# Workflow Name: Spring Boot container scan
#
# Owner: Digdir Platform team
#
# Purpose:
# This is part of the golden path for PRs towards main branch. The workflow
# should not normally be used directly, but called from the ci-pr-checks-image
# workflow, which checks certain things before calling this workflow with the
# correct parameters. This workflow will build a temporary Spring Boot image
# based on the 'application-path' and 'module-name' input parameters. The
# workflow will use Paketo buildpacks for building the image, and the
# specific builder image can be configured through inputs. After building the
# image, the workflow will run Trivy vulnerability scans.
#
# Flow:
# 1. Set image metadata (name and tag)
# 2. Checkout repository
# 3. Set up JDK
# 4. Build Spring Boot image using Paketo buildpacks. The image is built
# from the module named by module-name if provided, otherwise from the
# application-path directory
# 5. Run Trivy vulnerability scan on the built image
#
# Trigger:
# Triggered by workflow calls (workflow_call)
#
# Inputs:
# See input section
#
# Outputs:
# None
#
name: Spring Boot container scan

# Default to no token permissions; the job below grants only what it needs.
permissions: {}

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      # --- Build location ---------------------------------------------------
      application-path:
        description: Path to the application directory to scan with Trivy, relative to the repository root
        type: string
        required: false
        default: './'
      cache-path:
        description: Path to cache dependencies, relative to the repository root
        type: string
        required: false
        default: '**/pom.xml'
      module-name:
        description: Name of the module to build, if using a multi-module Maven project. If not provided, the workflow will attempt to build the application based on the application-path input
        type: string
        required: false
        default: ''

      # --- Image and builder ------------------------------------------------
      image-name:
        description: Name of Docker image
        type: string
        required: false
      image-pack:
        description: Paketo builder image to use. See https://paketo.io/docs/reference/builders-reference/ for choices
        type: string
        required: false
        default: 'builder-noble-java-tiny'
      image-pack-tag:
        description: Docker image pack version tag
        type: string
        required: false
        # NOTE(review): 'latest' is a mutable tag, so two runs may build on
        # different builder images; callers wanting reproducible builds should
        # pass a specific version tag.
        default: 'latest'

      # --- JDK and Maven ----------------------------------------------------
      java-distribution:
        description: Java distribution to use
        type: string
        required: false
        default: 'liberica'
      java-version:
        description: Main version of java
        type: string
        required: false
        default: '25'
      maven-lifecycle:
        description: Maven lifecycle phase (test, package, verify, install)
        type: string
        required: false
        # Validated against an allow-list in the job before being passed to mvn.
        default: 'test'
      maven-skip-tests:
        description: Skip running tests during the image build (-DskipTests)
        type: boolean
        required: false
        default: false

      # --- Trivy policy -----------------------------------------------------
      # Library scan: application dependencies inside the image.
      trivy-library-disable-scan:
        description: Disable Trivy library scan
        type: boolean
        required: false
        default: false
      trivy-library-ignore-unfixed:
        description: Ignore unfixed vulnerabilities in Trivy library scan
        type: boolean
        required: false
        default: true
      trivy-library-severity:
        description: When to fail the scan with Trivy library vulnerabilities
        type: string
        required: false
        default: 'HIGH,CRITICAL'
      # OS scan: base-image packages.
      trivy-os-disable-scan:
        description: Disable Trivy OS scan
        type: boolean
        required: false
        default: false
      trivy-os-ignore-unfixed:
        description: Ignore unfixed vulnerabilities in Trivy OS scan
        type: boolean
        required: false
        default: true
      trivy-os-severity:
        description: When to fail the scan with Trivy OS vulnerabilities
        type: string
        required: false
        default: 'CRITICAL'
      trivy-version:
        description: Version of Trivy to use for scanning
        type: string
        required: false
        # Empty means "whatever the trivy-scan action resolves by default";
        # pin a version here for reproducible scan results.
        default: ''
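jobs:
  build-and-scan-image:
    runs-on: ubuntu-latest
    # Least privilege: the job only reads the repository; the image is built
    # and scanned locally and nothing is pushed or published.
    permissions:
      contents: read
    steps:
      # Derives the image name and tag used by the build and scan steps below.
      # NOTE(review): this action and the trivy-scan action follow the mutable
      # `@main` ref of the platform team's own repository, while the third-party
      # actions are SHA-pinned; pin to a tag or SHA if reproducible runs matter.
      - name: Set image metadata
        id: image-metadata
        uses: felleslosninger/github-workflows/.github/actions/image-metadata@main
        with:
          image-name: ${{ inputs.image-name }}
          # Presumably only used to form a local image reference; nothing in
          # this workflow pushes the image — confirm against the action.
          container-registry: "my-local-registry"

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2

      - name: Set up JDK ${{ inputs.java-version }}
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # pin@v5.2.0
        with:
          distribution: "${{ inputs.java-distribution }}"
          java-version: ${{ inputs.java-version }}
          cache: maven
          cache-dependency-path: ${{ inputs.cache-path }}
          # setup-java writes these as environment-variable *names* into
          # settings.xml; the values are injected through `env` on the Maven
          # steps, so the PAT is never written to disk in clear text.
          server-id: github
          server-username: GH_PACKAGES_READ_USER
          server-password: GH_PACKAGES_READ_PAT

      # Shared input validation for both build variants: only the allow-listed
      # lifecycle phases are accepted before anything reaches mvn. The input
      # enters the shell via `env`, never via `${{ }}` interpolation.
      - name: Validate Maven lifecycle phase
        env:
          LIFECYCLE: ${{ inputs.maven-lifecycle }}
        run: |
          case "$LIFECYCLE" in
            test|package|verify|install)
              ;;
            *)
              echo "Invalid Maven lifecycle: $LIFECYCLE"
              exit 1
              ;;
          esac

      # Multi-module build: `-pl` selects the module and `-am` also builds the
      # in-repo modules it depends on.
      - name: Build image with Maven (module-name)
        if: inputs.module-name != ''
        env:
          # Not declared under workflow_call; the calling workflow must supply
          # them (e.g. `secrets: inherit`).
          GH_PACKAGES_READ_USER: ${{ secrets.GH_PACKAGES_READ_USER }}
          GH_PACKAGES_READ_PAT: ${{ secrets.GH_PACKAGES_READ_PAT }}
          LIFECYCLE: ${{ inputs.maven-lifecycle }}
          SKIP_TESTS: ${{ inputs.maven-skip-tests }}
          MODULE_NAME: ${{ inputs.module-name }}
          IMAGE_NAME: ${{ steps.image-metadata.outputs.image-name }}
          IMAGE_TAG: ${{ steps.image-metadata.outputs.image-tag }}
          IMAGE_PACK: ${{ inputs.image-pack }}
          IMAGE_PACK_TAG: ${{ inputs.image-pack-tag }}
        run: |
          mvn "$LIFECYCLE" -DskipTests="$SKIP_TESTS" -B spring-boot:build-image \
            -pl "$MODULE_NAME" -am \
            -Dspring-boot.build-image.imageName="$IMAGE_NAME:$IMAGE_TAG" \
            -Dspring-boot.build-image.builder="paketobuildpacks/$IMAGE_PACK:$IMAGE_PACK_TAG"

      # Single-module build rooted at application-path.
      - name: Build image with Maven (application-path)
        if: inputs.module-name == ''
        env:
          # Not declared under workflow_call; the calling workflow must supply
          # them (e.g. `secrets: inherit`).
          GH_PACKAGES_READ_USER: ${{ secrets.GH_PACKAGES_READ_USER }}
          GH_PACKAGES_READ_PAT: ${{ secrets.GH_PACKAGES_READ_PAT }}
          LIFECYCLE: ${{ inputs.maven-lifecycle }}
          SKIP_TESTS: ${{ inputs.maven-skip-tests }}
          APP_PATH: ${{ inputs.application-path }}
          IMAGE_NAME: ${{ steps.image-metadata.outputs.image-name }}
          IMAGE_TAG: ${{ steps.image-metadata.outputs.image-tag }}
          IMAGE_PACK: ${{ inputs.image-pack }}
          IMAGE_PACK_TAG: ${{ inputs.image-pack-tag }}
        run: |
          # Accept both "./app" and "./app/" (plain concatenation would turn the
          # former into "./apppom.xml"); an empty input means the repository root.
          POM_FILE="${APP_PATH:-./}"
          POM_FILE="${POM_FILE%/}/pom.xml"
          if [ ! -f "$POM_FILE" ]; then
            echo "No pom.xml found at '$POM_FILE' (application-path='$APP_PATH')"
            exit 1
          fi
          mvn "$LIFECYCLE" -DskipTests="$SKIP_TESTS" -B spring-boot:build-image \
            --file "$POM_FILE" \
            -Dspring-boot.build-image.imageName="$IMAGE_NAME:$IMAGE_TAG" \
            -Dspring-boot.build-image.builder="paketobuildpacks/$IMAGE_PACK:$IMAGE_PACK_TAG"

      # Scans the freshly built local image. Whether OS and library findings
      # fail the job is governed by the *-severity / *-ignore-unfixed inputs;
      # the exact policy lives in the trivy-scan action.
      - name: Run Trivy vulnerability scanner (image)
        uses: felleslosninger/github-workflows/.github/actions/trivy-scan@main
        with:
          image-ref: ${{ steps.image-metadata.outputs.image-name }}:${{ steps.image-metadata.outputs.image-tag }}
          application-path: ${{ inputs.application-path }}
          library-disable-scan: ${{ inputs.trivy-library-disable-scan }}
          library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }}
          library-severity: ${{ inputs.trivy-library-severity }}
          os-disable-scan: ${{ inputs.trivy-os-disable-scan }}
          os-ignore-unfixed: ${{ inputs.trivy-os-ignore-unfixed }}
          os-severity: ${{ inputs.trivy-os-severity }}
          trivy-version: ${{ inputs.trivy-version }}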