create v100.1.0 container

2026-02-06 10:47:23 +00:00 · 2023-02-28 17:52:50 +01:00 · 2023-02-28 17:52:50 +01:00 · 0169409783
commit 0169409783
parent ae829d6de2
4 changed files with 64 additions and 1 deletions
--- a/.github/Dockerfile_PreBuild
+++ b/.github/Dockerfile_PreBuild
@ -1,4 +1,4 @@
-FROM jetty:9.4-jre11-slim
+FROM jetty:9.4.49-jre11-alpine

 # Copy OBP source code
 # Copy build artifact (.war file) into jetty from 'maven' stage.
--- a/.github/Dockerfile_PreBuild_OC
+++ b/.github/Dockerfile_PreBuild_OC
@ -0,0 +1,10 @@
+FROM jetty:9.4.49-jre11-alpine
+
+# Copy OBP source code
+# Copy build artifact (.war file) into jetty from 'maven' stage.
+COPY /target/API_Explorer-1.0.war /var/lib/jetty/webapps/ROOT.war
+USER root
+RUN chgrp -R 0 /tmp/jetty && chmod -R g+rwX /tmp/jetty
+RUN chgrp -R 0 /var/lib/jetty && chmod -R g+rwX /var/lib/jetty
+RUN chgrp -R 0 /usr/local/jetty && chmod -R g+rwX /usr/local/jetty
+USER jetty
--- a/.github/workflows/build_package.yml
+++ b/.github/workflows/build_package.yml
@ -26,6 +26,7 @@ jobs:
        run: |
          echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login -u "${{ secrets.DOCKER_HUB_USERNAME }}" --password-stdin docker.io
          docker build . --file .github/Dockerfile_PreBuild --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:v100.1.0
+          docker build . --file .github/Dockerfile_PreBuild_OC  --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA-OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:v100.1.0-OC
          docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }} --all-tags
          echo docker done

--- a/.github/workflows/run_trivy.yml
+++ b/.github/workflows/run_trivy.yml
@ -0,0 +1,52 @@
+name: scan container image
+
+on:
+  workflow_run:
+    workflows: [build and publish container]
+    types:
+      - completed
+env:
+  ## Sets environment variable
+  DOCKER_HUB_ORGANIZATION: openbankproject
+  DOCKER_HUB_REPOSITORY: obp-api
+
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+      - uses: actions/checkout@v3
+      - id: trivy-db
+        name: Check trivy db sha
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
+          headers='Accept: application/vnd.github+json'
+          jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
+          sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
+          echo "Trivy DB sha256:${sha}"
+          echo "::set-output name=sha::${sha}"
+      - uses: actions/cache@v3
+        with:
+          path: .trivy
+          key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db.outputs.sha }}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.sha }}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          security-checks: 'vuln'
+          severity: 'CRITICAL,HIGH'
+          timeout: '30m'
+          cache-dir: .trivy
+      - name: Fix .trivy permissions
+        run: sudo chown -R $(stat . -c %u:%g) .trivy
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'