Update Dockerfile-mvn-no-local #51
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Docker Maven Build and Push Docker Image to MDACA ECR | |
on: | |
schedule: | |
- cron: '0 23 * * 0' | |
push: | |
branches: | |
- mdaca-3.0.1 | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Build and Push Docker Image | |
env: | |
IMAGE_TAG: 3.0.1.1 | |
ECR_REPOSITORY: mdaca/ohdsi/webapi | |
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_REGION: ${{ secrets.AWS_REGION }} | |
CODEARTIFACT_DOMAIN: ${{ secrets.CODEARTIFACT_DOMAIN }} | |
run: | | |
# Set AWS credentials for ECR and CodeArtifact | |
aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID | |
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY | |
aws configure set default.region $AWS_REGION | |
echo "Running Maven Build" | |
CODEARTIFACT_TOKEN_FILE=${{ github.workspace }}/codeartifact-auth | |
# Fetch CodeArtifact authorization token | |
aws codeartifact get-authorization-token \ | |
--domain $CODEARTIFACT_DOMAIN \ | |
--domain-owner $AWS_ACCOUNT_ID \ | |
--region $AWS_REGION \ | |
--query authorizationToken \ | |
--output text > $CODEARTIFACT_TOKEN_FILE | |
export CODEARTIFACT_AUTH_TOKEN=$(cat $CODEARTIFACT_TOKEN_FILE) | |
echo "$CODEARTIFACT_AUTH_TOKEN" | |
# Login to ECR | |
aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com | |
REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com | |
# Build the Docker image | |
docker build --build-arg CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN -f Dockerfile-mvn-no-local -t $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . | |
# Push the Docker image to ECR | |
docker push $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG | |
# Tag the image as 'latest' | |
docker tag $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG $REGISTRY/$ECR_REPOSITORY:latest | |
# Push the 'latest' tag to ECR | |
docker push $REGISTRY/$ECR_REPOSITORY:latest | |
security: | |
runs-on: ubuntu-latest | |
needs: build | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
- name: Download Docker Image from ECR | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_REGION: ${{ secrets.AWS_REGION }} | |
IMAGE_TAG: 3.0.1.1 | |
ECR_REPOSITORY: mdaca/ohdsi/webapi | |
run: | | |
# Set ENV for AW Cred | |
aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID | |
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY | |
aws configure set default.region $AWS_REGION | |
# Get token from ECR and Docker login | |
aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com | |
IMAGE_TAG=3.0.1 | |
docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG | |
docker images | |
- name: Install Trivy | |
run: | | |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin | |
- name: Scan Docker Image with Trivy | |
env: | |
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | |
AWS_REGION: ${{ secrets.AWS_REGION }} | |
IMAGE_TAG: 3.0.1.1 | |
ECR_REPOSITORY: mdaca/ohdsi/webapi | |
run: | | |
trivy image --severity HIGH,CRITICAL $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG | |
trivy image --format json $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > OHDSI-Webapi.json | |
jq -r '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | [.SeveritySource, .VulnerabilityID, .PkgName, .PkgPath, .InstalledVersion, .FixedVersion, .Status, .Severity] | @csv' OHDSI-Webapi.json > OHDSI-Webapi-Trivy.csv | |
- name: Install Syft | |
run: | | |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin | |
- name: Generate SBOM with Syft | |
env: | |
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | |
AWS_REGION: ${{ secrets.AWS_REGION }} | |
IMAGE_TAG: 3.0.1.1 | |
ECR_REPOSITORY: mdaca/ohdsi/webapi | |
run: | | |
syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG | |
syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > OHDSI-Webapi-sbom.tf | |
- name: Upload Reports | |
uses: actions/upload-artifact@v4 | |
with: | |
name: trivy-and-sbom-reports | |
path: | | |
OHDSI-Webapi-Trivy.csv | |
OHDSI-Webapi-sbom.tf |