fix val #105
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Patch vulnerable images | |
| on: | |
| # change these to your preferred event triggers | |
| # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - '**.md' | |
| workflow_dispatch: | |
| jobs: | |
| patch: | |
| runs-on: ubuntu-latest | |
| # used for pushing patched image to GHCR | |
| permissions: | |
| contents: read | |
| packages: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| # provide relevant list of images to scan on each run | |
| images: | |
| - "docker.io/library/alpine:3.18.4" | |
| - "docker.io/openpolicyagent/opa:0.46.0" | |
| - "docker.io/library/hello-world:latest" | |
| steps: | |
| # generate trivy report for fixable OS package vulnerabilities | |
| - name: Generate Trivy Report | |
| uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1 | |
| with: | |
| scan-type: "image" | |
| format: "json" | |
| output: "report.json" | |
| ignore-unfixed: true | |
| vuln-type: "os" | |
| image-ref: ${{ matrix.images }} | |
| # check whether there are any OS package vulnerabilities | |
| - name: Check vulnerability count | |
| id: vuln_count | |
| run: | | |
| report_file="report.json" | |
| vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file") | |
| echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT | |
| # copa action will only run if there are vulnerabilities | |
| - name: Run Copa action | |
| if: steps.vuln_count.outputs.vuln_count != '0' | |
| id: copa | |
| # using main for testing purposes | |
| # use a tag (such as v1 or v1.0.1) at a bare minimum | |
| # recommendation is to pin to a digest for security and stability | |
| # and rely on dependabot for digest/version updates | |
| uses: project-copacetic/copa-action@main | |
| with: | |
| image: ${{ matrix.images }} | |
| image-report: "report.json" | |
| patched-tag: "patched" | |
| timeout: "5m" # optional, default is 5m | |
| output: vex.json # optional | |
| format: "openvex" # optional, default is openvex | |
| # copa-version: "0.6.0" # optional, default is latest | |
| # buildkit-version: "v0.12.4" # optional, default is latest | |
| # custom-socket: "/var/run/buildkit/buildkitd.sock" # optional, used for custom socket address | |
| # see https://github.com/docker/login-action#usage for other registries | |
| - name: Login to GHCR | |
| if: steps.copa.conclusion == 'success' | |
| id: login | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Push patched image | |
| if: steps.login.conclusion == 'success' | |
| run: | | |
| # retag if needed | |
| docker tag ${{ steps.copa.outputs.patched-image }} ghcr.io/project-copacetic/copa-action/test/${{ steps.copa.outputs.patched-image }} | |
| docker push ghcr.io/project-copacetic/copa-action/test/${{ steps.copa.outputs.patched-image }} |