diff --git a/.github/workflows/kscan.yml b/.github/workflows/kscan.yml
new file mode 100644
index 0000000000..3a5b5a73aa
--- /dev/null
+++ b/.github/workflows/kscan.yml
@@ -0,0 +1,67 @@
+name: Build and Scan Images
+
+on:
+ push:
+ branches: [ main ]
+
+jobs:
+ build-and-scan:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: us-east-1
+
+ - name: Login to ECR
+ uses: aws-actions/amazon-ecr-login@v1
+
+ - name: Build images
+ run: |
+ docker build -t 545009838166.dkr.ecr.us-east-1.amazonaws.com/examplevotingapp_vote:latest ./vote
+ docker build -t 545009838166.dkr.ecr.us-east-1.amazonaws.com/examplevotingapp_result:latest ./result
+ docker build -t 545009838166.dkr.ecr.us-east-1.amazonaws.com/examplevotingapp_worker:latest ./worker
+
+ - name: Install Sysdig CLI Scanner
+ run: |
+ curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
+ chmod +x sysdig-cli-scanner
+
+ - name: Scan vote image
+ continue-on-error: true
+ env:
+ SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+ run: |
+ ./sysdig-cli-scanner \
+ --apiurl https://app.us4.sysdig.com \
+ 545009838166.dkr.ecr.us-east-1.amazonaws.com/examplevotingapp_vote:latest
+
+ - name: Scan result image
+ continue-on-error: true
+ env:
+ SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+ run: |
+ ./sysdig-cli-scanner \
+ --apiurl https://app.us4.sysdig.com \
+ 545009838166.dkr.ecr.us-east-1.amazonaws.com/examplevotingapp_result:latest
+
+ - name: Scan worker image
+ continue-on-error: true
+ env:
+ SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+ run: |
+ ./sysdig-cli-scanner \
+ --apiurl https://app.us4.sysdig.com \
+ 545009838166.dkr.ecr.us-east-1.amazonaws.com/examplevotingapp_worker:latest
+
+ - name: Push images to ECR
+ run: |
+ docker push 545009838166.dkr.ecr.us-east-1.amazonaws.com/examplevotingapp_vote:latest
+ docker push 545009838166.dkr.ecr.us-east-1.amazonaws.com/examplevotingapp_result:latest
+ docker push 545009838166.dkr.ecr.us-east-1.amazonaws.com/examplevotingapp_worker:latest
diff --git a/.github/workflows/scan_iac.yml b/.github/workflows/scan_iac.yml
new file mode 100644
index 0000000000..6ec99e0ede
--- /dev/null
+++ b/.github/workflows/scan_iac.yml
@@ -0,0 +1,28 @@
+name: Scan IAC
+
+on:
+ push:
+ branches: [ main ]
+ paths:
+ - 'k8s-specifications/**'
+ pull_request:
+ branches: [ main ]
+ paths:
+ - 'k8s-specifications/**'
+
+jobs:
+ iac-scan:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: checkout code
+ uses: actions/checkout@v3
+
+ - name: Scan IAC files
+ uses: sysdiglabs/scan-action@v6
+ with:
+ sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+ sysdig-secure-url: https://app.us4.sysdig.com
+ cli-scanner-version: 1.9.0
+ mode: iac
+ iac-scan-path: ./k8s-specifications
diff --git a/k8s-specifications/db-deployment.yaml b/k8s-specifications/db-deployment.yaml
index bc94ca7368..7c3948212e 100644
--- a/k8s-specifications/db-deployment.yaml
+++ b/k8s-specifications/db-deployment.yaml
@@ -31,3 +31,4 @@ spec:
 volumes:
 - name: db-data
 emptyDir: {}
+# commenting for test
diff --git a/k8s-specifications/db-service.yaml b/k8s-specifications/db-service.yaml
index 104f1e8268..9e143b26d5 100644
--- a/k8s-specifications/db-service.yaml
+++ b/k8s-specifications/db-service.yaml
@@ -13,3 +13,4 @@ spec:
 selector:
 app: db
+# commenting for test
diff --git a/k8s-specifications/vote-deployment.yaml b/k8s-specifications/vote-deployment.yaml
index 165a9478f8..effb40fd89 100644
--- a/k8s-specifications/vote-deployment.yaml
+++ b/k8s-specifications/vote-deployment.yaml
@@ -20,3 +20,4 @@ spec:
 ports:
 - containerPort: 80
 name: vote
+# my test
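Review bot: All three scan steps in kscan.yml carry `continue-on-error: true`, so a failed policy evaluation (or a scanner crash) still reaches the unconditional `Push images to ECR` step and the images are published regardless of the scan result; the scan is not acting as a gate. Dropping the three `continue-on-error: true` lines makes the job stop before the push, or give each scan step an `id:` and guard the push with `if: steps.<scan-step-id>.outcome == 'success'` if the scan outcome should remain visible without blocking. The `Install Sysdig CLI Scanner` step also fetches whatever `latest_version.txt` currently points at, with no version pin and no checksum check, and the binary then runs in a job whose environment holds the AWS credentials exported by `configure-aws-credentials` as well as `SECURE_API_TOKEN`; pinning an explicit scanner version and verifying a published digest before `chmod +x` bounds that exposure. Consider `role-to-assume` with OIDC instead of static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets, and add a job-level `permissions:` block so the default token is read-only.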
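Review bot: The `pull_request` trigger in scan_iac.yml runs `Scan IAC files` with `secrets.SYSDIG_SECURE_TOKEN`, but workflows triggered by pull requests from forks do not receive repository secrets, so such PRs run the step with an empty `sysdig-secure-token` and fail on authentication rather than on a finding; if fork PRs are expected, guard the step with `if: github.event.pull_request.head.repo.full_name == github.repository`, otherwise document that only same-repository PRs are scanned. The step name `checkout code` is also inconsistent with `Checkout code` in kscan.yml. Both new workflows reference actions by mutable tag (`actions/checkout@v3`, `sysdiglabs/scan-action@v6`); pinning to a full commit SHA is the usual supply-chain hardening, and a job-level `permissions: contents: read` limits the default token.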
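Review bot: The added `# commenting for test` line in db-deployment.yaml looks like scaffolding used to exercise the new `Scan IAC` workflow (its `paths` filter watches `k8s-specifications/**`) rather than a change the manifest needs; the same line is added in db-service.yaml and `# my test` in vote-deployment.yaml. Remove the three comments before merge, or replace each with a comment that says something about the resource, so the manifests do not accumulate placeholder noise.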