ci: test

Signed-off-by: r3drun3 <simone.ragonesi@sighup.io>
R3DRUN3 · Jan 11, 2024 · be4c36c · be4c36c
1 parent 87deda2
commit be4c36c
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 39 deletions.
diff --git a/.github/workflows/patch.yaml b/.github/workflows/patch.yaml
@@ -13,9 +13,8 @@ jobs:
           fail-fast: false
           matrix:
             # provide relevant list of images to scan on each run
-            images: ['mcr.microsoft.com/dotnet/aspnet:7.0.15-alpine3.18', 'docker.io/library/node:18.17.1-slim']
-            # images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0', 'mcr.microsoft.com/dotnet/aspnet:7.0.15-alpine3.18',
-            #         'docker.io/library/golang:1.18.10', 'docker.io/library/node:18.17.1-slim', 'docker.io/library/rust:1.69.0']
+            images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0', 'mcr.microsoft.com/dotnet/aspnet:7.0.15-alpine3.18',
+                    'docker.io/library/golang:1.18.10', 'docker.io/library/node:18.17.1-slim', 'docker.io/library/rust:1.69.0']
 
         steps:
         - name: Set up Docker Buildx
@@ -38,20 +37,13 @@ jobs:
             vuln_count=$(jq '.Results | length' "$report_file")
             echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
 
-        # - name: Set Tag
-        #   id: set_tag
-        #   run: |
-        #     TAG=$(echo "${{ matrix.images }}" | cut -d':' -f2 | cut -d'/' -f2 | sed 's/[^0-9.]*//g')
-        #     echo "PATCHED_TAG=$TAG-immunized" >> $GITHUB_ENV
-
         - name: Set Tag
           id: set_tag
           run: |
             TAG=$(echo "${{ matrix.images }}" | grep -oP '(?<=:).*' | grep -oP '^[^/]+')
             IMMUNIZED_TAG="${TAG}-immunized"
             echo "PATCHED_TAG=${IMMUNIZED_TAG}" >> $GITHUB_ENV
 
-
         - name: Copa Action
           if: steps.vuln_count.outputs.vuln_count != '0'
           id: copa
@@ -78,7 +70,6 @@ jobs:
           run: |
             docker tag ${{ steps.copa.outputs.patched-image }} ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}
 
-
         - name: Docker Push Patched Image
           id: push
           if: steps.login.conclusion == 'success'

diff --git a/README.md b/README.md
@@ -16,34 +16,49 @@ Specifically, the list of container images to patch is specified within the stra
 ```yaml
 images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0']
 ```  
-Following are the steps in the pipeline:  
-1. **Set up Docker Buildx**
-   - Action: `docker/setup-buildx-action`
-   - Description: Sets up Docker Buildx for building multi-platform Docker images.
+Following is an high-level description of the pipeline jobs and steps:  
+## Immunize Job
+### Overview:
+
+This job is triggered on every push event (excluding changes to README.md) and focuses on scanning and immunizing Docker images for security vulnerabilities.
+### Steps: 
+1. **Set up Docker Buildx:**  
+   - Uses the `docker/setup-buildx-action` to set up Docker Buildx for multi-platform builds. 
+2. **Generate Trivy Report:**  
+   - Utilizes the `aquasecurity/trivy-action` to scan specified Docker images for OS vulnerabilities and generates a JSON report. 
+3. **Check Vuln Count:**  
+   - Parses the Trivy report using `jq` to count the number of vulnerabilities and outputs the count to the GitHub environment. 
+4. **Set Tag:** 
+   - Extracts the tag from the Docker image reference and appends "-immunized" to create a new tag. Sets this new tag in the GitHub environment. 
+5. **Copa Action:**  
+   - Conditionally executes the `project-copacetic/copa-action` if vulnerabilities are found.
+   - Utilizes Copa to apply security patches to the Docker image, generating a patched image and a detailed report.  
+6. **Log into ghcr:**  
+   - Logs into GitHub Container Registry (ghcr.io) using the `docker/login-action` with the GitHub token. 
+7. **Tag Image for GHCR:** 
+   - Tags the patched Docker image and prepares it for pushing to GitHub Container Registry. 
+8. **Docker Push Patched Image:** 
+   - Pushes the patched Docker image to GitHub Container Registry for storage and distribution.  
+
+## Send-Mail-Report Job
+### Overview:
+
+This job is dependent on the completion of the "Immunize" job and is responsible for sending an email report.  
+If you dont need this job you can comment it out in the pipeline manifest.  
+### Steps: 
+1. **Checkout Repository:** 
+   - Checks out the repository to access necessary files and scripts. 
+2. **Send Mail Report:**  
+   - Executes a Python script (`send_mail_report.py`) located in the repository, sending a report via email.  
+   - Configures email recipient addresses, sender address, and password using secrets.  
+3. **Report Example**:  
+
+
+
+> [!Note]
+> The pateched images can be found [here](https://github.com/R3DRUN3?tab=packages&repo_name=immunize).  
 
-2. **Generate Trivy Report**
-   - Action: `aquasecurity/trivy-action`
-   - Description: Scans Docker images for vulnerabilities using Trivy, generates a JSON report, and ignores unfixed vulnerabilities.
 
-3. **Check Vuln Count**
-   - Description: Uses *jq* to count the number of vulnerabilities in the Trivy report and outputs the count to `$GITHUB_OUTPUT`.
-
-4. **Copa Action**
-   - Action: `project-copacetic/copa-action`
-   - Description: Runs Copa Action to handle vulnerabilities based on the Trivy report.  
-   If vulnerabilities are present, it immunizes the image.
-
-1. **Log into ghcr**
-   - Action: `docker/login-action`
-   - Description: Logs into GitHub Container Registry (ghcr.io) using the GitHub token if the Copa Action was successful.
-
-2. **Tag Image for GHCR**
-   - Description: Tags the immunized Docker image for GitHub Container Registry (*GHCR*) using the patched image from the Copa Action.
-
-3. **Docker Push Patched Image**
-   - Description: Pushes the tagged immunized Docker image to GitHub Container Registry (GHCR) if the login was successful.
-
-The pateched images can be found [here](https://github.com/R3DRUN3?tab=packages&repo_name=immunize).  
 
 
 To perform image pulls, authentication is not required; however, GitHub may prompt for a token if the API call limit is exceeded.  
@@ -74,8 +89,8 @@ Total: 41 (UNKNOWN: 0, LOW: 11, MEDIUM: 21, HIGH: 9, CRITICAL: 0)
 
 And then on the immunized version of that same image:  
 ```console
-docker pull ghcr.io/r3drun3/immunize/docker.io/openpolicyagent/opa:immunized \
-&& trivy image ghcr.io/r3drun3/immunize/docker.io/openpolicyagent/opa:immunized
+docker pull ghcr.io/r3drun3/immunize/docker.io/openpolicyagent/opa:0.46.0-immunized \
+&& trivy image ghcr.io/r3drun3/immunize/docker.io/openpolicyagent/opa:0.46.0-immunized
 ```  
 
 Output for OS CVEs: