authorKamen Mladenov <kamen@syndamia.com>2024-08-25 21:00:53 +0300
committerGitHub <noreply@github.com>2024-08-25 21:00:53 +0300
commitba6698dae0934c56160d224bd498f94c781eb9b6 (patch)
treef495c0f11297caab7ceaf0fa146b722b0284156a
parent4d0ac908168730e3d52758746ab532ec000b44bc (diff)
Dev (#27)v0.2.3
* fix(README): Updated all TODO anchors (#25) * feat(ci/cd): Move Trivy testing into ci, from cd * fix(ci): Typo in needs value * fix(ci): docker build bad arguments * fix(ci): Download dev build artifacts in trivy dev test * fix(ci): Fixed trivy dev test build artifacts path
-rw-r--r--.github/workflows/cd-dev.yml23
-rw-r--r--.github/workflows/cd.yml27
-rw-r--r--.github/workflows/ci.yml62
3 files changed, 64 insertions, 48 deletions
diff --git a/.github/workflows/cd-dev.yml b/.github/workflows/cd-dev.yml
index 2e23351..3935d34 100644
--- a/.github/workflows/cd-dev.yml
+++ b/.github/workflows/cd-dev.yml
@@ -28,26 +28,3 @@ jobs:
context: .
file: ./docker/dev/Dockerfile
tags: ${{ secrets.DOCKERHUB_USERNAME }}/pico-web-dev:latest
-
- Test-Trivy:
- name: Scan development docker container with trivy
- runs-on: ubuntu-latest
- needs: Create-and-release-dev-container
- permissions:
- security-events: write
- steps:
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/pico-web-dev:latest
- format: 'sarif'
- output: 'trivy-results.sarif'
- exit-code: 0
- ignore-unfixed: true
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: 'trivy-results.sarif'
- sha: ${{ github.sha }}
- ref: ${{ github.ref }}
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 103717d..2419fe2 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -22,33 +22,10 @@ jobs:
file: ./docker/prod/Dockerfile
tags: ${{ secrets.DOCKERHUB_USERNAME }}/pico-web-server:latest
- Test-Trivy:
- name: Scan production docker container with trivy
- runs-on: ubuntu-latest
- needs: Build-docker-and-push
- permissions:
- security-events: write
- steps:
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/pico-web-server:latest
- format: 'sarif'
- output: 'trivy-results.sarif'
- exit-code: 0
- ignore-unfixed: true
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: 'trivy-results.sarif'
- sha: ${{ github.sha }}
- ref: ${{ github.ref }}
-
Release:
name: Make github release
runs-on: ubuntu-latest
- needs: Test-Trivy
+ needs: Build-docker-and-push
steps:
- uses: actions/checkout@v4
- uses: rymndhng/release-on-push-action@master
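Review bot: With `needs: Build-docker-and-push` the Release job (and Deploy-kubernetes in the second hunk of this file) no longer waits on any scan result, and the pushed `:latest` image is not scanned after the push anywhere in this diff; the CI-side scan builds the image locally, so this is only equivalent if the two builds are reproducible, which cannot be confirmed from here. Since the scan it replaced ran with `exit-code: 0`, nothing was blocking before either, so the practical change is traceability rather than gating. A short comment on the `needs` line would keep that intent explicit, e.g. `needs: Build-docker-and-push  # Trivy scanning moved to ci.yml (advisory, exit-code 0)`. The enclosing `jobs:` mapping starts outside the hunk.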
@@ -61,7 +38,7 @@ jobs:
Deploy-kubernetes:
name: Deploy kubernetes cluster locally to an action
runs-on: ubuntu-latest
- needs: Test-Trivy
+ needs: Build-docker-and-push
steps:
# Setup dependencies
- name: Install socat
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5cf4541..9c6d707 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -60,3 +60,65 @@ jobs:
with:
name: dev-build-files
path: ./build
+
+ Trivy-dev-test:
+ runs-on: ubuntu-latest
+ needs: Build
+ permissions:
+ security-events: write
+ steps:
+ - uses: actions/download-artifact@v3
+ with:
+ name: source-code
+ path: .
+ - uses: actions/download-artifact@v3
+ with:
+ name: dev-build-files
+ path: ./build
+ - uses: docker/setup-buildx-action@v1
+ - run: docker build -t pico-web-dev -f ./docker/dev/Dockerfile .
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: pico-web-dev
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ exit-code: 0
+ ignore-unfixed: true
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
+ sha: ${{ github.sha }}
+ ref: ${{ github.ref }}
+
+ Trivy-prod-test:
+ runs-on: ubuntu-latest
+ needs: Build
+ permissions:
+ security-events: write
+ steps:
+ - uses: actions/download-artifact@v3
+ with:
+ name: source-code
+ path: .
+ - uses: docker/setup-buildx-action@v1
+ - run: docker build -t pico-web -f ./docker/prod/Dockerfile .
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: pico-web
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ exit-code: 0
+ ignore-unfixed: true
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
+ sha: ${{ github.sha }}
+ ref: ${{ github.ref }}
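Review bot: Both new jobs upload to code scanning through `github/codeql-action/upload-sarif` without a `category` input, so the two uploads for the same commit and tool are treated as the same analysis and the later one replaces the earlier; only one of the dev/prod scans stays visible in the Security tab. Give each upload its own category, `category: trivy-dev` under the `with:` of Trivy-dev-test and `category: trivy-prod` under Trivy-prod-test. Separately, `aquasecurity/trivy-action@master` is a mutable ref executed in a job holding `security-events: write`; pin it to a full commit SHA, `uses: aquasecurity/trivy-action@<pinned-commit-sha>  # <release tag>`, and consider the same for `docker/setup-buildx-action@v1` and `actions/download-artifact@v3`, which are older majors that may be deprecated (worth verifying). `exit-code: 0` keeps both scans advisory, which looks intended but deserves a comment on that line such as `# advisory scan: findings are reported, not blocking`.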