taking help from chatgpt...
AtulGoel committed Oct 30, 2024
1 parent 5a614a0 commit 0591061
Showing 1 changed file with 107 additions and 16 deletions.
123 changes: 107 additions & 16 deletions .github/workflows/ci.yml
@@ -1,5 +1,7 @@
# Name of the workflow
name: CI/CD Pipeline

# Define when the workflow should run
on:
push:
branches:
Expand All @@ -9,69 +11,132 @@ on:
branches:
- main

# Define required permissions
permissions:
contents: read
packages: write
security-events: write
id-token: write

# Define environment variables
env:
DOCKER_IMAGE_NAME: devsecops-ts-cdk-security
DOCKER_IMAGE_TAG: ${{ github.sha }}

# Configure concurrency to handle multiple workflow runs
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Define the jobs
jobs:
# Build job - handles Node.js build and tests
build:
runs-on: ubuntu-latest
environment: dev
timeout-minutes: 15
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Set up Node.js
uses: actions/setup-node@v2
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'

- name: Install dependencies
run: npm install
run: npm ci

- name: Build project
run: npm run build

- name: Run tests
run: npm test

- name: CDK Synth
run: npm run cdk-synth
env:
CDK_DEFAULT_ACCOUNT: ${{ vars.AWS_ACCOUNT_ID }}
CDK_DEFAULT_REGION: ${{ vars.AWS_DEFAULT_REGION }}

- name: Cache build artifacts
uses: actions/cache@v3
with:
path: |
dist
cdk.out
key: ${{ runner.os }}-build-${{ github.sha }}
restore-keys: |
${{ runner.os }}-build-
# Checkov security scanning job
checkov:
runs-on: ubuntu-latest
needs: build
timeout-minutes: 10
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v2
uses: actions/setup-python@v5
with:
python-version: '3.8'
cache: 'pip'

- name: Install Checkov
run: pip install checkov

- name: Run Checkov
run: checkov -d .
id: checkov
run: |
checkov -d . --output-file-path results.sarif -o sarif
continue-on-error: true

- name: Upload Checkov scan results
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: results.sarif
category: Checkov

# Docker build and security scanning job
docker:
runs-on: ubuntu-latest
needs: checkov
timeout-minutes: 20
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4

- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
timeout-minutes: 5

- name: Cache Docker layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
timeout-minutes: 2

- name: Build Docker image
id: docker_build
uses: docker/build-push-action@v5
continue-on-error: true
with:
context: .
load: true
Expand All @@ -80,31 +145,57 @@ jobs:
${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}
ghcr.io/${{ github.repository }}/${{ env.DOCKER_IMAGE_NAME }}:latest
ghcr.io/${{ github.repository }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}
cache-from: type=gha
cache-to: type=gha,mode=max
cache-from: |
type=gha
type=local,src=/tmp/.buildx-cache
cache-to: |
type=gha,mode=max
type=local,dest=/tmp/.buildx-cache-new,mode=max
- name: Check Docker build status
if: steps.docker_build.outcome == 'failure'
run: |
echo "Docker build failed"
exit 1
- name: Run Trivy vulnerability scanner
if: steps.docker_build.outcome == 'success'
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
timeout: '10m'

- name: Upload Trivy scan results
if: steps.docker_build.outcome == 'success'
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
category: Trivy

- name: Push Docker image
if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/main-week2-day5-6')
if: |
steps.docker_build.outcome == 'success' &&
github.event_name != 'pull_request' &&
(github.ref == 'refs/heads/main' || github.ref == 'refs/heads/main-week2-day5-6')
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: |
ghcr.io/${{ github.repository }}/${{ env.DOCKER_IMAGE_NAME }}:latest
ghcr.io/${{ github.repository }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}
cache-from: type=gha
cache-to: type=gha,mode=max
cache-from: |
type=gha
type=local,src=/tmp/.buildx-cache
cache-to: |
type=gha,mode=max
type=local,dest=/tmp/.buildx-cache-new,mode=max
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
- name: Move cache
if: always()
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
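Review bot: The Trivy step (`severity: 'CRITICAL,HIGH'`) never fails the job, so the new `steps.docker_build.outcome == 'success'` gate on the push step still lets an image with critical findings reach ghcr.io; the scan only feeds the Security tab. Adding `exit-code: '1'` to the Trivy `with:` block makes that step fail on findings, which blocks the later push because its `if:` contains no status function and therefore implies `success()`; the SARIF upload step then needs `if: always() && steps.docker_build.outcome == 'success'` so results are still reported on a failing scan. `uses: aquasecurity/trivy-action@master` is a mutable ref in a workflow that grants `packages: write` and `id-token: write` at the top level; pin it to a release tag or full commit SHA, and consider moving those permissions down to the jobs that use them. The `Move cache` step runs under `if: always()` but `mv` fails when `/tmp/.buildx-cache-new` was never created, e.g. after a failed build, so guard it with `[ -d /tmp/.buildx-cache-new ] &&` or drop `always()`.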
