Skip to content

Latest commit

 

History

History

2024-08-28-rhacs-actions-pipeline

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
Containerfile
Containerfile
 
 
README.org
README.org
 
 

README.org

Securing supply chain

Red Hat Advanced Cluster Security can be easily integrated into an existing GitHub actions pipeline through the existing Stackrox suite of open source actions. The roxctl cli can be used to scan images for vulnerabilities or common misconfigurations.

Configure rhacs github oidc auth

Red Hat Advanced Cluster Security for Kubernetes (RHACS) provides the ability to configure short-lived access to the user interface and API calls.

You can configure this by exchanging OpenID Connect (OIDC) identity tokens for a RHACS-issued token.

We recommend this especially for Continuous Integration (CI) usage, where short-lived access is preferable over long-lived API tokens.

Refer: https://docs.openshift.com/acs/4.5/operating/manage-user-access/configure-short-lived-access.html

Create github actions pipeline

An example pipeline is included below and in this repository.

---
name: Secure image build
on: workflow_dispatch
permissions:
  contents: read

jobs:

  build-and-push-image:
    name: Build and push image
    runs-on: ubuntu-latest
    steps:

      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build image
        uses: redhat-actions/buildah-build@v2
        with:
          image: quay.io/rh_ee_jablair/ubi9
          tags: v0.0.1-${{ github.sha }}
          containerfiles: |
            ./2024-08-28-rhacs-actions-pipeline/Containerfile

      - name: Push to quay.io
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ubi9
          tags: v0.0.1-${{ github.sha }}
          registry: quay.io/rh_ee_jablair
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}


  scan-image:
    runs-on: ubuntu-latest
    needs: build-and-push-image
    permissions:
      id-token: write
    steps:

      - name: Rhacs login
        uses: stackrox/central-login@v1
        with:
          endpoint: ${{ secrets.CENTRAL_ENDPOINT }}
          skip-tls-verify: true

      - name: Install roxctl
        uses: stackrox/roxctl-installer-action@v1
        with:
          central-endpoint: ${{ secrets.CENTRAL_ENDPOINT }}
          central-token: ${{ secrets.ROX_API_TOKEN }}
          skip-tls-verify: true

      - name: Scan image with roxctl
        shell: bash
        run: |
          roxctl image scan --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1-${{ github.sha }}" --insecure-skip-tls-verify
          roxctl image check --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1-${{ github.sha }}" --insecure-skip-tls-verify