Adds sign command to devguard #774

Workflow file for this run

.github/workflows/devsecops.yaml at 921a9f5

	# DevSecOps Workflow Definition
	# This workflow is triggered on every push to the repository
	name: DevSecOps Workflow


	on:
	pull_request:
	push:
	branches:
	- '*'
	tags:
	- '*'

	# Environment variables used across multiple jobs
	env:
	IMAGE_TAG: ghcr.io/${{ github.repository }}:unstable
	IMAGE_NAME: ghcr.io/${{ github.repository }}

	jobs:
	# Secret scanning job to detect secrets in codebase
	secret-scanning:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	with:
	fetch-depth: 0
	uses: actions/checkout@v4 # Check out the repository content to the runner
	- name: Run Gitleaks Scan
	# Running Gitleaks to scan the code for secrets
	run: \|
	docker run --rm -v $(pwd):/code -u $(id -u):$(id -g) zricethezav/gitleaks:v8.18.3 -s /code detect --baseline-path /code/leaks-baseline.json -v -f sarif -r /code/gitleaks.sarif.json
	- name: Upload sarif file
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: gitleaks.sarif.json
	category: secret-scanning

	sca:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	with:
	fetch-depth: 0
	uses: actions/checkout@v4 # Check out the repository content to the runner
	- name: Set up Git
	run: \|
	git config --global --add safe.directory /github/workspace
	- name: DevGuard SCA
	uses: docker://ghcr.io/l3montree-dev/devguard-scanner@sha256:55736b9dc029762131ea31b7d5ec7a108f07df114520fefa82df28132f554ab8
	with:
	args: devguard-scanner sca --assetName="l3montree-cybersecurity/projects/devguard/assets/devguard" --apiUrl="https://api.main.devguard.org" --token="${{ secrets.DEVGUARD_TOKEN }}" --path="/github/workspace"

	# Static Application Security Testing (SAST) to identify security vulnerabilities in source code
	sast:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	- name: Run Semgrep
	# Running Semgrep for static code analysis to identify security issues
	uses: docker://returntocorp/semgrep
	with:
	args: semgrep scan /github/workspace --sarif -o /github/workspace/semgrep.sarif.json
	- name: Upload sarif file
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: semgrep.sarif.json
	category: sast
	golangci:
	name: lint
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v3
	- uses: actions/setup-go@v5
	with:
	go-version: '1.23'
	cache: false
	- name: golangci-lint
	uses: golangci/golangci-lint-action@v6
	with:
	args: --timeout=30m
	# Require: The version of golangci-lint to use.
	# When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version.
	# When `install-mode` is `goinstall` the value can be v1.2.3, `latest`, or the hash of a commit.
	version: v1.60

	# Optional: working directory, useful for monorepos
	# working-directory: somedir

	# Optional: golangci-lint command line arguments.
	#
	# Note: By default, the `.golangci.yml` file should be at the root of the repository.
	# The location of the configuration file can be changed by using `--config=`
	# args: --timeout=30m --config=/my/path/.golangci.yml --issues-exit-code=0

	# Optional: show only new issues if it's a pull request. The default value is `false`.
	# only-new-issues: true

	# Optional: if set to true, then all caching functionality will be completely disabled,
	# takes precedence over all other caching options.
	# skip-cache: true

	# Optional: if set to true, then the action won't cache or restore ~/go/pkg.
	# skip-pkg-cache: true

	# Optional: if set to true, then the action won't cache or restore ~/.cache/go-build.
	# skip-build-cache: true

	# Optional: The mode to install golangci-lint. It can be 'binary' or 'goinstall'.
	# install-mode: "goinstall"
	tests:
	name: tests
	runs-on: ubuntu-latest

	steps:
	- name: Check out code
	uses: actions/checkout@v4

	- name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version: '1.23'

