Added github action (#22)

e-minguez · web-flow · commit 38b029739a5c · 2022-06-30T17:18:13.000+02:00
diff --git a/docs/index.md b/docs/index.md
@@ -137,6 +137,7 @@ In this [repository](https://github.com/sysdiglabs/secure-inline-scan-examples/)
   * [Build, push and scan from repository](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-build-push-scan-from-repo)
   * [Build, push and scan using Openshift internal registry](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-openshift-internal-registry)
 * [Gitlab](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab)
+* [GitHub](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/github)
 * [Tekton](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton)
   * [Tekton alpha API](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton/alpha)
   * [Tekton beta API](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton/beta)
diff --git a/github/Dockerfile b/github/Dockerfile
@@ -0,0 +1 @@
+FROM alpine
diff --git a/github/README.md b/github/README.md
@@ -0,0 +1,33 @@
+# GitHub CI Demo
+
+In this demo we will use GitHub actions to build, scan and push a container image.
+The workflow is as follows:
+
+1. Setup Docker Buildx to be able to build the image
+2. Build the container image and store it locally
+3. Download the sysdig-cli-scanner cli if needed
+4. Perform the scan
+5. Login to the registry
+6. Push the container image to a remote registry
+
+The workflow leverages GitHub actions cache to avoid downloading the binary or
+the databases if they are available.
+
+## Setup
+
+It is required to create a few repository secrets in order to be able to push the
+container image:
+
+* `REGISTRY_USER`: Docker username
+* `REGISTRY_PASSWORD`: Docker user password
+* `SECURE_API_TOKEN`: Sysdig Token
+
+Modify the environment variables on the [build-scan-and-push.yaml](build-scan-and-push.yaml) file to fit your needs:
+
+```
+SYSDIG_SECURE_ENDPOINT: "https://secure.sysdig.com"
+REGISTRY_HOST: "quay.io"
+IMAGE_NAME: "mytestimage"
+IMAGE_TAG: "my-tag"
+DOCKERFILE_CONTEXT: "github/"
+```
diff --git a/github/build-scan-and-push.yaml b/github/build-scan-and-push.yaml
@@ -0,0 +1,71 @@
+env:
+    SYSDIG_SECURE_ENDPOINT: "https://eu1.app.sysdig.com"
+    REGISTRY_HOST: "quay.io"
+    IMAGE_NAME: "mytestimage"
+    IMAGE_TAG: "my-tag"
+    DOCKERFILE_CONTEXT: "github/"
+  
+name: Container build, scan and push
+
+on: [push, pull_request]
+
+jobs:
+  build-scan-and-push:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+    
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v2
+    
+    - name: Build and save
+      uses: docker/build-push-action@v3
+      with:
+        context: ${{ env.DOCKERFILE_CONTEXT }}
+        tags: ${{ env.REGISTRY_HOST }}/${{ secrets.REGISTRY_USER }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
+        load: true
+    
+    - name: Setup cache
+      uses: actions/cache@v3
+      with:
+        path: cache
+        key: ${{ runner.os }}-cache-${{ hashFiles('**/sysdig-cli-scanner', '**/latest_version.txt', '**/db/main.db.meta.json', '**/scanner-cache/inlineScannerCache.db') }}
+        restore-keys: ${{ runner.os }}-cache-
+
+    - name: Download sysdig-cli-scanner if needed
+      run:  |
+        curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt
+        mkdir -p ${GITHUB_WORKSPACE}/cache/db/
+        if [ ! -f ${GITHUB_WORKSPACE}/cache/latest_version.txt ] || [ $(cat ./latest_version.txt) != $(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt) ]; then
+          cp ./latest_version.txt ${GITHUB_WORKSPACE}/cache/latest_version.txt
+          curl -sL -o ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
+          chmod +x ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner
+        else
+          echo "sysdig-cli-scanner latest version already downloaded"
+        fi
+
+    - name: Scan the image using sysdig-cli-scanner
+      env:
+        SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
+      run: |
+        ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \
+          --apiurl ${SYSDIG_SECURE_ENDPOINT} \
+          docker://${REGISTRY_HOST}/${{ secrets.REGISTRY_USER }}/${IMAGE_NAME}:${IMAGE_TAG} \
+          --console-log \
+          --dbpath=${GITHUB_WORKSPACE}/cache/db/ \
+          --cachepath=${GITHUB_WORKSPACE}/cache/scanner-cache/
+
+    -  name: Login to the registry
+       uses: docker/login-action@v2
+       with:
+        registry: ${{ env.REGISTRY_HOST }}
+        username: ${{ secrets.REGISTRY_USER }}
+        password: ${{ secrets.REGISTRY_PASSWORD }}
+
+    - name: Push
+      uses: docker/build-push-action@v3
+      with:
+        context: ${{ env.DOCKERFILE_CONTEXT }}
+        push: true
+        tags: ${{ env.REGISTRY_HOST }}/${{ secrets.REGISTRY_USER }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
