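---
# CI for the MDACA fork of OHDSI WebAPI.
#
# Job `build`   : Maven-builds the image (dependencies come from AWS CodeArtifact),
#                 pushes it to ECR under the version tag and as `latest`.
# Job `security`: pulls the image that `build` just pushed, scans it with Trivy,
#                 writes an SBOM with Syft, uploads both, then fails the run on
#                 HIGH/CRITICAL findings.
name: Docker Maven Build and Push Docker Image to MDACA ECR

on:
  schedule:
    - cron: '0 23 * * 0'
  push:
    branches:
      - mdaca-3.0.1

# Least privilege for GITHUB_TOKEN: nothing here writes back to the repository.
permissions:
  contents: read

# Single source of truth for the image coordinates; both jobs read these, so the
# tag that is scanned is always the tag that was pushed.
env:
  IMAGE_TAG: '3.0.1.1'
  ECR_REPOSITORY: mdaca/ohdsi/webapi

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and Push Docker Image
        env:
          # The AWS CLI reads AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from the
          # environment directly; no `aws configure set`, so the static keys are
          # not also written to ~/.aws on the runner.
          # NOTE(review): long-lived access keys in repository secrets are the
          # weakest link here — aws-actions/configure-aws-credentials with OIDC
          # role assumption would remove them entirely.
          AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_REGION: ${{ secrets.AWS_REGION }}
          CODEARTIFACT_DOMAIN: ${{ secrets.CODEARTIFACT_DOMAIN }}
        run: |
          set -euo pipefail
          REGISTRY="$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com"
          IMAGE="$REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"

          # Fetch the CodeArtifact token straight into a variable. It is not
          # written to the workspace (which is also the `docker build` context,
          # so a file there could end up inside the image) and it is registered
          # with the log masker instead of being echoed in clear.
          CODEARTIFACT_AUTH_TOKEN="$(aws codeartifact get-authorization-token \
            --domain "$CODEARTIFACT_DOMAIN" \
            --domain-owner "$AWS_ACCOUNT_ID" \
            --region "$AWS_REGION" \
            --query authorizationToken \
            --output text)"
          echo "::add-mask::$CODEARTIFACT_AUTH_TOKEN"
          export CODEARTIFACT_AUTH_TOKEN

          echo "Logging in to ECR"
          aws ecr get-login-password --region "$AWS_REGION" \
            | docker login --username AWS --password-stdin "$REGISTRY"

          echo "Running Maven Build"
          # NOTE(review): a --build-arg is recorded in image metadata
          # (`docker history`) and is readable by anyone who can pull the image.
          # Passing it as a BuildKit secret (`--secret id=codeartifact,env=CODEARTIFACT_AUTH_TOKEN`
          # with `RUN --mount=type=secret,id=codeartifact` in Dockerfile-mvn-no-local)
          # would keep the token out of the layers; that needs a Dockerfile change
          # which is outside this file, so the build-arg is kept for now.
          docker build \
            --build-arg CODEARTIFACT_AUTH_TOKEN="$CODEARTIFACT_AUTH_TOKEN" \
            -f Dockerfile-mvn-no-local \
            -t "$IMAGE" \
            -t "$REGISTRY/$ECR_REPOSITORY:latest" \
            .

          # Push the version tag and the moving `latest` tag.
          docker push "$IMAGE"
          docker push "$REGISTRY/$ECR_REPOSITORY:latest"

  security:
    runs-on: ubuntu-latest
    needs: build
    env:
      AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_REGION: ${{ secrets.AWS_REGION }}
      # Pinned scanner releases. The upstream install scripts otherwise fetch
      # whatever is current, so results would not be reproducible and the job
      # would run an unreviewed download under sudo. Bump deliberately.
      TRIVY_VERSION: v0.50.0
      SYFT_VERSION: v1.0.0
    steps:
      - name: Compute image reference
        # Derived once from the workflow-level tag; the previous shell override to
        # a different tag made the pull and the scans target different images.
        run: |
          echo "IMAGE=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG" >> "$GITHUB_ENV"

      - name: Pull Docker Image from ECR
        run: |
          set -euo pipefail
          aws ecr get-login-password --region "$AWS_REGION" \
            | docker login --username AWS --password-stdin "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com"
          docker pull "$IMAGE"
          docker images

      - name: Install Trivy
        run: |
          set -euo pipefail
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sudo sh -s -- -b /usr/local/bin "$TRIVY_VERSION"

      - name: Scan Docker Image with Trivy
        # Report-only here so the JSON/CSV always exist for the upload step;
        # the gate on findings is the last step of the job.
        run: |
          set -euo pipefail
          trivy image --severity HIGH,CRITICAL "$IMAGE"
          trivy image --format json "$IMAGE" > OHDSI-Webapi.json
          jq -r '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | [.SeveritySource, .VulnerabilityID, .PkgName, .PkgPath, .InstalledVersion, .FixedVersion, .Status, .Severity] | @csv' OHDSI-Webapi.json > OHDSI-Webapi-Trivy.csv

      - name: Install Syft
        run: |
          set -euo pipefail
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \
            | sudo sh -s -- -b /usr/local/bin "$SYFT_VERSION"

      - name: Generate SBOM with Syft
        # One Syft run, shown in the log and saved to the artifact file.
        run: |
          set -euo pipefail
          syft "$IMAGE" | tee OHDSI-Webapi-sbom.tf

      - name: Upload Reports
        # Keep the evidence even when an earlier step failed part-way.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: trivy-and-sbom-reports
          path: |
            OHDSI-Webapi-Trivy.csv
            OHDSI-Webapi-sbom.tf

      - name: Gate on HIGH/CRITICAL findings
        # Runs after the reports are uploaded so a failing gate still leaves the
        # artifacts available. The image and the vulnerability DB are already
        # local, so this rescan is cheap.
        run: |
          set -euo pipefail
          trivy image --severity HIGH,CRITICAL --exit-code 1 "$IMAGE"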