	- name: Run unittests
	run: go test ./... -cover
	# Docker image build job
	build-image:
	runs-on: ubuntu-latest
	if: github.ref == 'refs/heads/main' \|\| startsWith(github.ref, 'refs/tags/')
	steps:
	- uses: actions/checkout@v4
	- name: Set IMAGE_TAG if tagged
	# Setting the image tag if the push is a tag push
	run: \|
	echo "ghcr.io/${{ github.repository }}:${GITHUB_REF#refs/tags/}" > image-tag.txt
	export IMAGE_TAG=$(cat image-tag.txt)
	echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
	if: startsWith(github.ref, 'refs/tags/')
	- name: Set IMAGE_TAG if not tagged
	run: \|
	branch=${GITHUB_REF##*/}
	sha=${GITHUB_SHA::8}
	ts=$(date +%s)
	echo "ghcr.io/${{ github.repository }}:${branch}-${sha}-${ts}" > image-tag.txt
	export IMAGE_TAG=$(cat image-tag.txt)
	echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
	if: github.ref == 'refs/heads/main'
	- name: Build Docker image with Kaniko
	# Building the Docker image using Kaniko
	id: build_image
	uses: docker://gcr.io/kaniko-project/executor:v1.23.0
	with:
	args: --destination=${{ env.IMAGE_TAG }} --context=/github/workspace --dockerfile=/github/workspace/Dockerfile --no-push --tarPath /github/workspace/image.tar
	- name: Setup crane
	uses: imjasonh/[email protected]
	- name: Use crane to get the digest
	run: crane digest --tarball=image.tar > digest.txt
	- name: Upload artifact
	# Uploading the built Docker image as an artifact
	uses: actions/upload-artifact@v4
	with:
	name: docker-image
	path: image.tar
	- name: Upload digest
	# Uploading the built Docker image digest as an artifact
	uses: actions/upload-artifact@v4
	with:
	name: digest
	path: digest.txt
	- name: Upload image tag
	uses: actions/upload-artifact@v4
	with:
	name: image-tag
	path: image-tag.txt
	# Docker image build job
	build-scanner-image:
	runs-on: ubuntu-latest
	if: github.ref == 'refs/heads/main' \|\| startsWith(github.ref, 'refs/tags/')
	steps:
	- uses: actions/checkout@v4
	- name: Set IMAGE_TAG if tagged
	# Setting the image tag if the push is a tag push
	run: \|
	echo "ghcr.io/${{ github.repository }}-scanner:${GITHUB_REF#refs/tags/}" > scanner-image-tag.txt
	export IMAGE_TAG=$(cat scanner-image-tag.txt)
	echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
	if: startsWith(github.ref, 'refs/tags/')
	- name: Set IMAGE_TAG if not tagged
	run: \|
	branch=${GITHUB_REF##*/}
	sha=${GITHUB_SHA::8}
	ts=$(date +%s)
	echo "ghcr.io/${{ github.repository }}-scanner:${branch}-${sha}-${ts}" > scanner-image-tag.txt
	export IMAGE_TAG=$(cat scanner-image-tag.txt)
	echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
	if: github.ref == 'refs/heads/main'
	- name: Build Docker image with Kaniko
	# Building the Docker image using Kaniko
	id: build_image
	uses: docker://gcr.io/kaniko-project/executor:v1.23.0
	with:
	args: --destination=${{ env.IMAGE_TAG }} --context=/github/workspace --dockerfile=/github/workspace/Dockerfile.scanner --no-push --tarPath /github/workspace/scanner-image.tar
	- name: Setup crane
	uses: imjasonh/[email protected]
	- name: Use crane to get the digest
	run: crane digest --tarball=scanner-image.tar > scanner-digest.txt
	- name: Upload artifact
	# Uploading the built Docker image as an artifact
	uses: actions/upload-artifact@v4
	with:
	name: scanner-docker-image
	path: scanner-image.tar
	- name: Upload digest
	# Uploading the built Docker image digest as an artifact
	uses: actions/upload-artifact@v4
	with:
	name: scanner-digest
	path: scanner-digest.txt
	- name: Upload image tag
	uses: actions/upload-artifact@v4
	with:
	name: scanner-image-tag
	path: scanner-image-tag.txt

	# Image scanning job to detect vulnerabilities in the built Docker image
	image-scanning:
	needs: build-image
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- uses: actions/download-artifact@v4
	with:
	name: docker-image
	path: .
	# Running Trivy to scan the Docker image for vulnerabilities
	- name: Set up Git
	run: \|
	git config --global --add safe.directory /github/workspace
	- name: DevGuard Container-Scanning
	uses: docker://ghcr.io/l3montree-dev/devguard-scanner@sha256:55736b9dc029762131ea31b7d5ec7a108f07df114520fefa82df28132f554ab8
	with:
	args: devguard-scanner container-scanning --assetName="l3montree-cybersecurity/projects/devguard/assets/devguard" --apiUrl="https://api.main.devguard.org" --token="${{ secrets.DEVGUARD_TOKEN }}" --path="/github/workspace/image.tar"

