From d4bcb719f07d4675e3d1af16c3623cc863163bca Mon Sep 17 00:00:00 2001 From: Kiril-Poposki1998 Date: Wed, 20 Dec 2023 12:36:53 +0100 Subject: [PATCH 01/10] update focal image tag --- images/ckan/2.10/Dockerfile.focal | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/images/ckan/2.10/Dockerfile.focal b/images/ckan/2.10/Dockerfile.focal index 7c2e867..5fc764f 100644 --- a/images/ckan/2.10/Dockerfile.focal +++ b/images/ckan/2.10/Dockerfile.focal @@ -4,7 +4,7 @@ FROM ubuntu:focal-20210827 as ckanbuild # Used by Github Actions to tag the image with -ENV IMAGE_TAG=2.9.7-focal +ENV IMAGE_TAG=2.10.2-focal # Set CKAN version to build ENV GIT_URL=https://github.com/ckan/ckan.git From 12c7519e7ed28459607708c9070efb1891813afd Mon Sep 17 00:00:00 2001 From: Kiril-Poposki1998 Date: Thu, 21 Dec 2023 10:57:06 +0100 Subject: [PATCH 02/10] new release 2.10.3 --- images/ckan/2.10/Dockerfile | 4 ++-- images/ckan/2.10/Dockerfile.focal | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/images/ckan/2.10/Dockerfile b/images/ckan/2.10/Dockerfile index b5e00cc..e7140ef 100644 --- a/images/ckan/2.10/Dockerfile +++ b/images/ckan/2.10/Dockerfile @@ -4,11 +4,11 @@ FROM alpine:3.17.2 as ckanbuild # Used by Github Actions to tag the image with -ENV IMAGE_TAG=2.10.2 +ENV IMAGE_TAG=2.10.3 # Set CKAN version to build ENV GIT_URL=https://github.com/ckan/ckan.git -ENV GIT_BRANCH=ckan-2.10.2 +ENV GIT_BRANCH=ckan-2.10.3 # Set src dirs ENV SRC_DIR=/srv/app/src diff --git a/images/ckan/2.10/Dockerfile.focal b/images/ckan/2.10/Dockerfile.focal index 5fc764f..6aa802c 100644 --- a/images/ckan/2.10/Dockerfile.focal +++ b/images/ckan/2.10/Dockerfile.focal @@ -4,11 +4,11 @@ FROM ubuntu:focal-20210827 as ckanbuild # Used by Github Actions to tag the image with -ENV IMAGE_TAG=2.10.2-focal +ENV IMAGE_TAG=2.10.3-focal # Set CKAN version to build ENV GIT_URL=https://github.com/ckan/ckan.git -ENV GIT_BRANCH=ckan-2.10.2 +ENV GIT_BRANCH=ckan-2.10.3 # Set timezone ENV TZ=UTC 
From 916824d98768cabafcfad04015a6691c4bee553b Mon Sep 17 00:00:00 2001 From: Kiril-Poposki1998 Date: Thu, 21 Dec 2023 11:11:39 +0100 Subject: [PATCH 03/10] new release 2.9.10 --- images/ckan/2.9/Dockerfile | 4 ++-- images/ckan/2.9/Dockerfile.focal | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/images/ckan/2.9/Dockerfile b/images/ckan/2.9/Dockerfile index 5d5d5ba..c1423d3 100644 --- a/images/ckan/2.9/Dockerfile +++ b/images/ckan/2.9/Dockerfile @@ -4,11 +4,11 @@ FROM alpine:3.13.7 as ckanbuild # Used by Github Actions to tag the image with -ENV IMAGE_TAG=2.9.9 +ENV IMAGE_TAG=2.9.10 # Set CKAN version to build ENV GIT_URL=https://github.com/ckan/ckan.git -ENV GIT_BRANCH=ckan-2.9.9 +ENV GIT_BRANCH=ckan-2.9.10 # Set src dirs ENV SRC_DIR=/srv/app/src diff --git a/images/ckan/2.9/Dockerfile.focal b/images/ckan/2.9/Dockerfile.focal index 53adcc0..336d7bc 100644 --- a/images/ckan/2.9/Dockerfile.focal +++ b/images/ckan/2.9/Dockerfile.focal @@ -4,11 +4,11 @@ FROM ubuntu:focal-20210827 as ckanbuild # Used by Github Actions to tag the image with -ENV IMAGE_TAG=2.9.9-focal +ENV IMAGE_TAG=2.9.10-focal # Set CKAN version to build ENV GIT_URL=https://github.com/ckan/ckan.git -ENV GIT_BRANCH=ckan-2.9.9 +ENV GIT_BRANCH=ckan-2.9.10 # Set timezone ENV TZ=UTC From 96094e02a9590d635428ebe6fc0b09ea41feb571 Mon Sep 17 00:00:00 2001 From: "filip.mihajlovski" Date: Mon, 15 Jan 2024 13:12:53 +0100 Subject: [PATCH 04/10] added trivy in repo scan mode --- .github/workflows/trivy_scan.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/trivy_scan.yml diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy_scan.yml new file mode 100644 index 0000000..a69b0f4 --- /dev/null +++ b/.github/workflows/trivy_scan.yml 
@@ -0,0 +1,31 @@ +name: build +on: + push: + branches: [ "master" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "master" ] + schedule: + - cron: '28 3 * * 5' + +jobs: + build: + name: Build + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' \ No newline at end of file From 009028b4d9518797162354b38e1e9a742c4407a3 Mon Sep 17 00:00:00 2001 From: "filip.mihajlovski" Date: Mon, 15 Jan 2024 13:14:24 +0100 Subject: [PATCH 05/10] changed ci name --- .github/workflows/trivy_scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy_scan.yml index a69b0f4..af3a83c 100644 --- a/.github/workflows/trivy_scan.yml +++ b/.github/workflows/trivy_scan.yml @@ -1,4 +1,4 @@ -name: build +name: Repo Scan on: push: branches: [ "master" ] @@ -10,7 +10,7 @@ on: jobs: build: - name: Build + name: repo_scan runs-on: ubuntu-20.04 steps: - name: Checkout code From e76e34bd92593ddb2ed17f6a4cfbeb5c950d5f08 Mon Sep 17 00:00:00 2001 From: "filip.mihajlovski" Date: Mon, 15 Jan 2024 13:24:05 +0100 Subject: [PATCH 06/10] added docker scan mode --- .github/workflows/trivy_scan.yml | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy_scan.yml index af3a83c..137f92e 100644 --- a/.github/workflows/trivy_scan.yml +++ b/.github/workflows/trivy_scan.yml @@ -9,7 +9,7 @@ on: - cron: '28 3 * * 5' jobs: - build: + repo_scan: name: repo_scan runs-on: ubuntu-20.04 steps: 
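Review bot: `uses: aquasecurity/trivy-action@master` in the scanner step references an unpinned, mutable branch of a third-party action, so each run executes whatever that branch points to at that moment; pin it to a release tag or, better, a full commit SHA (`uses: aquasecurity/trivy-action@<release tag or commit SHA>`), and the same applies to every trivy-action step added in patches 06, 09 and 10. The workflow also declares no `permissions:` block, yet `upload-sarif` needs `security-events: write` (and `actions: read` on private repositories), so a least-privilege block at the top level — `permissions:` / `contents: read` / `security-events: write` — makes the grant explicit instead of relying on the repository's default token scope. Note that `severity: 'CRITICAL'` together with `ignore-unfixed: true` means HIGH findings and anything without an available fix never reach the Security tab; if that is intentional it deserves a one-line comment on the step. The file is also written without a trailing newline.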
@@ -25,6 +25,31 @@ jobs: output: 'trivy-results.sarif' severity: 'CRITICAL' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + + docker_scan: + name: docker_scan + runs-on: ubuntu-20.04 + steps: + + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build an image from Dockerfile + run: | + docker build -t keitaro/ckan/2.10:${{ github.sha }} -f ./images/ckan/2.10/Dockerfile . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'keitaro/ckan/2.10:${{ github.sha }}' + format: 'sarif' + output: 'trivy-results.sarif' + - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: From 50eeb66a5bd9281c20ff0887528b525b3215c64c Mon Sep 17 00:00:00 2001 From: "filip.mihajlovski" Date: Mon, 15 Jan 2024 13:45:40 +0100 Subject: [PATCH 07/10] changed docker build tar --- .github/workflows/trivy_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy_scan.yml index 137f92e..1020856 100644 --- a/.github/workflows/trivy_scan.yml +++ b/.github/workflows/trivy_scan.yml @@ -41,7 +41,7 @@ jobs: - name: Build an image from Dockerfile run: | - docker build -t keitaro/ckan/2.10:${{ github.sha }} -f ./images/ckan/2.10/Dockerfile . + docker build -t keitaro/ckan/2.10:${{ github.sha }} -f ./images/ckan/2.10/Dockerfile ./images/ckan/2.10/ - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master From 232f7de6aca39f23a6c99f45893cf23cc05165c0 Mon Sep 17 00:00:00 2001 From: "filip.mihajlovski" Date: Mon, 15 Jan 2024 13:54:34 +0100 Subject: [PATCH 08/10] added ckan versions to be scanned --- .github/workflows/trivy_scan.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy_scan.yml index 1020856..5d51dfb 100644 
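Review bot: Both `repo_scan` and the new `docker_scan` job upload the same `trivy-results.sarif` through `github/codeql-action/upload-sarif@v2` and neither sets `category`; if the two uploads land under the same category for a commit, the later one replaces the earlier one's alerts — worth confirming against the code-scanning documentation, and an explicit `category: 'trivy-image-2.10'` here (with a matching one in `repo_scan`) removes the ambiguity either way. The image scan also drops the `severity` and `ignore-unfixed` filters that `repo_scan` applies, so the two jobs report on different terms; if that is deliberate, a short comment on the scanner step would save the next reader the comparison. The `jobs:` mapping these jobs belong to starts outside the hunk.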
--- a/.github/workflows/trivy_scan.yml +++ b/.github/workflows/trivy_scan.yml @@ -42,11 +42,14 @@ jobs: - name: Build an image from Dockerfile run: | docker build -t keitaro/ckan/2.10:${{ github.sha }} -f ./images/ckan/2.10/Dockerfile ./images/ckan/2.10/ + docker build -t keitaro/ckan/2.10-focal:${{ github.sha }} -f ./images/ckan/2.10/Dockerfile.focal ./images/ckan/2.10/ + docker build -t keitaro/ckan/2.9:${{ github.sha }} -f ./images/ckan/2.9/Dockerfile ./images/ckan/2.9/ + docker build -t keitaro/ckan/2.9-focal:${{ github.sha }} -f ./images/ckan/2.9/Dockerfile.focal ./images/ckan/2.9/ - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'keitaro/ckan/2.10:${{ github.sha }}' + image-ref: 'keitaro/ckan/2.10:${{ github.sha }},keitaro/ckan/2.10-focal:${{ github.sha }}' format: 'sarif' output: 'trivy-results.sarif' From efdf8f19f986c3ebf04619839a23d4e6b97d703f Mon Sep 17 00:00:00 2001 From: "filip.mihajlovski" Date: Mon, 15 Jan 2024 16:21:57 +0100 Subject: [PATCH 09/10] added more actions for 2.9 and 2.10 ckan versions --- .github/workflows/trivy_scan.yml | 76 ++++++++++++++++++++++++++++++-- 1 file changed, 73 insertions(+), 3 deletions(-) diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy_scan.yml index 5d51dfb..e7e182f 100644 --- a/.github/workflows/trivy_scan.yml +++ b/.github/workflows/trivy_scan.yml @@ -31,8 +31,8 @@ jobs: sarif_file: 'trivy-results.sarif' - docker_scan: - name: docker_scan + scan_2_10: + name: scan_2_10 runs-on: ubuntu-20.04 steps: 
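Review bot: The build step now produces four images but the scanner's `image-ref` lists only the two 2.10 images, so the 2.9 and 2.9-focal images are built and never scanned. The comma-separated `image-ref` value is also doubtful: as far as I can tell trivy-action's `image-ref` takes a single image reference, so the whole string would be handed to `trivy image` as one name and fail — worth confirming. Patch 09 later splits this into one job per image, which sidesteps both problems, so this state of the file should not be the one a bisect lands on for long.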
@@ -42,14 +42,84 @@ jobs: - name: Build an image from Dockerfile run: | docker build -t keitaro/ckan/2.10:${{ github.sha }} -f ./images/ckan/2.10/Dockerfile ./images/ckan/2.10/ + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'keitaro/ckan/2.10:${{ github.sha }}' + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + + scan_2_10_focal: + name: scan_2_10_focal + runs-on: ubuntu-20.04 + steps: + + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build an image from Dockerfile + run: | docker build -t keitaro/ckan/2.10-focal:${{ github.sha }} -f ./images/ckan/2.10/Dockerfile.focal ./images/ckan/2.10/ + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'keitaro/ckan/2.10-focal:${{ github.sha }}' + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + scan_2_9: + name: scan_2_9 + runs-on: ubuntu-20.04 + steps: + + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build an image from Dockerfile + run: | docker build -t keitaro/ckan/2.9:${{ github.sha }} -f ./images/ckan/2.9/Dockerfile ./images/ckan/2.9/ + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'keitaro/ckan/2.9:${{ github.sha }}' + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + scan_2_9_focal: + name: scan_2_9_focal + runs-on: ubuntu-20.04 + steps: + + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build an image from Dockerfile + run: | docker build -t 
keitaro/ckan/2.9-focal:${{ github.sha }} -f ./images/ckan/2.9/Dockerfile.focal ./images/ckan/2.9/ - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'keitaro/ckan/2.10:${{ github.sha }},keitaro/ckan/2.10-focal:${{ github.sha }}' + image-ref: 'keitaro/ckan/2.9-focal:${{ github.sha }}' format: 'sarif' output: 'trivy-results.sarif' From 1be892cab9e7e5a8a5e511e7362c446eca6a8ff6 Mon Sep 17 00:00:00 2001 From: "filip.mihajlovski" Date: Mon, 15 Jan 2024 16:39:34 +0100 Subject: [PATCH 10/10] added scans for datapusher and psql-init --- .github/workflows/trivy_scan.yml | 49 ++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy_scan.yml index e7e182f..6f8c917 100644 --- a/.github/workflows/trivy_scan.yml +++ b/.github/workflows/trivy_scan.yml 
@@ -123,6 +123,55 @@ jobs: format: 'sarif' output: 'trivy-results.sarif' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + scan_psql_init: + name: scan_psql_init + runs-on: ubuntu-20.04 + steps: + + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build an image from Dockerfile + run: | + docker build -t keitaro/psql-init:${{ github.sha }} -f ./images/psql-init/Dockerfile ./images/psql-init/ + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'keitaro/psql-init:${{ github.sha }}' + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + + scan_datapusher: + name: scan_datapusher + runs-on: ubuntu-20.04 + steps: + + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build an image from Dockerfile + run: | + docker build -t keitaro/datapusher:${{ github.sha }} -f ./images/datapusher/Dockerfile ./images/datapusher/ + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'keitaro/datapusher:${{ github.sha }}' + format: 'sarif' + output: 'trivy-results.sarif' + - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: