Skip to content

Dockerfile: upgrade base image to move past new snyk vulnerability #126

Dockerfile: upgrade base image to move past new snyk vulnerability

Dockerfile: upgrade base image to move past new snyk vulnerability #126

Workflow file for this run

name: Main - Attests to https://app.kosli.com
on:
push:
env:
KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }} # false
KOSLI_HOST: ${{ vars.KOSLI_HOST }} # https://app.kosli.com
KOSLI_ORG: ${{ vars.KOSLI_ORG }} # cyber-dojo
KOSLI_FLOW: ${{ vars.KOSLI_FLOW }} # web-ci
KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
KOSLI_TRAIL: ${{ github.sha }}
SERVICE_NAME: ${{ github.event.repository.name }} # web
jobs:
setup:
runs-on: ubuntu-latest
outputs:
image_tag: ${{ steps.variables.outputs.image_tag }}
image_name: ${{ steps.variables.outputs.image_name }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Set outputs
id: variables
run: |
IMAGE_TAG=${GITHUB_SHA:0:7}
echo "image_tag=${IMAGE_TAG}" >> ${GITHUB_OUTPUT}
echo "image_name=cyberdojo/${{ env.SERVICE_NAME }}:${IMAGE_TAG}" >> ${GITHUB_OUTPUT}
pull-request:
if: ${{ github.ref == 'refs/heads/main' }}
needs: []
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
pull-requests: read
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}
- name: Attest pull-request evidence to Kosli
run:
kosli attest pullrequest github
--github-token=${{ secrets.GITHUB_TOKEN }}
--name=pull-request
snyk-code-scan:
needs: []
runs-on: ubuntu-latest
env:
SARIF_FILENAME: snyk.code.scan.json
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Setup Snyk
uses: snyk/actions/setup@master
- name: Run Snyk code scan
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run:
snyk code test
--sarif
--sarif-file-output="${SARIF_FILENAME}"
--policy-path=.snyk
.
- name: Setup Kosli CLI
if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}
- name: Attest evidence to Kosli
if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
run:
kosli attest snyk
--name=web.snyk-code-scan
--scan-results="${SARIF_FILENAME}"
build-image:
needs: [setup]
runs-on: ubuntu-latest
env:
IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
outputs:
kosli_fingerprint: ${{ steps.variables.outputs.kosli_fingerprint }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
- uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PASS }}
- name: Build and push image to Registry
id: docker_build
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ needs.setup.outputs.image_name }}
build-args:
COMMIT_SHA=${{ github.sha }}
- name: Make Artifact fingerprint available to following jobs
id: variables
run: |
FINGERPRINT=$(echo ${{ steps.docker_build.outputs.digest }} | sed 's/.*://')
echo "kosli_fingerprint=${FINGERPRINT}" >> ${GITHUB_OUTPUT}
- name: Setup Kosli CLI
if: ${{ github.ref == 'refs/heads/main' }}
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}
- name: Attest image provenance to Kosli
if: ${{ github.ref == 'refs/heads/main' }}
run:
kosli attest artifact "${IMAGE_NAME}"
--artifact-type=docker
--name=web
--trail="${GITHUB_SHA}"
snyk-container-scan:
needs: [setup, build-image]
runs-on: ubuntu-latest
env:
SARIF_FILENAME: snyk.container.scan.json
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Setup Snyk
uses: snyk/actions/setup@master
- name: Run Snyk container scan
env:
IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run:
snyk container test ${IMAGE_NAME}
--file=Dockerfile
--sarif
--sarif-file-output="${SARIF_FILENAME}"
--policy-path=.snyk
- name: Setup Kosli CLI
if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}
- name: Attest evidence to Kosli
if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
env:
KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
run:
kosli attest snyk
--name=web.snyk-container-scan
--scan-results="${SARIF_FILENAME}"
sdlc-control-gate:
if: ${{ github.ref == 'refs/heads/main' }}
needs: [setup, build-image, pull-request, snyk-container-scan, snyk-code-scan]
runs-on: ubuntu-latest
steps:
- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}
- name: Kosli SDLC gate to short-circuit the workflow
env:
IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
run:
kosli assert artifact ${IMAGE_NAME}
approve-deployment-to-beta:
needs: [setup, build-image, sdlc-control-gate]
runs-on: ubuntu-latest
environment:
name: staging
url: https://beta.cyber-dojo.org
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}
- name: Attest approval of deployment to Kosli
env:
IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
KOSLI_ENVIRONMENT: aws-beta
run:
kosli report approval ${IMAGE_NAME}
--approver="${{ github.actor }}"
deploy-to-beta:
needs: [setup, approve-deployment-to-beta]
uses: ./.github/workflows/sub_deploy_to_beta.yml
with:
IMAGE_TAG: ${{ needs.setup.outputs.image_tag }}
secrets:
KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
approve-deployment-to-prod:
needs: [setup, build-image, deploy-to-beta]
runs-on: ubuntu-latest
environment:
name: production
url: https://cyber-dojo.org
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v2
with:
version: ${{ vars.KOSLI_CLI_VERSION }}
- name: Attest approval of deployment to Kosli
env:
IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
KOSLI_ENVIRONMENT: aws-prod
run:
kosli report approval ${IMAGE_NAME}
--approver="${{ github.actor }}"
deploy-to-prod:
needs: [setup, approve-deployment-to-prod]
uses: ./.github/workflows/sub_deploy_to_prod.yml
with:
IMAGE_TAG: ${{ needs.setup.outputs.image_tag }}
secrets:
KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
# The cyberdojo/versioner refresh-env.sh script
# https://github.com/cyber-dojo/versioner/blob/master/sh/refresh-env.sh
# relies on being able to:
# - get the :latest image
# - extract the SHA env-var embedded inside it
# - use the 1st 7 chars of the SHA as a latest-equivalent tag
push-latest:
needs: [setup, deploy-to-prod]
runs-on: ubuntu-latest
env:
IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
steps:
- uses: actions/checkout@v4
- uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PASS }}
- name: Tag image to :latest and push to Dockerhub Registry
run: |
docker pull "${IMAGE_NAME}"
docker tag "${IMAGE_NAME}" cyberdojo/${{ env.SERVICE_NAME }}:latest
docker push cyberdojo/${{ env.SERVICE_NAME }}:latest