	# Image scanning job to detect vulnerabilities in the built Docker image
	scanner-image-scanning:
	needs: build-image
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- uses: actions/download-artifact@v4
	with:
	name: docker-image
	path: .
	# Running Trivy to scan the Docker image for vulnerabilities
	- name: Set up Git
	run: \|
	git config --global --add safe.directory /github/workspace
	- name: DevGuard Container-Scanning
	uses: docker://ghcr.io/l3montree-dev/devguard-scanner@sha256:55736b9dc029762131ea31b7d5ec7a108f07df114520fefa82df28132f554ab8
	with:
	args: devguard-scanner container-scanning --assetName="l3montree-cybersecurity/projects/devguard/assets/devguard" --apiUrl="https://api.main.devguard.org" --token="${{ secrets.DEVGUARD_TOKEN }}" --path="/github/workspace/image.tar"

	# Publish job to push the Docker image to a registry
	publish:
	needs: [build-image, image-scanning, secret-scanning, sca, sast, golangci, tests]
	runs-on: ubuntu-latest
	if: github.ref == 'refs/heads/main' \|\| startsWith(github.ref, 'refs/tags/')
	steps:
	- uses: actions/download-artifact@v4
	with:
	name: docker-image
	path: .
	- uses: actions/download-artifact@v4
	with:
	name: image-tag
	path: .
	- name: set IMAGE_TAG env
	run: \|
	export IMAGE_TAG=$(cat image-tag.txt)
	echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
	- uses: imjasonh/[email protected]
	- name: Push Docker image to GitHub image Registry
	# Pushing the Docker image to GitHub Container Registry
	run: crane push image.tar ${{ env.IMAGE_TAG }}

	publish-scanner:
	needs: [build-scanner-image, scanner-image-scanning, secret-scanning, sca, sast, golangci, tests]
	runs-on: ubuntu-latest
	if: github.ref == 'refs/heads/main' \|\| startsWith(github.ref, 'refs/tags/')
	steps:
	- uses: actions/download-artifact@v4
	with:
	name: scanner-docker-image
	path: .
	- uses: actions/download-artifact@v4
	with:
	name: scanner-image-tag
	path: .
	- name: set IMAGE_TAG env
	run: \|
	export IMAGE_TAG=$(cat scanner-image-tag.txt)
	echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
	- uses: imjasonh/[email protected]
	- name: Push Docker image to GitHub image Registry
	# Pushing the Docker image to GitHub Container Registry
	run: crane push scanner-image.tar ${{ env.IMAGE_TAG }}

	sign-scanner-image:
	runs-on: ubuntu-latest
	needs: [publish-scanner]
	if: github.ref == 'refs/heads/main' \|\| startsWith(github.ref, 'refs/tags/')
	steps:
	- name: cosign-installer
	uses: sigstore/[email protected]
	with:
	cosign-release: 'v2.2.3' # optional
	- name: Download digest
	uses: actions/download-artifact@v4
	with:
	name: scanner-digest
	path: .
	- name: Download image tag
	uses: actions/download-artifact@v4
	with:
	name: scanner-image-tag
	path: .
	- name: Read digest and image tag from file
	run: \|
	export IMAGE_DIGEST=$(cat scanner-digest.txt)
	echo "IMAGE_DIGEST=$IMAGE_DIGEST" >> $GITHUB_ENV
	export IMAGE_TAG=$(cat scanner-image-tag.txt)
	echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
	- name: Login to GitHub Container Registry
	uses: docker/[email protected]
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Write signing key to disk (only needed for `cosign sign --key`)
	run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
	- name: Sign the published Docker image
	env:
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	run: cosign sign --yes --key cosign.key "$(cat scanner-image-tag.txt)@${{ env.IMAGE_DIGEST }}"


	sign-image:
	runs-on: ubuntu-latest
	needs: publish
	if: github.ref == 'refs/heads/main' \|\| startsWith(github.ref, 'refs/tags/')
	steps:
	- name: cosign-installer
	uses: sigstore/[email protected]
	with:
	cosign-release: 'v2.2.3' # optional
	- name: Download digest
	uses: actions/download-artifact@v4
	with:
	name: digest
	path: .
	- name: Download image tag
	uses: actions/download-artifact@v4
	with:
	name: image-tag
	path: .
	- name: Read digest and image tag from file
	run: \|
	export IMAGE_DIGEST=$(cat digest.txt)
	echo "IMAGE_DIGEST=$IMAGE_DIGEST" >> $GITHUB_ENV
	export IMAGE_TAG=$(cat image-tag.txt)
	echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
	- name: Login to GitHub Container Registry
	uses: docker/[email protected]
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Write signing key to disk (only needed for `cosign sign --key`)
	run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
	- name: Sign the published Docker image
	env:
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	run: cosign sign --yes --key cosign.key "$(cat image-tag.txt)@${{ env.IMAGE_DIGEST }}"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Adds sign command to devguard #774

Workflow file

Adds sign command to devguard #774

Jobs

Run details

Workflow file for this run