From 9300558f999c422ca59d96689fe2a72a16174d67 Mon Sep 17 00:00:00 2001 From: sukesh raja Date: Mon, 23 Mar 2026 01:50:21 -0500 Subject: [PATCH 01/14] adding sysdig yaml file --- .github/workflows/sysdig-build.yaml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/workflows/sysdig-build.yaml diff --git a/.github/workflows/sysdig-build.yaml b/.github/workflows/sysdig-build.yaml new file mode 100644 index 0000000000..c75626325c --- /dev/null +++ b/.github/workflows/sysdig-build.yaml @@ -0,0 +1,28 @@ +name: Voting App + +on: + push: + branches: main + pull_request: + +jobs: + build-images: + runs-on: ubuntu-latest + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Build Vote Image + run: docker build -t vote:${{ github.sha }} ./vote + + - name: Build Worker Image + run: docker build -t vote:${{ github.sha }} ./worker + + - name: Build Result Image + run: docker build -t vote:${{ github.sha }} ./result + + - name: Show Built Images + run: docker images + + From f3675d0ad2d5e542decc343b02870373848b2b13 Mon Sep 17 00:00:00 2001 From: sukesh raja Date: Mon, 23 Mar 2026 16:08:07 -0500 Subject: [PATCH 02/14] Adding sysdig scan images --- .github/workflows/sysdig-build.yaml | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sysdig-build.yaml b/.github/workflows/sysdig-build.yaml index c75626325c..b49684bdd7 100644 --- a/.github/workflows/sysdig-build.yaml +++ b/.github/workflows/sysdig-build.yaml 
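Review bot: The new workflow declares no top-level `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope even though it only needs to read the checkout; add `permissions: {contents: read}` next to `name:`. `actions/checkout@v4` is referenced by a mutable tag; pinning to the full commit SHA of the release (with the tag in a trailing comment) makes the action immutable, and the same applies to `sysdiglabs/scan-action@v6` introduced in the next patch. `branches: main` under `push:` is a scalar where the documented form is a list; `branches: [main]` avoids relying on scalar coercion.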
@@ -16,11 +16,32 @@ jobs: - name: Build Vote Image run: docker build -t vote:${{ github.sha }} ./vote + - name: Scan Vote image + id: scan + uses: sysdiglabs/scan-action@v6 + with: + image-tag: vote:${{ github.sha }} + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + - name: Build Worker Image - run: docker build -t vote:${{ github.sha }} ./worker + run: docker build -t worker:${{ github.sha }} ./worker + + - name: Scan Worker image + id: scan + uses: sysdiglabs/scan-action@v6 + with: + image-tag: worker:${{ github.sha }} + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Build Result Image - run: docker build -t vote:${{ github.sha }} ./result + run: docker build -t result:${{ github.sha }} ./result + + - name: Scan Result image + id: scan + uses: sysdiglabs/scan-action@v6 + with: + image-tag: result:${{ github.sha }} + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Show Built Images run: docker images From f0e6e2e175d369969e9cbed5b367968f08241e28 Mon Sep 17 00:00:00 2001 From: sukeshraja <40174880+sukeshraja@users.noreply.github.com> Date: Mon, 23 Mar 2026 16:11:46 -0500 Subject: [PATCH 03/14] Update sysdig-build.yaml --- .github/workflows/sysdig-build.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/sysdig-build.yaml b/.github/workflows/sysdig-build.yaml index b49684bdd7..6790312d42 100644 --- a/.github/workflows/sysdig-build.yaml +++ b/.github/workflows/sysdig-build.yaml @@ -27,7 +27,6 @@ jobs: run: docker build -t worker:${{ github.sha }} ./worker - name: Scan Worker image - id: scan uses: sysdiglabs/scan-action@v6 with: image-tag: worker:${{ github.sha }} @@ -37,7 +36,6 @@ jobs: run: docker build -t result:${{ github.sha }} ./result - name: Scan Result image - id: scan uses: sysdiglabs/scan-action@v6 with: image-tag: result:${{ github.sha }} From 3a803de9aa075eb87e8fbd56f04adf70eb6e29a7 Mon Sep 17 00:00:00 2001 
From: sukeshraja <40174880+sukeshraja@users.noreply.github.com> Date: Mon, 23 Mar 2026 16:25:06 -0500 Subject: [PATCH 04/14] Update sysdig-build.yaml --- .github/workflows/sysdig-build.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/sysdig-build.yaml b/.github/workflows/sysdig-build.yaml index 6790312d42..df213a4e69 100644 --- a/.github/workflows/sysdig-build.yaml +++ b/.github/workflows/sysdig-build.yaml @@ -22,6 +22,7 @@ jobs: with: image-tag: vote:${{ github.sha }} sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + secure-api-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Build Worker Image run: docker build -t worker:${{ github.sha }} ./worker @@ -31,6 +32,7 @@ jobs: with: image-tag: worker:${{ github.sha }} sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + secure-api-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Build Result Image run: docker build -t result:${{ github.sha }} ./result @@ -40,6 +42,7 @@ jobs: with: image-tag: result:${{ github.sha }} sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + secure-api-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Show Built Images run: docker images From bb83ccb5966386774245d75c9e23cab3952252c2 Mon Sep 17 00:00:00 2001 From: sukeshraja <40174880+sukeshraja@users.noreply.github.com> Date: Mon, 23 Mar 2026 16:29:14 -0500 Subject: [PATCH 05/14] Update sysdig-build.yaml --- .github/workflows/sysdig-build.yaml | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/.github/workflows/sysdig-build.yaml b/.github/workflows/sysdig-build.yaml index df213a4e69..1bc28ba345 100644 --- a/.github/workflows/sysdig-build.yaml +++ b/.github/workflows/sysdig-build.yaml 
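Review bot: Each of the three scan steps now passes the same secret under two input names, `sysdig-secure-token` and `secure-api-token`; it is unlikely the action declares both, and GitHub flags any undeclared `with:` key with an "Unexpected input" warning while silently ignoring its value. Check the documented inputs for the `v6` tag and keep only that key; the same duplication is in the Worker and Result hunks of this patch. If the doubled key was meant to cover a rename between action versions, the version pin is where that belongs, not the inputs.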
@@ -20,9 +20,9 @@ jobs: id: scan uses: sysdiglabs/scan-action@v6 with: - image-tag: vote:${{ github.sha }} - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - secure-api-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + image-tag: vote:${{ github.sha }} + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + secure-api-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Build Worker Image run: docker build -t worker:${{ github.sha }} ./worker @@ -30,9 +30,9 @@ jobs: - name: Scan Worker image uses: sysdiglabs/scan-action@v6 with: - image-tag: worker:${{ github.sha }} - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - secure-api-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + image-tag: worker:${{ github.sha }} + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + secure-api-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Build Result Image run: docker build -t result:${{ github.sha }} ./result @@ -40,11 +40,9 @@ jobs: - name: Scan Result image uses: sysdiglabs/scan-action@v6 with: - image-tag: result:${{ github.sha }} - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - secure-api-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + image-tag: result:${{ github.sha }} + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + secure-api-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Show Built Images run: docker images - - From eb34d79e1b886ce1bf3dc2eb3484e95ad4f6e633 Mon Sep 17 00:00:00 2001 From: sukeshraja <40174880+sukeshraja@users.noreply.github.com> Date: Mon, 23 Mar 2026 16:41:18 -0500 Subject: [PATCH 06/14] Update sysdig-build.yaml --- .github/workflows/sysdig-build.yaml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/.github/workflows/sysdig-build.yaml b/.github/workflows/sysdig-build.yaml index 1bc28ba345..943595d086 100644 --- a/.github/workflows/sysdig-build.yaml +++ b/.github/workflows/sysdig-build.yaml 
@@ -13,16 +13,21 @@ jobs: - name: Checkout Repository uses: actions/checkout@v4 + - name: Download Sysdig CLI Scanner + run: | + curl -LO https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/latest/linux/amd64/sysdig-cli-scanner + chmod +x ./sysdig-cli-scanner + - name: Build Vote Image run: docker build -t vote:${{ github.sha }} ./vote - - name: Scan Vote image - id: scan - uses: sysdiglabs/scan-action@v6 - with: - image-tag: vote:${{ github.sha }} - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - secure-api-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + - name: Scan vote image + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + run: | + ./sysdig-cli-scanner \ + --apiurl "${{ secrets.SYSDIG_SECURE_ENDPOINT }}" \ + docker://vote:${{ github.sha }} - name: Build Worker Image run: docker build -t worker:${{ github.sha }} ./worker From c1009d1724bb41c5eeb4f54a81b0455bff929d7f Mon Sep 17 00:00:00 2001 From: sukeshraja <40174880+sukeshraja@users.noreply.github.com> Date: Mon, 23 Mar 2026 16:50:11 -0500 Subject: [PATCH 07/14] Update sysdig-build.yaml --- .github/workflows/sysdig-build.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/sysdig-build.yaml b/.github/workflows/sysdig-build.yaml index 943595d086..42f8bd54ce 100644 --- a/.github/workflows/sysdig-build.yaml +++ b/.github/workflows/sysdig-build.yaml @@ -25,9 +25,7 @@ jobs: env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - ./sysdig-cli-scanner \ - --apiurl "${{ secrets.SYSDIG_SECURE_ENDPOINT }}" \ - docker://vote:${{ github.sha }} + ./sysdig-cli-scanner --apiurl ${{ secrets.SYSDIG_SECURE_ENDPOINT }} docker://vote:${{ github.sha }} - name: Build Worker Image run: docker build -t worker:${{ github.sha }} ./worker From a90c50aa7406a80dcee6c36981f4b1cf541ada51 Mon Sep 17 00:00:00 2001 
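Review bot: The new download step runs an unpinned binary fetched from a `.../latest/...` URL with `curl -LO`, which neither fails on an HTTP error nor verifies what it received; a 404 or redirect page is saved as `sysdig-cli-scanner`, made executable, and then run with `SECURE_API_TOKEN` in its environment. Use `curl -fsSLO "<url>"` so a non-2xx response aborts the step, pin an explicit scanner version instead of `latest`, and verify the download before `chmod +x`, e.g. `echo "<EXPECTED_SHA256>  sysdig-cli-scanner" | sha256sum -c -` with the digest taken from the vendor's release. Whether Sysdig publishes a checksum alongside the binary is not visible here; if it does not, pinning by version is the minimum.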
From: sukeshraja <40174880+sukeshraja@users.noreply.github.com> Date: Mon, 23 Mar 2026 16:59:25 -0500 Subject: [PATCH 08/14] Update sysdig-build.yaml --- .github/workflows/sysdig-build.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sysdig-build.yaml b/.github/workflows/sysdig-build.yaml index 42f8bd54ce..f290f6c6a6 100644 --- a/.github/workflows/sysdig-build.yaml +++ b/.github/workflows/sysdig-build.yaml @@ -15,7 +15,8 @@ jobs: - name: Download Sysdig CLI Scanner run: | - curl -LO https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/latest/linux/amd64/sysdig-cli-scanner + #curl -LO https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/latest/linux/amd64/sysdig-cli-scanner + curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" chmod +x ./sysdig-cli-scanner - name: Build Vote Image From fe1908797d9ac0d97624426f4bcefab569aa9f0d Mon Sep 17 00:00:00 2001 From: sukeshraja <40174880+sukeshraja@users.noreply.github.com> Date: Mon, 23 Mar 2026 17:07:43 -0500 Subject: [PATCH 09/14] Update sysdig-build.yaml --- .github/workflows/sysdig-build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sysdig-build.yaml b/.github/workflows/sysdig-build.yaml index f290f6c6a6..0c31c5d656 100644 --- a/.github/workflows/sysdig-build.yaml +++ b/.github/workflows/sysdig-build.yaml @@ -26,7 +26,7 @@ jobs: env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - ./sysdig-cli-scanner --apiurl ${{ secrets.SYSDIG_SECURE_ENDPOINT }} docker://vote:${{ github.sha }} + ./sysdig-cli-scanner --apiurl "${{ secrets.SYSDIG_SECURE_ENDPOINT }}" "docker://vote:${{ github.sha }}" - name: Build Worker Image run: docker build -t worker:${{ github.sha }} ./worker From 658b2d1521e98958231e77147557899b768de5d0 Mon Sep 17 00:00:00 2001 
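Review bot: The version lookup `$(curl -L -s .../latest_version.txt)` is substituted into the download URL without checking that it produced anything; if that request fails or returns an error page, the outer `curl` (still without `-f`) downloads from a URL with an empty or garbage version segment and the step reports success, leaving the failure to surface later in the scan step. Capture the version first and fail on an empty value: `VERSION="$(curl -fsSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)"` then `test -n "$VERSION"` before the download. Resolving the latest version at run time also means two consecutive runs can execute different scanner builds, which a pinned version in a workflow-level `env:` avoids.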
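Review bot: The quoting fix is right, but the endpoint is still spliced into the script text by `${{ secrets.SYSDIG_SECURE_ENDPOINT }}`, so the shell sees the secret's value as part of the command line rather than as data; the token on the line above is already passed through `env:`, and the endpoint should follow the same pattern: add `SYSDIG_ENDPOINT: ${{ secrets.SYSDIG_SECURE_ENDPOINT }}` under `env:` and run `./sysdig-cli-scanner --apiurl "$SYSDIG_ENDPOINT" "docker://vote:${{ github.sha }}"`. `github.sha` is a fixed 40-hex value and is safe to interpolate, so only the secret needs moving. The same inline expansion is copied into the Worker, Result and IaC steps in later patches.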
From: sukeshraja <40174880+sukeshraja@users.noreply.github.com> Date: Mon, 23 Mar 2026 17:19:27 -0500 Subject: [PATCH 10/14] Update sysdig-build.yaml --- .github/workflows/sysdig-build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sysdig-build.yaml b/.github/workflows/sysdig-build.yaml index 0c31c5d656..86778f92bc 100644 --- a/.github/workflows/sysdig-build.yaml +++ b/.github/workflows/sysdig-build.yaml @@ -26,7 +26,7 @@ jobs: env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - ./sysdig-cli-scanner --apiurl "${{ secrets.SYSDIG_SECURE_ENDPOINT }}" "docker://vote:${{ github.sha }}" + ./sysdig-cli-scanner --apiurl "${{ secrets.SYSDIG_SECURE_ENDPOINT }}" "docker://vote:${{ github.sha }}" || true - name: Build Worker Image run: docker build -t worker:${{ github.sha }} ./worker From 6f4b38bf0d88274e2b9804aafe909aedf22c71b2 Mon Sep 17 00:00:00 2001 From: sukeshraja <40174880+sukeshraja@users.noreply.github.com> Date: Mon, 23 Mar 2026 17:42:22 -0500 Subject: [PATCH 11/14] Update sysdig-build.yaml --- .github/workflows/sysdig-build.yaml | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/.github/workflows/sysdig-build.yaml b/.github/workflows/sysdig-build.yaml index 86778f92bc..cab3e1e187 100644 --- a/.github/workflows/sysdig-build.yaml +++ b/.github/workflows/sysdig-build.yaml @@ -15,7 +15,6 @@ jobs: - name: Download Sysdig CLI Scanner run: | - #curl -LO https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/latest/linux/amd64/sysdig-cli-scanner curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" chmod +x ./sysdig-cli-scanner 
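Review bot: Appending `|| true` to the scan command turns every scanner failure — policy violations, an unreachable API, a bad token, a missing binary — into a green step, so the workflow no longer gates anything on the scan result. If the intent is a non-blocking rollout, express it at step level with `continue-on-error: true`, which keeps the step's real outcome visible in the run summary and in the step's `outcome`, instead of hiding it in the shell. The same `|| true` is copied into the Worker and Result scan steps in patch 11 and into the IaC step in patch 12.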
@@ -31,22 +30,27 @@ jobs: - name: Build Worker Image run: docker build -t worker:${{ github.sha }} ./worker - - name: Scan Worker image - uses: sysdiglabs/scan-action@v6 - with: - image-tag: worker:${{ github.sha }} - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - secure-api-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + - name: Scan Worker Image + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + run: | + ./sysdig-cli-scanner --apiurl "${{ secrets.SYSDIG_SECURE_ENDPOINT }}" "docker://worker:${{ github.sha }}" || true + + # - name: Scan Worker image + # uses: sysdiglabs/scan-action@v6 + # with: + # image-tag: worker:${{ github.sha }} + # sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + # secure-api-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Build Result Image run: docker build -t result:${{ github.sha }} ./result - name: Scan Result image - uses: sysdiglabs/scan-action@v6 - with: - image-tag: result:${{ github.sha }} - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - secure-api-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + run: | + ./sysdig-cli-scanner --apiurl "${{ secrets.SYSDIG_SECURE_ENDPOINT }}" "docker://result:${{ github.sha }}" || true - name: Show Built Images run: docker images From 10cf7ae6e810d41651fb1e0a9c206217fd704ccf Mon Sep 17 00:00:00 2001 From: sukeshraja <40174880+sukeshraja@users.noreply.github.com> Date: Mon, 23 Mar 2026 17:54:40 -0500 Subject: [PATCH 12/14] adding Iac scanner --- .github/workflows/sysdig-build.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/sysdig-build.yaml b/.github/workflows/sysdig-build.yaml index cab3e1e187..43b3c07c27 100644 --- a/.github/workflows/sysdig-build.yaml +++ b/.github/workflows/sysdig-build.yaml 
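Review bot: The hunk leaves the old `scan-action` step for the Worker image as a six-line commented-out block between two live steps; commented-out configuration in a workflow is dead text that git history already preserves, so delete it. The three scan steps are now identical except for the image name, and the step titles disagree on casing (`Scan Worker Image` vs `Scan Result image`); a `strategy.matrix` over `[vote, worker, result]` with one build step and one scan step per entry would remove the triplication, or at least the three titles should use one convention. The `docker build -t` lines that would be parameterized by such a matrix are partly outside this hunk.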
@@ -54,3 +54,9 @@ jobs: - name: Show Built Images run: docker images + + - name: Scan Kubernetes manifests with Sysdig IaC + env: + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + run: | + ./sysdig-cli-scanner --iac --apiurl "${{ secrets.SYSDIG_SECURE_ENDPOINT }}" ./k8s-specifications || true From 83cdbc5589c469397bfb3f1607bde140ff0d5c34 Mon Sep 17 00:00:00 2001 From: sukesh raja Date: Mon, 23 Mar 2026 20:23:17 -0500 Subject: [PATCH 13/14] updated vote deployment file --- k8s-specifications/vote-deployment.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/k8s-specifications/vote-deployment.yaml b/k8s-specifications/vote-deployment.yaml index 165a9478f8..1428f5c5d5 100644 --- a/k8s-specifications/vote-deployment.yaml +++ b/k8s-specifications/vote-deployment.yaml @@ -20,3 +20,5 @@ spec: ports: - containerPort: 80 name: vote + securityContext: + privileged: true From ebe925c3cd342ff8ac5064b8f9451057871cc664 Mon Sep 17 00:00:00 2001 From: sukesh raja Date: Tue, 24 Mar 2026 12:59:23 -0500 Subject: [PATCH 14/14] removed security context --- k8s-specifications/vote-deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/k8s-specifications/vote-deployment.yaml b/k8s-specifications/vote-deployment.yaml index 1428f5c5d5..0383b1c70e 100644 --- a/k8s-specifications/vote-deployment.yaml +++ b/k8s-specifications/vote-deployment.yaml @@ -20,5 +20,5 @@ spec: ports: - containerPort: 80 name: vote - securityContext: - privileged: true + # securityContext: + # privileged: true
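Review bot: The IaC scan is appended as the last step of `build-images`, after three image builds and three image scans, so any failure earlier in the job (a build error, a scanner download failure) means `./k8s-specifications` is never checked even though the manifest scan does not depend on the images. Moving it into its own job that needs only the checkout and the scanner download lets it run in parallel and report independently. As with the image scans, the trailing `|| true` means the job cannot fail on an IaC policy violation, which is the same gating problem as for the image scans.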
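Review bot: `privileged: true` gives the vote container full host access (all capabilities, host devices, no seccomp or AppArmor confinement), which a web frontend listening on port 80 has no need for; if this was added to exercise the new IaC scan, it should be reverted rather than left in a deployable manifest, and the following patch only comments it out. A least-privilege `securityContext` for this container would be `allowPrivilegeEscalation: false` plus `runAsNonRoot: true` where the image supports a non-root user binding the port. The container spec this `securityContext` belongs to starts outside the hunk.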
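Review bot: The revert comments out `privileged: true` instead of deleting it, so the manifest now carries two commented-out lines inside the container spec that read as a ready-to-uncomment switch rather than an intentional decision; remove them, and if a `securityContext` is wanted here, make it an explicit hardening one (`allowPrivilegeEscalation: false`, a dropped capability set, `runAsNonRoot: true` where the image allows it). A commented-out line also contributes nothing to the IaC scan introduced in patch 12, which parses the YAML and does not see comments.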