From 535ef95b9bc659349a380583f8eb2fe154fe1db8 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Sun, 24 Nov 2024 00:26:39 +0200 Subject: [PATCH 01/42] Organizing the git repo --- .github/workflows/README.md | 5 ++++ README.md | 26 +------------------ ansible/README.md | 11 ++++++++ playbook.yml => ansible/playbook.yml | 0 .../playbook_docker.yml | 0 5 files changed, 17 insertions(+), 25 deletions(-) create mode 100644 .github/workflows/README.md create mode 100644 ansible/README.md rename playbook.yml => ansible/playbook.yml (100%) rename playbook_docker.yml => ansible/playbook_docker.yml (100%) diff --git a/.github/workflows/README.md b/.github/workflows/README.md new file mode 100644 index 000000000..9bbfcf427 --- /dev/null +++ b/.github/workflows/README.md @@ -0,0 +1,5 @@ +***GitHub Actions README*** + +To run ***github_actions_hw.yml*** workflow, any change should be done in the README.md file and should be +commited and pushed to GitHub. Then a PR should be made to the main branch and merged. It will trigger the +Actions tab in GitHub. \ No newline at end of file diff --git a/README.md b/README.md index 5bbf3d85b..13bac0846 100644 --- a/README.md +++ b/README.md @@ -1,15 +1,5 @@ # devops-programme -To run the playbook_docker.yml, execute the bellow command: -``` -ansible-playbook playbook_docker.yml -``` - -To run the ansible playbook with encrypted docker credentials and push the image to Docker Hub, execute: -``` -ansible-playbook --ask-vault-pass playbook_docker.yml -``` - To build the docker image, execute: ``` docker build -t bobby84/getting-started-index-html . 
@@ -23,18 +13,4 @@ docker image ls To push the docker image to Docker Hub, execute: ``` docker push bobby84/getting-started-index-html -``` - -To run the playbook_docker.yml, execute the bellow command: -``` -ansible-playbook playbook_docker.yml -``` - -To run the ansible playbook with encrypted docker credentials and push the image to Docker Hub, execute: -``` -ansible-playbook --ask-vault-pass playbook_docker.yml -``` - -To run ***github_actions_hw.yml*** workflow, any change should be done in the README.md file and should be -commited and pushed to GitHub. Then a PR should be made to the main branch and merged. It will trigger the -Actions tab in GitHub. \ No newline at end of file +``` \ No newline at end of file diff --git a/ansible/README.md b/ansible/README.md new file mode 100644 index 000000000..0a0ad2034 --- /dev/null +++ b/ansible/README.md @@ -0,0 +1,11 @@ +***ANSIBLE README*** + +To run the playbook_docker.yml, execute the bellow command: +``` +ansible-playbook playbook_docker.yml +``` + +To run the ansible playbook with encrypted docker credentials and push the image to Docker Hub, execute: +``` +ansible-playbook --ask-vault-pass playbook_docker.yml +``` \ No newline at end of file diff --git a/playbook.yml b/ansible/playbook.yml similarity index 100% rename from playbook.yml rename to ansible/playbook.yml diff --git a/playbook_docker.yml b/ansible/playbook_docker.yml similarity index 100% rename from playbook_docker.yml rename to ansible/playbook_docker.yml From 47fecfeb75720878d7a53d7c0f58305b1938ac1a Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Sun, 24 Nov 2024 01:20:07 +0200 Subject: [PATCH 02/42] Added GitLeaks scan for secrets and EditorConfig Checker --- .github/workflows/M1-4-2-CI-Practice.yml | 30 ++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/M1-4-2-CI-Practice.yml 
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml new file mode 100644 index 000000000..ea5705de8 --- /dev/null +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -0,0 +1,30 @@ +name: Flask App GitHub Actions Pipeline +run-name: ${{ github.actor }} workflow that triggers on push to a feature branch and perform check on a Flask app repo + +on: + push: + branches: + - feature/M1-4-2-CI-Practice + pull_request: + branches: + - main + +jobs: + scan: + name: GitLeaks scan for secrets + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + editorconfig: + name: EditorConfig Checker + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: editorconfig-checker/action-editorconfig-checker@main + - run: editorconfig-checker From 7e411e16feeccfb37835019dfcdc689eefd9e26e Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Sun, 24 Nov 2024 01:38:24 +0200 Subject: [PATCH 03/42] Added pylint --- .github/workflows/M1-4-2-CI-Practice.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index ea5705de8..67205b0cb 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -1,5 +1,5 @@ name: Flask App GitHub Actions Pipeline -run-name: ${{ github.actor }} workflow that triggers on push to a feature branch and perform check on a Flask app repo +run-name: Flask App GitHub Actions Pipeline on: push: 
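Review bot: The new workflow has no top-level `permissions:` block, so every job runs with the repository's default GITHUB_TOKEN grant, and the editorconfig job pulls `editorconfig-checker/action-editorconfig-checker@main`, a moving branch reference that lets whatever lands upstream execute inside this pipeline. Add `permissions:` / `  contents: read` directly under `run-name:` and pin each third-party action to a full commit SHA with the version as a trailing comment (e.g. `uses: gitleaks/gitleaks-action@<sha> # v2`), since `@v2`-style tags can be moved as well. The `fetch-depth: 0` on the gitleaks checkout is right; the history scan needs the full clone to find secrets in earlier commits.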
@@ -28,3 +28,18 @@ jobs: - uses: actions/checkout@v4 - uses: editorconfig-checker/action-editorconfig-checker@main - run: editorconfig-checker + + python-pylint: + name: Executes pylint + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v1 + + - name: Lint + uses: gabriel-milan/action-pylint@v1 + with: + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} # GitHub token + path: "./*.py" # Glob pattern for files to lint + fail: true # Fail the action if pylint errors are found + pr-message: true # Send a PR message if pylint errors are found From 5d1101bbb73a4b483a091740596522b8263e00f5 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Sun, 24 Nov 2024 01:49:53 +0200 Subject: [PATCH 04/42] Added Python Black --- .github/workflows/M1-4-2-CI-Practice.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 67205b0cb..772dce1f4 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -43,3 +43,13 @@ jobs: path: "./*.py" # Glob pattern for files to lint fail: true # Fail the action if pylint errors are found pr-message: true # Send a PR message if pylint errors are found + + python-black: + name: Python Black + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Python Black + uses: cytopia/docker-black@0.8 + with: + path: 'src/' \ No newline at end of file From 57fa6449f4a438560ec8076d66bb97707d9d8465 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Sun, 24 Nov 2024 01:52:01 +0200 Subject: [PATCH 05/42] remove a line path --- .github/workflows/M1-4-2-CI-Practice.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 772dce1f4..81c8f0b3a 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml 
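Review bot: The pylint job passes `GITHUB_TOKEN` to a third-party action pinned only by a movable tag (`gabriel-milan/action-pylint@v1`), and with `pr-message: true` that action needs `pull-requests: write`, which is never granted explicitly — under a read-only default it will fail to comment, and under a permissive default the token is broader than this job needs. Pin the action to a commit SHA and scope the job with `permissions:` / `  contents: read` / `  pull-requests: write`; also move the checkout to `actions/checkout@v4` as the other jobs in this file already do, rather than the much older `@v1`. `path: "./*.py"` only matches top-level files, so confirm that is where the Flask sources actually live or the lint step passes vacuously.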
@@ -51,5 +51,3 @@ jobs: - uses: actions/checkout@v3 - name: Python Black uses: cytopia/docker-black@0.8 - with: - path: 'src/' \ No newline at end of file From a826ccae524f1191c0db95f426d696873387c472 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Sun, 24 Nov 2024 02:23:16 +0200 Subject: [PATCH 06/42] added Markdownlint CLI --- .github/workflows/M1-4-2-CI-Practice.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 81c8f0b3a..b8214aee4 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -10,7 +10,7 @@ on: - main jobs: - scan: + gitleaks-scan: name: GitLeaks scan for secrets runs-on: ubuntu-latest steps: @@ -24,6 +24,7 @@ jobs: editorconfig: name: EditorConfig Checker runs-on: ubuntu-latest + needs: gitleaks-scan steps: - uses: actions/checkout@v4 - uses: editorconfig-checker/action-editorconfig-checker@main @@ -32,6 +33,7 @@ jobs: python-pylint: name: Executes pylint runs-on: ubuntu-latest + needs: gitleaks-scan steps: - name: Checkout uses: actions/checkout@v1 @@ -47,7 +49,20 @@ jobs: python-black: name: Python Black runs-on: ubuntu-latest + needs: gitleaks-scan steps: - uses: actions/checkout@v3 - name: Python Black uses: cytopia/docker-black@0.8 + + markdownlint-cli: + name: Markdownlint CLI + runs-on: ubuntu-latest + needs: gitleaks-scan + steps: + - name: Install Markdownlint CLI + run: npm install -g markdownlint-cli + + - name: Run Markdownlint + run: markdownlint **/*.md + From be56bb5d3321e3bbea86ef584ebb176404242566 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Sun, 24 Nov 2024 02:30:58 +0200 Subject: [PATCH 07/42] added unittests --- .github/workflows/M1-4-2-CI-Practice.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index b8214aee4..1b577508c 100644 
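Review bot: The new `markdownlint-cli` job never checks out the repository, so `markdownlint **/*.md` runs against an empty workspace and either passes without linting anything or errors on the unmatched glob. Add `- uses: actions/checkout@v4` as the first step, and pin the tool instead of installing whatever is latest on npm at run time (`npm install -g markdownlint-cli@<version>`) so the gate's behaviour is reproducible. The `needs: gitleaks-scan` edges added to the other jobs are reasonable; they just make every lint job wait on the secret scan.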
--- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -66,3 +66,23 @@ jobs: - name: Run Markdownlint run: markdownlint **/*.md + unittests: + name: Unit Tests + runs-on: ubuntu-latest + needs: gitleaks-scan + steps: + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.x' + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + + - name: Run unit tests + run: python -m unittest discover \ No newline at end of file From cb8c44ec79fb8ce78f0eca451c3a1620912b891f Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Sun, 24 Nov 2024 02:35:10 +0200 Subject: [PATCH 08/42] updated unittests --- .github/workflows/M1-4-2-CI-Practice.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 1b577508c..c125e9c80 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -85,4 +85,4 @@ jobs: pip install -r requirements.txt - name: Run unit tests - run: python -m unittest discover \ No newline at end of file + run: python -m unittest discover -s app -p "*.py" \ No newline at end of file From 169537ce48a1db1391897bbfc169add94867d917 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Sun, 24 Nov 2024 02:35:22 +0200 Subject: [PATCH 09/42] updated unittests --- .github/workflows/M1-4-2-CI-Practice.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index c125e9c80..414d01e8a 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml 
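Review bot: The unit-test job runs `pip install -r requirements.txt` with no integrity check, so if requirements.txt is not fully pinned the code executed on the runner is whatever PyPI resolves at that moment, which undercuts the point of the surrounding scanning jobs. Generate a hash-pinned requirements file and install with `pip install --require-hashes -r requirements.txt`; consider replacing the floating `python-version: '3.x'` with the interpreter version the Dockerfile actually ships so the tests exercise the runtime that gets deployed.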
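Review bot: `python -m unittest discover -s app -p "*.py"` imports every module under `app/` as if it were a test module, so the Flask application module itself is executed at import time inside the test job, along with any module-level side effects it has. Restrict discovery to test modules with the conventional pattern, `-p "test*.py"`, or point `-s` at a dedicated tests directory.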
@@ -85,4 +85,4 @@ jobs: pip install -r requirements.txt - name: Run unit tests - run: python -m unittest discover -s app -p "*.py" \ No newline at end of file + run: python -m unittest discover -s app -p "*.py" From 4457217f896ef4393227380ebe073ed0d1581bd7 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Sun, 24 Nov 2024 02:48:41 +0200 Subject: [PATCH 10/42] added sonarcloud --- .github/workflows/M1-4-2-CI-Practice.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 414d01e8a..7a1ae6bb1 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -86,3 +86,16 @@ jobs: - name: Run unit tests run: python -m unittest discover -s app -p "*.py" + + sonarcloud: + runs-on: ubuntu-latest + needs: [gitleaks-scan, editorconfig, python-pylint, python-black, markdownlint-cli, unittests] + steps: + - uses: actions/checkout@v4 + with: + # Disabling shallow clone is recommended for improving relevancy of reporting + fetch-depth: 0 + - name: SonarCloud Scan + uses: sonarsource/sonarcloud-github-action@v3.1.0 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} From 371928bbda01c3d69a7f4e624ecdb6f716467d4b Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Sun, 24 Nov 2024 03:02:13 +0200 Subject: [PATCH 11/42] updated sonarcloud --- .github/workflows/M1-4-2-CI-Practice.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 7a1ae6bb1..4668a53ad 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -99,3 +99,4 @@ jobs: uses: sonarsource/sonarcloud-github-action@v3.1.0 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + From c2bdcc7aa11c0bd44a12084cde8ed2ff0e2f13ff Mon Sep 17 00:00:00 2001 
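Review bot: The SonarCloud step reads `secrets.SONAR_TOKEN`, but the workflow also triggers on `pull_request` to `main`, and GitHub does not expose repository secrets to pull requests from forks, so this job fails for exactly the external contributions a SAST gate is meant to vet. Either guard the step with `if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository` or document that fork PRs are expected to fail here; do not switch to `pull_request_target`, which would run untrusted PR code with secrets available. Pin `sonarsource/sonarcloud-github-action@v3.1.0` to its commit SHA as well, since release tags are movable.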
From: bobbyboneva Date: Sun, 24 Nov 2024 03:15:55 +0200 Subject: [PATCH 12/42] updated sonarcloud --- .github/workflows/M1-4-2-CI-Practice.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 4668a53ad..fe88e1179 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -97,6 +97,10 @@ jobs: fetch-depth: 0 - name: SonarCloud Scan uses: sonarsource/sonarcloud-github-action@v3.1.0 + with: + args: + -Dsonar.organization=boyanaboneva + -Dsonar.projectKey=boyanaboneva/devops-programme env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} From b54f0f322332de3ad7b013a55389a68eaebd0513 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 00:43:44 +0200 Subject: [PATCH 13/42] updated sonarcloud projectkey --- .github/workflows/M1-4-2-CI-Practice.yml | 4 ++-- vault.yml => ansible/vault.yml | 0 2 files changed, 2 insertions(+), 2 deletions(-) rename vault.yml => ansible/vault.yml (100%) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index fe88e1179..75e8d407d 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -98,9 +98,9 @@ jobs: - name: SonarCloud Scan uses: sonarsource/sonarcloud-github-action@v3.1.0 with: - args: + args: > -Dsonar.organization=boyanaboneva - -Dsonar.projectKey=boyanaboneva/devops-programme + -Dsonar.projectKey=boyanaboneva_devops-programme env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/vault.yml b/ansible/vault.yml similarity index 100% rename from vault.yml rename to ansible/vault.yml From 875dfd4d5863e42f0f4af4bb011081944143e745 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 01:03:44 +0200 Subject: [PATCH 14/42] added Snyk --- .github/workflows/M1-4-2-CI-Practice.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
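Review bot: `args: >` folds the two `-D` flags onto one line but keeps the trailing newline, so the value handed to the scanner ends in `\n`; `args: >-` strips it and is the conventional form for a single-line argument string. The same commit moves `vault.yml` under `ansible/`; if that file holds the Docker Hub credentials the README describes, confirm it is ansible-vault encrypted before it lands in history, since gitleaks' pattern matching will not necessarily flag a plaintext YAML password and cannot help once a vault blob is committed.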
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 75e8d407d..124373ff6 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -88,6 +88,7 @@ jobs: run: python -m unittest discover -s app -p "*.py" sonarcloud: + name: Sonarcloud scan runs-on: ubuntu-latest needs: [gitleaks-scan, editorconfig, python-pylint, python-black, markdownlint-cli, unittests] steps: @@ -104,3 +105,14 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + snyk: + name: Snyk scan + runs-on: ubuntu-latest + needs: [gitleaks-scan, editorconfig, python-pylint, python-black, markdownlint-cli, unittests] + steps: + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/node@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + From 6f56e8b380b50e2bd502a68969063675a5bed0a9 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 01:12:00 +0200 Subject: [PATCH 15/42] updated Snyk --- .github/workflows/M1-4-2-CI-Practice.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 124373ff6..e9eee9975 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -111,6 +111,9 @@ jobs: needs: [gitleaks-scan, editorconfig, python-pylint, python-black, markdownlint-cli, unittests] steps: - uses: actions/checkout@master + - name: Install dependencies + run: | + pip install -r requirements.txt - name: Run Snyk to check for vulnerabilities uses: snyk/actions/node@master env: From 5e042e9c6bd3d8d8024a9ba14ade67947109422b Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 01:16:32 +0200 Subject: [PATCH 16/42] updated Snyk --- .github/workflows/M1-4-2-CI-Practice.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index e9eee9975..1c69c1fd5 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -113,6 +113,7 @@ jobs: - uses: actions/checkout@master - name: Install dependencies run: | + python -m pip install --upgrade pip pip install -r requirements.txt - name: Run Snyk to check for vulnerabilities uses: snyk/actions/node@master From 8caafd81269710bee7c92e8dbefe55828ccc68dc Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 01:23:19 +0200 Subject: [PATCH 17/42] updated Snyk --- .github/workflows/M1-4-2-CI-Practice.yml | 27 ++++++++++++++++-------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 1c69c1fd5..c1c1cc138 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -110,13 +110,22 @@ jobs: runs-on: ubuntu-latest needs: [gitleaks-scan, editorconfig, python-pylint, python-black, markdownlint-cli, unittests] steps: - - uses: actions/checkout@master - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/node@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + - name: Checkout repository + uses: actions/checkout@v2 + - name: Specify Python version + uses: actions/setup-python@v2 + with: + python-version: '3.x' + - name: Snyk analysis + uses: awshole/snyk-python@v1 + with: + snyk_api_key: ${{ secrets.SNYK_TOKEN }} + path_to_dependency_file: requirements.txt + upload_sarif: true + snyk_github_integration_token: ${{ github.token }} + repository: ${{ github.repository }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{ github.workspace }}/snyk.sarif 
From 7821736735f3e78e2c0079ad1486f6aca4d7630a Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 01:34:45 +0200 Subject: [PATCH 18/42] updated Snyk --- .github/workflows/M1-4-2-CI-Practice.yml | 22 +++++----------------- 1 file changed, 5 insertions(+), 17 deletions(-) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index c1c1cc138..0b8c1e7f9 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -110,22 +110,10 @@ jobs: runs-on: ubuntu-latest needs: [gitleaks-scan, editorconfig, python-pylint, python-black, markdownlint-cli, unittests] steps: - - name: Checkout repository - uses: actions/checkout@v2 - - name: Specify Python version - uses: actions/setup-python@v2 + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/python-3.10@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - python-version: '3.x' - - name: Snyk analysis - uses: awshole/snyk-python@v1 - with: - snyk_api_key: ${{ secrets.SNYK_TOKEN }} - path_to_dependency_file: requirements.txt - upload_sarif: true - snyk_github_integration_token: ${{ github.token }} - repository: ${{ github.repository }} - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ${{ github.workspace }}/snyk.sarif + args: --severity-threshold=high From 5aabb97a56931a100ba21b70ca2e3b3bdf4150b1 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 01:49:20 +0200 Subject: [PATCH 19/42] updated Snyk --- .github/workflows/M1-4-2-CI-Practice.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 0b8c1e7f9..781f2a9ce 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml 
@@ -110,10 +110,11 @@ jobs: runs-on: ubuntu-latest needs: [gitleaks-scan, editorconfig, python-pylint, python-black, markdownlint-cli, unittests] steps: - - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/python-3.10@master + - uses: actions/checkout@v2 + - name: Run Snyk to check IAC files for issues + uses: snyk/actions/iac@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - args: --severity-threshold=high - + file: . (This should be the paths in which to scan files with issues.) + sarif: true \ No newline at end of file From 9d5ee1b2832f04c44ff5dbe7b3246a6c0340a5ca Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 01:56:08 +0200 Subject: [PATCH 20/42] updated Snyk --- .github/workflows/M1-4-2-CI-Practice.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 781f2a9ce..0ec59c6c3 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -110,11 +110,8 @@ jobs: runs-on: ubuntu-latest needs: [gitleaks-scan, editorconfig, python-pylint, python-black, markdownlint-cli, unittests] steps: - - uses: actions/checkout@v2 - - name: Run Snyk to check IAC files for issues - uses: snyk/actions/iac@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - file: . (This should be the paths in which to scan files with issues.) - sarif: true \ No newline at end of file + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/python@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} \ No newline at end of file From f1a69fa56af13937cf2c3472af27a26798e24330 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 02:09:47 +0200 Subject: [PATCH 21/42] updated Snyk --- .github/workflows/M1-4-2-CI-Practice.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
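Review bot: Both steps in the rewritten Snyk job reference a moving branch — `actions/checkout@master` and `snyk/actions/python@master` — so the code that receives `SNYK_TOKEN` is whatever those repositories' default branch points at when the job runs; pin both to a commit SHA (`actions/checkout@<sha> # v4`, `snyk/actions/python@<sha>`). The earlier `pip install -r requirements.txt` step was dropped in this rewrite; Snyk's pip scanning generally expects dependencies to be resolved or installed first, so confirm the action still finds a project to test rather than reporting an empty one as clean.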
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 0ec59c6c3..f63e6a5c1 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -114,4 +114,6 @@ jobs: - name: Run Snyk to check for vulnerabilities uses: snyk/actions/python@master env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} \ No newline at end of file + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --severity-threshold=high From 7708855fa9b46ba5ad8cdce4d07d25dfc3c51d91 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 02:13:47 +0200 Subject: [PATCH 22/42] updated Snyk --- .github/workflows/M1-4-2-CI-Practice.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index f63e6a5c1..b577fd7ae 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -113,7 +113,9 @@ jobs: - uses: actions/checkout@master - name: Run Snyk to check for vulnerabilities uses: snyk/actions/python@master + continue-on-error: true # To make sure that SARIF upload gets called env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --severity-threshold=high + From 0d090cbd13034052be231125ca5c1c685c402462 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 15:38:46 +0200 Subject: [PATCH 23/42] added docker image --- .github/workflows/M1-4-2-CI-Practice.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index b577fd7ae..e31b93f65 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml 
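Review bot: `continue-on-error: true` on the Snyk step turns the vulnerability gate into a no-op: a failing `snyk test` no longer fails the job, and the comment `# To make sure that SARIF upload gets called` refers to an upload step that was removed a few commits earlier, so nothing consumes the result either. Drop the `continue-on-error` line so `--severity-threshold=high` actually blocks downstream jobs; if the intent is to report rather than block, add `--sarif-file-output=snyk.sarif` to `args`, re-add a `github/codeql-action/upload-sarif` step with `security-events: write`, and keep the comment next to the upload it describes.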
@@ -119,3 +119,19 @@ jobs: with: args: --severity-threshold=high + docker-image: + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + steps: + - name: Checkout repo + uses: actions/checkout@v3 + + - name: Login to DockerHub + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + From 265f0f9414b1c2f31f930acbd97507d376b82167 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 15:47:16 +0200 Subject: [PATCH 24/42] added dependency in the docker image --- .github/workflows/M1-4-2-CI-Practice.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index e31b93f65..9851f93c6 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -121,6 +121,7 @@ jobs: docker-image: runs-on: ubuntu-latest + needs: [unittests, snyk, sonarcloud] permissions: contents: read id-token: write From a501f9be4d3b121d6fb501ee016b8aba0295fdbf Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 15:56:23 +0200 Subject: [PATCH 25/42] added build docker image --- .github/workflows/M1-4-2-CI-Practice.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 9851f93c6..819747300 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml 
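Review bot: The new `docker-image` job logs into Docker Hub on every trigger, including `pull_request` runs, and grants itself `id-token: write` although nothing in the job requests an OIDC token. Remove `id-token: write` to keep the job at least privilege, and gate it on the trusted branch with `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` so code from a pull request never runs in a job that holds registry credentials. `docker/login-action@v2` and `actions/checkout@v3` should also be pinned to commit SHAs like the rest of the pipeline.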
@@ -135,4 +135,21 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} + - id: docker-publish + name: Build image + uses: bitovi/github-actions-docker-publish@v1.0.3 + with: + docker_username: ${{ secrets.DOCKERHUB_USERNAME }} + docker_password: ${{ secrets.DOCKERHUB_PASSWORD }} + checkout: 'false' + image_tag: it + sha: 'true' # won't do anything since image_tag is set + org_name: bitovi + repo_name: deploy-eks-helm + build_args: --build-arg git_personal_token=PAT_token + working-directory: ./app/inner-folder + - run: | + echo "Image Created: ${{ env.image }}" + echo "Tag Created: ${{ env.tag }}" + From c246f338937cdbfa2403a9aa25888e89fa752803 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 16:01:27 +0200 Subject: [PATCH 26/42] updated build docker image --- .github/workflows/M1-4-2-CI-Practice.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 819747300..8df42a6dc 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml @@ -140,7 +140,7 @@ jobs: uses: bitovi/github-actions-docker-publish@v1.0.3 with: docker_username: ${{ secrets.DOCKERHUB_USERNAME }} - docker_password: ${{ secrets.DOCKERHUB_PASSWORD }} + docker_password: ${{ secrets.DOCKERHUB_TOKEN }} checkout: 'false' image_tag: it sha: 'true' # won't do anything since image_tag is set From b6cb4c9f693b337d1b763c0de2beeb22f18e2f01 Mon Sep 17 00:00:00 2001 From: bobbyboneva Date: Mon, 25 Nov 2024 16:54:02 +0200 Subject: [PATCH 27/42] updated build docker image with tag --- .github/workflows/M1-4-2-CI-Practice.yml | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml index 8df42a6dc..5d1961fad 100644 --- a/.github/workflows/M1-4-2-CI-Practice.yml +++ b/.github/workflows/M1-4-2-CI-Practice.yml 
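Review bot: The bitovi publish step carries the upstream README's example values verbatim — `org_name: bitovi`, `repo_name: deploy-eks-helm`, `working-directory: ./app/inner-folder` and `build_args: --build-arg git_personal_token=PAT_token` — so as written it would try to push this project's image under another organisation's repository name and pass a placeholder token as a build argument. Build args are recorded in the image's layer history, so a real token there would ship inside the published image; use BuildKit secrets (`--secret`) for anything sensitive and replace the copied values with this repository's own image name before this step runs against real credentials.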
@@ -135,19 +135,12 @@ jobs:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
- - id: docker-publish
- name: Build image
- uses: bitovi/github-actions-docker-publish@v1.0.3
+ - name: Build image
+ uses: docker/build-push-action@v6
 with:
- docker_username: ${{ secrets.DOCKERHUB_USERNAME }}
- docker_password: ${{ secrets.DOCKERHUB_TOKEN }}
- checkout: 'false'
- image_tag: it
- sha: 'true' # won't do anything since image_tag is set
- org_name: bitovi
- repo_name: deploy-eks-helm
- build_args: --build-arg git_personal_token=PAT_token
- working-directory: ./app/inner-folder
+ context: .
+ push: true
+ tags: ${{ github.sha }}
 - run: |
 echo "Image Created: ${{ env.image }}"
 echo "Tag Created: ${{ env.tag }}"
From 502864aeecc6cdae541f4a8894f76d4ef4e4505e Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 17:04:29 +0200
Subject: [PATCH 28/42] updated build docker image
---
 .github/workflows/M1-4-2-CI-Practice.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index 5d1961fad..7bbabca0f 100644
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -136,13 +136,11 @@ jobs:
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Build image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@v2
 with:
 context: .
 push: true
 tags: ${{ github.sha }}
- - run: |
- echo "Image Created: ${{ env.image }}"
- echo "Tag Created: ${{ env.tag }}"
+
From 7a0baf6664461ac9c4f21ae2e9428056530a13e9 Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 17:13:14 +0200
Subject: [PATCH 29/42] updated docker tags
---
 .github/workflows/M1-4-2-CI-Practice.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index 7bbabca0f..6828927a2 100644
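Review bot: `tags: ${{ github.sha }}` is a bare commit SHA with no namespace or image name, so with `push: true` there is no Docker Hub repository for the push to land in; the tag should be a full reference such as `tags: ${{ secrets.DOCKERHUB_USERNAME }}/<image-name>:${{ github.sha }}`. The `run` step kept as context below still echoes `env.image` and `env.tag`, which this build step does not set (build-push-action exposes its results as step outputs, which require an `id:` on the step). Because the push happens here, before any scan in this job, consider `push: false` on the build and a separate push step once checks pass.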
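Review bot: `uses: docker/build-push-action@v2` downgrades to a superseded major of the action while `tags: ${{ github.sha }}` is left unchanged, so the missing namespace in the image reference is not addressed by the version change and the commit message does not say what the downgrade is for. Prefer staying on the current major and pinning it to a commit SHA (`uses: docker/build-push-action@<commit-sha> # v6`). The deleted echo step was the only place the build result was surfaced; if the digest is wanted, give the build step an `id:` and read its `digest` output instead of undefined `env.*` values.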
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -140,7 +140,7 @@ jobs:
 with:
 context: .
 push: true
- tags: ${{ github.sha }}
+ tags: ${{ env.REGISTRY }}/${{ github.sha }}
From b51f0641f659dfbc6a80e6ecb29e3b7d7cf4dbd2 Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 17:17:58 +0200
Subject: [PATCH 30/42] updated docker tags
---
 .github/workflows/M1-4-2-CI-Practice.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index 6828927a2..08b5eadab 100644
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -130,7 +130,7 @@ jobs:
 uses: actions/checkout@v3
 - name: Login to DockerHub
- uses: docker/login-action@v2
+ uses: docker/login-action@v6
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -140,7 +140,7 @@ jobs:
 with:
 context: .
 push: true
- tags: ${{ env.REGISTRY }}/${{ github.sha }}
+ tags: ${{ secrets.DOCKER_USERNAME }}/${{ github.sha }}
From 8e91f193f326f6cd7f37fb7cc109667b720af1ec Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 17:21:56 +0200
Subject: [PATCH 31/42] updated uses
---
 .github/workflows/M1-4-2-CI-Practice.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index 08b5eadab..73760695e 100644
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -130,13 +130,13 @@ jobs:
 uses: actions/checkout@v3
 - name: Login to DockerHub
- uses: docker/login-action@v6
+ uses: docker/login-action@v2
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Build image
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@v6
 with:
 context: .
 push: true
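Review bot: `tags: ${{ env.REGISTRY }}/${{ github.sha }}` depends on a `REGISTRY` environment variable that nothing in this hunk defines; if it is not set in an `env:` block elsewhere in the workflow the expression expands to an empty string and the tag becomes `/<sha>`, which is not a valid image reference. Either define `REGISTRY` in a job-level `env:` block or write the namespace directly into the tag. The reference also still has no image name before the `:` separator, so the SHA is being used as the repository name rather than as a tag.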
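Review bot: `tags: ${{ secrets.DOCKER_USERNAME }}/${{ github.sha }}` reads a different secret name than the login step in the hunk above (`DOCKERHUB_USERNAME`), so unless both secrets exist with the same value the image is tagged under an empty or wrong namespace while the login succeeds. Separately, building the image name from a secret means GitHub masks it in every log line, so the pushed reference prints as `***/<sha>` and cannot be copied from the run output; a Docker Hub username is not sensitive and is better kept as a repository variable read via `vars.DOCKERHUB_USERNAME`. The same pattern is carried into the later `tags` and `image-ref` hunks in this series.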
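Review bot: `uses: docker/login-action@v2` and `uses: docker/build-push-action@v6` are floating major tags in a job that holds registry credentials; pin both to a full commit SHA with the version in a trailing comment (`uses: docker/login-action@<commit-sha> # v3`) so that a moved tag cannot change what runs with the token. login-action v2 is also a superseded major; v3 is the current line. The previous commit's `@v6` for login-action did not correspond to a published release, which is presumably why it is reverted here, and a SHA pin with a version comment avoids that kind of trial-and-error.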
From 8e2666b2d92844f2937f8af2b0ee201acbd780bc Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 17:26:28 +0200
Subject: [PATCH 32/42] updated secrets
---
 .github/workflows/M1-4-2-CI-Practice.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index 73760695e..98819e594 100644
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -140,7 +140,7 @@ jobs:
 with:
 context: .
 push: true
- tags: ${{ secrets.DOCKER_USERNAME }}/${{ github.sha }}
+ tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.sha }}
From 4f58b40fd7597c33a371e874a646d71a5a21f2e6 Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 17:43:48 +0200
Subject: [PATCH 33/42] added trivy
---
 .github/workflows/M1-4-2-CI-Practice.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index 98819e594..966289db0 100644
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -119,7 +119,7 @@ jobs:
 with:
 args: --severity-threshold=high
- docker-image:
+ docker-image-build-push-trivy-scan:
 runs-on: ubuntu-latest
 needs: [unittests, snyk, sonarcloud]
 permissions:
@@ -142,5 +142,10 @@ jobs:
 push: true
 tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.sha }}
-
+ - uses: actions/checkout@v2
+ - name: Run Trivy
+ uses: anvayacloud/trivy-action@main
+ with:
+ image_name: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.sha }}
+ format: "json"
From 7cf33b2caa85a4afce9cd6ea66c71fa2edb35e61 Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 17:50:49 +0200
Subject: [PATCH 34/42] updated trivy
---
 .github/workflows/M1-4-2-CI-Practice.yml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
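Review bot: `uses: anvayacloud/trivy-action@main` runs a third-party action from a mutable branch inside a job that has just logged in to Docker Hub, so whatever is pushed to that branch in future runs here unreviewed with the credentials present. Pin it to a tag or, better, a commit SHA, or use the upstream `aquasecurity/trivy-action` pinned the same way. The scan also runs after `push: true` on the build step, so a vulnerable image is already public by the time Trivy reports; scan the locally built image first and push only afterwards. The added `- uses: actions/checkout@v2` is redundant with the `actions/checkout@v3` at the top of the job and uses an older major.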
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index 966289db0..b1859f16f 100644
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -119,7 +119,7 @@ jobs:
 with:
 args: --severity-threshold=high
- docker-image-build-push-trivy-scan:
+ docker-trivy:
 runs-on: ubuntu-latest
 needs: [unittests, snyk, sonarcloud]
 permissions:
@@ -135,7 +135,7 @@ jobs:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Build image
+ - name: Build docker image
 uses: docker/build-push-action@v6
 with:
 context: .
@@ -143,9 +143,10 @@ jobs:
 tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.sha }}
 - uses: actions/checkout@v2
- - name: Run Trivy
- uses: anvayacloud/trivy-action@main
+ - name: Trivy scan
+ uses: dataswift/gha-trivy@v3.0.0
 with:
- image_name: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.sha }}
- format: "json"
+ token: ${{ secrets.GITHUB_TOKEN }}
+ image: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.sha }}
+
From 2533a89d4d29ad710c854e9203ff559f0e31cad3 Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 17:59:38 +0200
Subject: [PATCH 35/42] updated trivy severity
---
 .github/workflows/M1-4-2-CI-Practice.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index b1859f16f..08347fe7d 100644
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -148,5 +148,6 @@ jobs:
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 image: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.sha }}
+ severity: 'CRITICAL,HIGH'
From d9c72429251fda4d211b58acd2135eaef2b9660b Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 18:07:21 +0200
Subject: [PATCH 36/42] removed trivy severity
---
 .github/workflows/M1-4-2-CI-Practice.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
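Review bot: `token: ${{ secrets.GITHUB_TOKEN }}` hands the workflow token to a third-party action (`dataswift/gha-trivy@v3.0.0`) pinned only by tag; pin it to a commit SHA, and confirm that the job's `permissions:` block (its key is visible in the first hunk of this commit, its contents are outside this view) grants only what the action needs for that token, such as `contents: read` plus whatever it writes with it. The `- uses: actions/checkout@v2` context line kept above the scan is still redundant with the checkout at the top of the job. Putting the scan step's `image` together with `token` in the same `with:` block means a compromised or buggy action has both a registry-resident image name and a write-capable token, which is one more reason to scope the permissions tightly.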
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index 08347fe7d..3456841fb 100644
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -142,12 +142,11 @@ jobs:
 push: true
 tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.sha }}
- - uses: actions/checkout@v2
+ # - uses: actions/checkout@v2
 - name: Trivy scan
- uses: dataswift/gha-trivy@v3.0.0
+ uses: lazy-actions/gitrivy@v3
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 image: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.sha }}
- severity: 'CRITICAL,HIGH'
From 2e9283d7a9fe672ab8acd1617b2c87c0a7cad226 Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 18:16:22 +0200
Subject: [PATCH 37/42] updated trivy scan
---
 .github/workflows/M1-4-2-CI-Practice.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index 3456841fb..a643e565c 100644
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -140,13 +140,15 @@ jobs:
 with:
 context: .
 push: true
- tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.sha }}
+ tags: ${{ secrets.DOCKERHUB_USERNAME }}/flaskapp:${{ github.sha }}
- # - uses: actions/checkout@v2
 - name: Trivy scan
- uses: lazy-actions/gitrivy@v3
+ uses: aquasecurity/trivy-action@0.28.0
 with:
- token: ${{ secrets.GITHUB_TOKEN }}
- image: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.sha }}
+ image-ref: ${{ vars.DOCKERHUB_USERNAME }}/flaskapp:${{ github.sha }}
+ format: "table"
+ exit-code: "1"
+ ignore-unfixed: true
+ vuln-type: "os,library"
From 21218a582da05c5ef9c6d754dcf6566df13cc818 Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 18:28:32 +0200
Subject: [PATCH 38/42] updated trivy scan
---
 .github/workflows/M1-4-2-CI-Practice.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
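Review bot: `+ # - uses: actions/checkout@v2` leaves a commented-out step in the workflow instead of deleting it; the step was redundant with the checkout at the top of the job, so remove the line rather than keeping dead configuration that a later edit may uncomment by accident. Swapping to `uses: lazy-actions/gitrivy@v3` is the third scanner action in three commits, each pinned only by tag and each receiving `token: ${{ secrets.GITHUB_TOKEN }}`; whichever one is settled on should be pinned to a commit SHA. Dropping `severity: 'CRITICAL,HIGH'` changes what the scan reports, which the commit message states but does not justify.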
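Review bot: `exit-code: "1"` makes the Trivy step a real gate, but `push: true` on the build step a few lines above still publishes the image before the scan runs, so a failing scan only fails the job after the vulnerable tag is already on Docker Hub; set `push: false` on the build and push in a later step that runs only after the scan passes. `image-ref` reads `vars.DOCKERHUB_USERNAME` while the `tags` line reads `secrets.DOCKERHUB_USERNAME`; if only one of the two is defined, the scan targets a different name than was built and Trivy will not find the image. Switching to the upstream `aquasecurity/trivy-action@0.28.0` is the right direction; pin it to a commit SHA with `# 0.28.0` in a trailing comment.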
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index a643e565c..39a5bf88d 100644
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -145,10 +145,11 @@ jobs:
 - name: Trivy scan
 uses: aquasecurity/trivy-action@0.28.0
 with:
- image-ref: ${{ vars.DOCKERHUB_USERNAME }}/flaskapp:${{ github.sha }}
+ image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/flaskapp:${{ github.sha }}
 format: "table"
 exit-code: "1"
 ignore-unfixed: true
 vuln-type: "os,library"
+ severity: 'CRITICAL,HIGH'
From 9a1945bbeb4973e4dcc8ac34305981fc9dbf566d Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 18:41:03 +0200
Subject: [PATCH 39/42] updated trivy scan
---
 .github/workflows/M1-4-2-CI-Practice.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index 39a5bf88d..772dee42c 100644
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -147,9 +147,11 @@ jobs:
 with:
 image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/flaskapp:${{ github.sha }}
 format: "table"
+ cache: true
 exit-code: "1"
 ignore-unfixed: true
 vuln-type: "os,library"
 severity: 'CRITICAL,HIGH'
+
From 825a2b358958a31956647ed99658c962db88d9b5 Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 18:48:26 +0200
Subject: [PATCH 40/42] added trivy cache
---
 .github/workflows/M1-4-2-CI-Practice.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index 772dee42c..708dd205f 100644
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -147,7 +147,7 @@ jobs:
 with:
 image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/flaskapp:${{ github.sha }}
 format: "table"
- cache: true
+ cache: false
 exit-code: "1"
 ignore-unfixed: true
 vuln-type: "os,library"
From 78e75258483a237b2e6461ee0d376f5110378264 Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 18:55:01 +0200
Subject: [PATCH 41/42] removed trivy cache & exit-code
---
 .github/workflows/M1-4-2-CI-Practice.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index 708dd205f..50fbeec87 100644
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -147,8 +147,6 @@ jobs:
 with:
 image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/flaskapp:${{ github.sha }}
 format: "table"
- cache: false
- exit-code: "1"
 ignore-unfixed: true
 vuln-type: "os,library"
 severity: 'CRITICAL,HIGH'
From 437d87acb2da79c2ffbb1a1c52e70156f70782ce Mon Sep 17 00:00:00 2001
From: bobbyboneva
Date: Mon, 25 Nov 2024 19:06:15 +0200
Subject: [PATCH 42/42] added docker push
---
 .github/workflows/M1-4-2-CI-Practice.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/M1-4-2-CI-Practice.yml b/.github/workflows/M1-4-2-CI-Practice.yml
index 50fbeec87..2f2daf6c9 100644
--- a/.github/workflows/M1-4-2-CI-Practice.yml
+++ b/.github/workflows/M1-4-2-CI-Practice.yml
@@ -139,7 +139,7 @@ jobs:
 uses: docker/build-push-action@v6
 with:
 context: .
- push: true
+ push: false
 tags: ${{ secrets.DOCKERHUB_USERNAME }}/flaskapp:${{ github.sha }}
 - name: Trivy scan
@@ -151,5 +151,9 @@ jobs:
 vuln-type: "os,library"
 severity: 'CRITICAL,HIGH'
+ - name: Push docker image
+ if: ${{ success() }}
+ run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/flaskapp:${{ github.sha }}
+
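Review bot: Removing `exit-code: "1"` returns `aquasecurity/trivy-action` to its default exit code of 0, so CRITICAL/HIGH findings are still printed in the table but no longer fail the step; the scan becomes report-only and nothing downstream can depend on its result. If the goal was to stop the build failing on the current findings, make that a visible, reviewable choice — keep `exit-code: "1"` together with the `ignore-unfixed: true` already present and record accepted items in a `.trivyignore` file — rather than silently dropping the gate. Removing `cache: false` is harmless on its own.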
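Review bot: `if: ${{ success() }}` on the new push step does not gate on the scan result, because the preceding commit removed `exit-code: "1"` from the Trivy step and the action's default exit code is 0; the scan step succeeds whatever it finds, so the push always runs, and `success()` is in any case the implicit default condition of every step, so the line adds nothing. Restore `exit-code: "1"` on the Trivy step to make the build → scan → push ordering introduced here actually block vulnerable images. With `push: false` and no `load: true`, the built image is only present in the local daemon when the default docker driver is in use; if a `docker/setup-buildx-action` step exists earlier in the job (outside this hunk), add `load: true` to the build step or neither the scan nor `docker push` will find the image.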