diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index af1751f..8c4b678 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -16,7 +16,9 @@
 "customizations": {
 "vscode": {
 "extensions": [
- "redhat.vscode-yaml"
+ "redhat.vscode-yaml",
+ "ms-azuretools.vscode-containers",
+ "docker.docker"
 ],
 "settings": {
 "yaml.schemas": {
diff --git a/.devcontainer/installMoreTools.sh b/.devcontainer/installMoreTools.sh
index 8ce4b35..b388723 100644
--- a/.devcontainer/installMoreTools.sh
+++ b/.devcontainer/installMoreTools.sh
@@ -23,5 +23,8 @@ sudo mv ./kind /usr/local/bin/kind
 sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
 sudo chmod +x /usr/bin/yq
 
+sudo curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
+sh install-scout.sh
+
 cd ..
 rm -rf install-more-tools
diff --git a/.github/workflows/open-pr.yml b/.github/workflows/open-pr.yml
index 664bcd3..5351339 100644
--- a/.github/workflows/open-pr.yml
+++ b/.github/workflows/open-pr.yml
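Review bot: The new Docker Scout install fetches `install.sh` from the moving `main` branch of docker/scout-cli and runs it with no version pin or checksum check, so whatever that script contains on a given day is executed inside the dev container; pin the URL to a release tag (`https://raw.githubusercontent.com/docker/scout-cli/<RELEASE_TAG>/install.sh`) and compare the download against a checksum recorded alongside the pin before the `sh install-scout.sh` line. The `sudo` on the `curl` line is unnecessary — it only writes `install-scout.sh` into the working directory — and leaves a root-owned file next to the unprivileged `sh` that follows. The yq download above has the same unpinned `latest` pattern, but it is not part of this change. The enclosing script starts before the hunk, so whether it runs under `set -e` (so a failed download stops the script instead of `sh` running a missing file) is not visible here.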
@@ -8,6 +8,55 @@ env:
 SCORE_K8S_VERSION: 'latest'
 WORKLOAD_NAME: my-sample-workload
 jobs:
+ scan-and-compare:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: checkout code
+ uses: actions/checkout@v5
+ - name: Set up Docker
+ uses: docker/setup-docker-action@v4
+ with:
+ daemon-config: |
+ {
+ "debug": true,
+ "features": {
+ "containerd-snapshotter": true
+ }
+ }
+ - name: docker login
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKER_USER }}
+ password: ${{ secrets.DOCKER_PAT }}
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build container image
+ uses: docker/build-push-action@v6
+ with:
+ context: app/
+ push: false
+ load: true
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ provenance: mode=max
+ sbom: true
+ tags: ${{ env.WORKLOAD_NAME }}:test
+ - name: docker images
+ run: |
+ docker images
+ - name: Docker Scout
+ id: docker-scout
+ if: ${{ github.event_name == 'pull_request' }}
+ uses: docker/scout-action@v1
+ with:
+ command: quickview
+ image: local://${{ env.WORKLOAD_NAME }}:test
+ to: ghcr.io/mathieu-benoit/my-sample-workload:latest
+ write-comment: true
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ - name: docker scout version
+ run: |
+ docker scout version
 multi-arch-build:
 runs-on: ubuntu-latest
 steps:
@@ -24,6 +73,8 @@ jobs:
 platforms: linux/amd64,linux/arm64
 file: app/Dockerfile
 push: false
+ provenance: mode=max
+ sbom: true
 tags: "${{ env.WORKLOAD_NAME }}:test"
 make-compose-test:
 runs-on: ubuntu-24.04
@@ -47,7 +98,7 @@ jobs:
 steps:
 - name: checkout code
 uses: actions/checkout@v5
- - name: make kind-create-cluster
+ - name: docker build
 run: |
 docker build -t ${{ env.WORKLOAD_NAME }}:test app/
 - name: make kind-create-cluster
diff --git a/Makefile b/Makefile
index 308ea7a..89b9b80 100644
--- a/Makefile
+++ b/Makefile
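Review bot: The `Docker Scout` step sets `write-comment: true` with `github-token: ${{ secrets.GITHUB_TOKEN }}`, but the new `scan-and-compare` job declares no `permissions:` block; the workflow's top-level `permissions:` (if any) is outside this hunk, and posting the comment needs `pull-requests: write` while nothing else in the job needs more than `contents: read`, so declare exactly that at job level: `permissions:` / `  contents: read` / `  pull-requests: write`. The `docker login` step runs unconditionally while the Scout step it appears to serve is gated on `pull_request`; on pull requests opened from forks the `DOCKER_USER`/`DOCKER_PAT` secrets are not populated, so the login step would likely fail before the gated step is ever skipped — consider gating the login with the same `if:`, or document that the job only works for same-repository PRs. Minor: `tags: ${{ env.WORKLOAD_NAME }}:test` is unquoted here but written as `"${{ env.WORKLOAD_NAME }}:test"` in the `multi-arch-build` hunk below; pick one form for the file.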
@@ -15,6 +15,16 @@ WORKLOAD_NAME = my-sample-workload
 CONTAINER_NAME = my-sample-container
 CONTAINER_IMAGE = ${WORKLOAD_NAME}:test
 
+## Manually build the container image.
+.PHONY: build-container
+build-container:
+ docker build -t ${CONTAINER_IMAGE} --sbom=true --provenance=true app/
+
+## Manually buildx the container image.
+.PHONY: buildx-container
+buildx-container:
+ docker buildx build -t ${CONTAINER_IMAGE} --load --attest type=provenance,mode=max app/
+
 .score-compose/state.yaml:
 score-compose init \
 --no-sample \
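Review bot: `buildx-container` requests only a provenance attestation (`--attest type=provenance,mode=max`) while `build-container` and the workflow's `build-push-action` steps request both provenance and an SBOM, so the two local targets produce different attestation sets for the same `${CONTAINER_IMAGE}`; add the SBOM to the buildx recipe: `docker buildx build -t ${CONTAINER_IMAGE} --load --attest type=provenance,mode=max --attest type=sbom app/`. `build-container` uses `--provenance=true` rather than an explicit mode, so whether it ends up at the same `mode=max` as the buildx target depends on the BuildKit default; stating the intended mode in the `##` comment (or passing it explicitly) would remove the ambiguity. Attestations on a plain `docker build` with the default driver depend on the containerd image store, which the workflow enables through `daemon-config` but nothing in this diff enables for the dev container — worth confirming that the local setup supports it, otherwise `build-container` will fail where `buildx-container` succeeds.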