Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add pipeline for build goss docker image #909

Merged
merged 4 commits into from
Jun 24, 2024
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
98 changes: 98 additions & 0 deletions .github/workflows/docker-goss.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
name: Docker image for Goss

on:
push:
branches:
- master
tags:
- "v*"
workflow_dispatch:

env:
PLATFORMS: "linux/amd64,linux/arm64"

jobs:
goss:
name: Build and push Docker image
runs-on: ubuntu-latest
permissions:
packages: write
contents: read
security-events: write # To upload Trivy sarif files

steps:
- name: Checkout
uses: actions/checkout@v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/${{ github.repository_owner }}/goss

- name: Get latest git tag
uses: actions-ecosystem/action-get-latest-tag@v1
id: get-latest-tag

- name: Set short git commit SHA
run: |
calculatedSha=$(git rev-parse --short ${{ github.sha }})
echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV

- name: Get the current version of Go from project.
run: echo "GO_VERSION_FROM_PROJECT=$(go mod edit -json | jq -r .Go)" >> $GITHUB_ENV

- name: Build master goss image
if: github.ref_name == 'master'
uses: docker/build-push-action@v5
with:
build-args: |
GO_VERSION=${{ env.GO_VERSION_FROM_PROJECT }}
GOSS_VERSION=${{ steps.get-latest-tag.outputs.tag }}-${{ github.ref_name }}+${{ env.COMMIT_SHORT_SHA }}
context: .
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/goss:master
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ env.PLATFORMS }}

- name: Build release goss image
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
uses: docker/build-push-action@v5
with:
build-args: |
GO_VERSION=${{ env.GO_VERSION_FROM_PROJECT }}
GOSS_VERSION=${{ github.ref_name }}
context: .
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/goss:latest
ghcr.io/${{ github.repository_owner }}/goss:${{ github.ref_name }}
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ env.PLATFORMS }}

- name: Run Trivy vulnerability scanner
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this some thing that typically runs before or after the container is pushed to the repository?

Also, when doing a goss release, this will run against the master branch, but not the released version?

Copy link
Contributor Author

@dklimpel dklimpel Jun 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a small add on and runs whenever (after) an image (goss:master) is pushed into the repo. It scans the image goss:master and not the repository. This is the same image as the tagged image at the time of creating a tag. The step should not trigger a failing, but serves to keep an overview of the image. It scans not only the goss binary, but the whole image including the operating system (base image).
This gives you an overview of the status of the CVEs at the time the image was published. In my opinion, this cannot replace a regular scan of your own code.

uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/${{ github.repository_owner }}/goss:master
format: "sarif"
output: "trivy-results.sarif"

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
19 changes: 19 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
ARG GO_VERSION=1.21

FROM docker.io/golang:${GO_VERSION}-alpine AS base

ARG GOSS_VERSION=v0.0.0
WORKDIR /build

RUN --mount=target=. \
CGO_ENABLED=0 go build \
-ldflags "-X github.com/goss-org/goss/util.Version=${GOSS_VERSION} -s -w" \
-o "/release/goss" \
./cmd/goss

FROM alpine:3.19

COPY --from=base /release/* /usr/bin/

RUN mkdir /goss
VOLUME /goss