPUT
|
||||
|
||||
# PLACEHOLDER: Choose your container scanner
|
||||
# Option 1: Trivy (recommended - comprehensive, free)
|
||||
# Option 2: Grype (Anchore - good integration with Syft SBOMs)
|
||||
# Option 3: Snyk (commercial, comprehensive)
|
||||
|
||||
- name: Trivy Vulnerability Scan
|
||||
if: steps.build.outputs.skip != 'true'
|
||||
id: trivy
|
||||
# Uncomment when ready to use Trivy:
|
||||
# uses: aquasecurity/trivy-action@master
|
||||
# with:
|
||||
# image-ref: ${{ steps.build.outputs.image_tag }}
|
||||
# format: 'sarif'
|
||||
# output: 'trivy-${{ matrix.image.name }}.sarif'
|
||||
# severity: ${{ env.SEVERITY_THRESHOLD }},CRITICAL
|
||||
# exit-code: '1'
|
||||
run: |
|
||||
echo "::notice::Container scanning placeholder - configure scanner below"
|
||||
echo ""
|
||||
echo "Image: ${{ steps.build.outputs.image_tag }}"
|
||||
echo "Severity threshold: ${{ env.SEVERITY_THRESHOLD }}"
|
||||
echo ""
|
||||
echo "Available scanners:"
|
||||
echo " 1. Trivy: aquasecurity/trivy-action@master"
|
||||
echo " 2. Grype: anchore/scan-action@v3"
|
||||
echo " 3. Snyk: snyk/actions/docker@master"
|
||||
|
||||
# Create placeholder report
|
||||
mkdir -p scan-results
|
||||
echo '{"placeholder": true, "image": "${{ matrix.image.name }}"}' > scan-results/scan-${{ matrix.image.name }}.json
|
||||
|
||||
# Alternative: Grype (works well with existing Syft SBOM workflow)
|
||||
# - name: Grype Vulnerability Scan
|
||||
# if: steps.build.outputs.skip != 'true'
|
||||
# uses: anchore/scan-action@v3
|
||||
# with:
|
||||
# image: ${{ steps.build.outputs.image_tag }}
|
||||
# severity-cutoff: ${{ env.SEVERITY_THRESHOLD }}
|
||||
# fail-build: true
|
||||
|
||||
# Alternative: Snyk Container
|
||||
# - name: Snyk Container Scan
|
||||
# if: steps.build.outputs.skip != 'true'
|
||||
# uses: snyk/actions/docker@master
|
||||
# env:
|
||||
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
||||
# with:
|
||||
# image: ${{ steps.build.outputs.image_tag }}
|
||||
# args: --severity-threshold=${{ env.SEVERITY_THRESHOLD }}
|
||||
|
||||
- name: Upload scan results
|
||||
if: always() && steps.build.outputs.skip != 'true'
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: container-scan-${{ matrix.image.name }}
|
||||
path: |
|
||||
scan-results/
|
||||
*.sarif
|
||||
*.json
|
||||
retention-days: 30
|
||||
if-no-files-found: ignore
|
||||
|
||||
- name: Cleanup
|
||||
if: always()
|
||||
run: |
|
||||
docker rmi "${{ steps.build.outputs.image_tag }}" 2>/dev/null || true
|
||||
|
||||
summary:
|
||||
name: Scan Summary
|
||||
runs-on: ubuntu-latest
|
||||
needs: [discover-images, scan-images]
|
||||
if: always()
|
||||
|
||||
steps:
|
||||
- name: Download all scan results
|
||||
uses: actions/download-artifact@v4
|
||||
with:
|
||||
pattern: container-scan-*
|
||||
path: all-results/
|
||||
merge-multiple: true
|
||||
continue-on-error: true
|
||||
|
||||
- name: Generate summary
|
||||
run: |
|
||||
echo "## Container Security Scan Results" >> $GITHUB_STEP_SUMMARY
|
||||
echo "" >> $GITHUB_STEP_SUMMARY
|
||||
echo "| Image | Status |" >> $GITHUB_STEP_SUMMARY
|
||||
echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
|
||||
|
||||
IMAGES='${{ needs.discover-images.outputs.images }}'
|
||||
SCAN_RESULT="${{ needs.scan-images.result }}"
|
||||
|
||||
echo "$IMAGES" | jq -r '.[] | .name' | while read -r name; do
|
||||
if [[ "$SCAN_RESULT" == "success" ]]; then
|
||||
echo "| $name | No vulnerabilities found |" >> $GITHUB_STEP_SUMMARY
|
||||
elif [[ "$SCAN_RESULT" == "failure" ]]; then
|
||||
echo "| $name | Vulnerabilities detected |" >> $GITHUB_STEP_SUMMARY
|
||||
else
|
||||
echo "| $name | $SCAN_RESULT |" >> $GITHUB_STEP_SUMMARY
|
||||
fi
|
||||
done
|
||||
|
||||
echo "" >> $GITHUB_STEP_SUMMARY
|
||||
echo "### Configuration" >> $GITHUB_STEP_SUMMARY
|
||||
echo "- **Scanner:** Placeholder (configure in workflow)" >> $GITHUB_STEP_SUMMARY
|
||||
echo "- **Severity Threshold:** ${{ env.SEVERITY_THRESHOLD }}" >> $GITHUB_STEP_SUMMARY
|
||||
echo "- **Images Scanned:** ${{ needs.discover-images.outputs.count }}" >> $GITHUB_STEP_SUMMARY
|
||||
echo "- **Trigger:** ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
|
||||
Reference in New Issue
Block a user