-
Notifications
You must be signed in to change notification settings - Fork 8
81 lines (77 loc) · 3.15 KB
/
patch.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
name: Patch vulnerable images
on:
# change these to your preferred event triggers
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
push:
branches:
- main
paths-ignore:
- '**.md'
workflow_dispatch:
jobs:
patch:
runs-on: ubuntu-latest
# used for pushing patched image to GHCR
permissions:
contents: read
packages: write
strategy:
fail-fast: false
matrix:
# provide relevant list of images to scan on each run
images:
- "docker.io/library/alpine:3.18.4"
- "docker.io/openpolicyagent/opa:0.46.0"
- "docker.io/library/hello-world:latest"
steps:
# generate trivy report for fixable OS package vulnerabilities
- name: Generate Trivy Report
uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1
with:
scan-type: "image"
format: "json"
output: "report.json"
ignore-unfixed: true
vuln-type: "os"
image-ref: ${{ matrix.images }}
# check whether there are any OS package vulnerabilities
- name: Check vulnerability count
id: vuln_count
run: |
report_file="report.json"
vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
# copa action will only run if there are vulnerabilities
- name: Run Copa action
if: steps.vuln_count.outputs.vuln_count != '0'
id: copa
# using main for testing purposes
# use a tag (such as v1 or v1.0.1) at a bare minimum
# recommendation is to pin to a digest for security and stability
# and rely on dependabot for digest/version updates
uses: project-copacetic/copa-action@main
with:
image: ${{ matrix.images }}
image-report: "report.json"
patched-tag: "patched"
timeout: "5m" # optional, default is 5m
output: vex.json # optional
format: "openvex" # optional, default is openvex
# copa-version: "0.6.0" # optional, default is latest
# buildkit-version: "v0.12.4" # optional, default is latest
# custom-socket: "/var/run/buildkit/buildkitd.sock" # optional, used for custom socket address
# see https://github.com/docker/login-action#usage for other registries
- name: Login to GHCR
if: steps.copa.conclusion == 'success'
id: login
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push patched image
if: steps.login.conclusion == 'success'
run: |
# retag if needed
docker tag ${{ steps.copa.outputs.patched-image }} ghcr.io/project-copacetic/copa-action/test/${{ steps.copa.outputs.patched-image }}
docker push ghcr.io/project-copacetic/copa-action/test/${{ steps.copa.outputs.patched-image }}