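# CI pipeline: scan the repository with the Aqua supply-chain scanner, then
# build the image, scan it with the Aqua image scanner, push it, and record a
# release artifact for each job.
#
# Credentials are scoped to the steps that read them instead of being exported
# at workflow level, so steps that never use them (checkout, the
# aquasec/aqua-scanner container) do not inherit registry or API secrets.
# GITHUB_WORKSPACE is provided by the runner and is not redefined here.
name: Docker Image CI

on:
  push:
    branches: ["main"]

# NOTE(review): there is no top-level `permissions:` block, so GITHUB_TOKEN keeps
# the repository's default scope. `billy generate` receives that token in the
# aqua job; confirm which scopes it needs before tightening this.

env:
  BUILD_NUMBER: ${{ github.run_id }}
  BUILD_NAME: ${{ github.repository }}
  # Image reference produced by the build job; also the --local target of the
  # image scan and the --artifact-path of the build job's release record.
  IMAGE_NAME: stanhoe/spring4shell:demo

jobs:
  aqua:
    name: Aqua Supply-chain Security
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # v3 to match the build job (the aqua job previously used v2).
        uses: actions/checkout@v3

      - name: Run Aqua scanner
        # Mutable reference: the scanner image is whatever this tag resolves to
        # at run time. Pinning by digest (`aquasec/aqua-scanner@sha256:<DIGEST>`)
        # would make the scan reproducible.
        uses: docker://aquasec/aqua-scanner
        with:
          args: trivy fs --security-checks config,vuln,secret --sast .
          # To customize which severities to scan for, add the following flag: --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
          # To enable SAST scanning, add: --sast
          # To enable npm/dotnet non-lock file scanning, add: --package-json / --dotnet-proj
        env:
          AQUA_KEY: ${{ secrets.AQUA_KEY }}
          AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
          AQUA_URL: https://api.asia-1.supply-chain.cloud.aquasec.com
          CSPM_URL: https://asia-1.api.cloudsploit.com
          TRIVY_RUN_AS_PLUGIN: 'aqua'

      - name: Aqua Release Artifact
        # Secrets are handed to the script through env rather than interpolated
        # into the script text.
        env:
          AQUA_KEY: ${{ secrets.AQUA_KEY }}
          AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
          # NOTE(review): this job passes the built-in GITHUB_TOKEN to billy while
          # the build job passes the GH_TOKEN secret; confirm which is intended.
          ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          export BILLY_SERVER=https://billy.asia-1.codesec.aquasec.com
          # Explicit https:// — a scheme-less URL makes curl default to plaintext
          # http. -f fails on an HTTP error instead of saving the error page as
          # install.sh; -S still reports errors in silent mode.
          curl -fsSLo install.sh https://download.codesec.aquasec.com/billy/install.sh
          curl -fsSLo install.sh.checksum https://github.com/argonsecurity/releases/releases/latest/download/install.sh.checksum
          # Verify the installer against the published digest before executing it.
          if ! sha256sum --check install.sh.checksum; then
            echo "install.sh checksum failed"
            exit 1
          fi
          BINDIR="." sh install.sh
          rm install.sh install.sh.checksum
          ./billy generate \
            --access-token "$ACCESS_TOKEN" \
            --aqua-key "$AQUA_KEY" \
            --aqua-secret "$AQUA_SECRET" \
            --cspm-url https://asia-1.api.cloudsploit.com \
            --artifact-path "$GITHUB_WORKSPACE"

  build:
    name: Build, Scan, and Push Docker image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Build the Docker image
        run: docker build . --file Dockerfile --tag "$IMAGE_NAME"

      - name: Aqua Image Scanner
        env:
          AQUA_USER: ${{ secrets.AQUA_USER }}          # Aqua Registry
          AQUA_PASSWORD: ${{ secrets.AQUA_PASSWORD }}  # Aqua Registry
          AQUA_TOKEN: ${{ secrets.AQUA_TOKEN }}        # Aqua Scanner authentication
          AQUA_HOST: ${{ secrets.AQUA_HOST }}          # Aqua Scanner authentication
        run: |
          set -euo pipefail
          docker image ls
          # --password-stdin keeps the registry password out of argv (which the
          # docker CLI warns about for -p) and out of the job log.
          echo "$AQUA_PASSWORD" | docker login registry.aquasec.com -u "$AQUA_USER" --password-stdin
          docker pull registry.aquasec.com/scanner:2022.4
          # The scanner reads the locally built image through the host Docker
          # socket; that mount gives the container control of the runner's Docker
          # daemon, so this step receives only the inputs it needs.
          # --local uses IMAGE_NAME so the scanned tag cannot drift from the
          # built/pushed one.
          docker run --rm \
            -v "$GITHUB_WORKSPACE":/tmp \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -e BUILD_NUMBER="$BUILD_NUMBER" \
            -e BUILD_JOB_NAME="$BUILD_NAME" \
            registry.aquasec.com/scanner:2022.4 \
            scan -w /tmp --host "$AQUA_HOST" --token "$AQUA_TOKEN" --show-negligible \
            --local "$IMAGE_NAME" --htmlfile /tmp/out.html --jsonfile /tmp/out.json > /dev/null

      - name: Push Docker image to repository
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}  # Docker Registry
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}  # Docker Registry
        run: |
          set -euo pipefail
          echo "$DOCKER_PASSWORD" | docker login --username "$DOCKER_USERNAME" --password-stdin
          docker push "$IMAGE_NAME"

      - name: Aqua Release Artifact
        # --artifact-path accepts either:
        # The docker image name:tag of the newly built image
        #   --artifact-path "my-image-name:${{ env.tag-version }}"
        # OR the path to the root folder of your project. I.e my-repo/my-app
        #   --artifact-path "${{env.MY_APP_ROOT}}"
        env:
          AQUA_KEY: ${{ secrets.AQUA_KEY }}
          AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
          ACCESS_TOKEN: ${{ secrets.GH_TOKEN }}
        run: |
          set -euo pipefail
          export BILLY_SERVER=https://billy.asia-1.codesec.aquasec.com
          curl -fsSLo install.sh https://download.codesec.aquasec.com/billy/install.sh
          curl -fsSLo install.sh.checksum https://github.com/argonsecurity/releases/releases/latest/download/install.sh.checksum
          # `sha256sum` without --check only hashes the checksum file and always
          # succeeds, so the installer was previously executed unverified in this
          # job; --check compares install.sh against the published digest, as the
          # aqua job already does.
          if ! sha256sum --check install.sh.checksum; then
            echo "install.sh checksum failed"
            exit 1
          fi
          BINDIR="." sh install.sh
          rm install.sh install.sh.checksum
          ./billy generate \
            --access-token "$ACCESS_TOKEN" \
            --aqua-key "$AQUA_KEY" \
            --aqua-secret "$AQUA_SECRET" \
            --cspm-url https://asia-1.api.cloudsploit.com \
            --artifact-path "$IMAGE_NAME"

      - uses: actions/upload-artifact@v3
        # Keep the scan reports even when an earlier step failed; they are the
        # evidence needed to triage that failure.
        if: always()
        with:
          name: aqua-artifact
          path: out.*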