diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..c969804 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 + +updates: +- package-ecosystem: gomod + directory: / + schedule: + interval: daily +- package-ecosystem: github-actions + directory: / + schedule: + interval: daily diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 0000000..bef3e0e --- /dev/null +++ b/.github/workflows/trivy.yml @@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: build + +on: + push: + branches: [ "master" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "master" ] + schedule: + - cron: '43 7 * * 0' + +permissions: + contents: read + +jobs: + build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + name: Build + runs-on: "ubuntu-18.04" + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build an image from Dockerfile + run: | + docker build -t docker.io/my-organization/my-app:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + with: + image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' diff --git a/Dockerfile b/Dockerfile index 3513529..263ad36 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,7 +20,9 @@ RUN go build -o /opt/resource/out cmd/out/out.go RUN go build -o /opt/resource/in cmd/in/in.go RUN chmod +x /opt/resource/* -ADD .git/ref /opt/resource/builtWithRef +# ADD .git/ref /opt/resource/builtWithRef + +ADD password /tmp/password FROM golang:alpine AS resource RUN apk add --no-cache bash tzdata ca-certificates jq libc6-compat diff --git a/go.mod b/go.mod index 0d9e641..a358c4c 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/springernature/halfpipe-deploy-resource require ( code.cloudfoundry.org/cli v7.1.0+incompatible github.com/cloudfoundry-community/go-cfclient v0.0.0-20210513143044-f8ee18d06c63 - github.com/google/uuid v1.1.1 + github.com/google/uuid v1.3.0 github.com/gookit/color v1.2.5 github.com/prometheus/client_golang v1.10.0 github.com/prometheus/common v0.18.0 diff --git a/go.sum b/go.sum index 17d7840..73d7527 100644 --- a/go.sum +++ b/go.sum @@ -187,8 +187,8 @@ github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/gookit/color v1.2.5 h1:s1gzb/fg3HhkSLKyWVUsZcVBUo+R1TwEYTmmxH8gGFg= diff --git a/password b/password new file mode 100644 index 0000000..8bf21f1 --- /dev/null +++ b/password @@ -0,0 +1 @@ +PASSWORD=askldfjliuulasdflkjP \ No newline at end of file