MDACA 3.0.1 #654
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Maven Build and Push Docker Image to MDACA ECR | ||
| on: | ||
| push: | ||
| branches: | ||
| - mdaca-3.0.1 | ||
| jobs: | ||
| build: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v3 | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
| - name: Build and Push Docker Image | ||
| env: | ||
| IMAGE_TAG: 3.0.1 | ||
| ECR_REPOSITORY: mdaca/ohdsi/webapi | ||
| AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| AWS_REGION: ${{ secrets.AWS_REGION }} | ||
| run: | | ||
| # Set ENV for AWS ECR and CodeArtifact Creds | ||
| aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID | ||
| aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY | ||
| aws configure set default.region $AWS_REGION | ||
| echo "Running Maven Build" | ||
| CODEARTIFACT_TOKEN_FILE=${{ github.workspace }}/codeartifact-auth | ||
| aws codeartifact get-authorization-token \ | ||
| --domain ${{ secrets.CODEARTIFACT_DOMAIN }} \ | ||
| --domain-owner $AWS_ACCOUNT_ID \ | ||
| --region $AWS_REGION \ | ||
| --query authorizationToken \ | ||
| --output text > $CODEARTIFACT_TOKEN_FILE | ||
| export CODEARTIFACT_AUTH_TOKEN=$(cat $CODEARTIFACT_TOKEN_FILE) | ||
| echo "$CODEARTIFACT_AUTH_TOKEN" | ||
| # Get token from ECR and Docker login | ||
| aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com | ||
| REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com | ||
| # Build the Docker image | ||
| docker build --build-arg CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN -f Dockerfile-mvn-no-local -t $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . | ||
| # Push the Docker image | ||
| docker push $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG | ||
| # Add latest tag | ||
| docker tag $REGISTRY/$REPOSITORY:$IMAGE_TAG $REGISTRY/$REPOSITORY:latest | ||
| # push latest Docker Image | ||
| docker push $REGISTRY/$REPOSITORY:latest | ||
| security: | ||
| runs-on: ubuntu-latest | ||
| needs: build | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v3 | ||
| - name: Download Docker Image from ECR | ||
| env: | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| AWS_REGION: ${{ secrets.AWS_REGION }} | ||
| IMAGE_TAG: 3.0.1 | ||
| ECR_REPOSITORY: mdaca/ohdsi/webapi | ||
| run: | | ||
| # Set ENV for AW Cred | ||
| aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID | ||
| aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY | ||
| aws configure set default.region $AWS_REGION | ||
| # Get token from ECR and Docker login | ||
| aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com | ||
| IMAGE_TAG=3.0.1 | ||
| docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG | ||
| docker images | ||
| - name: Install Trivy | ||
| run: | | ||
| curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin | ||
| - name: Scan Docker Image with Trivy | ||
| env: | ||
| AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | ||
| AWS_REGION: ${{ secrets.AWS_REGION }} | ||
| IMAGE_TAG: 3.0.1 | ||
| ECR_REPOSITORY: mdaca/ohdsi/webapi | ||
| run: | | ||
| trivy image --severity HIGH,CRITICAL $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG | ||
| trivy image --format json $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > OHDSI-Webapi.json | ||
| jq -r '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | [.SeveritySource, .VulnerabilityID, .PkgName, .PkgPath, .InstalledVersion, .FixedVersion, .Status, .Severity] | @csv' OHDSI-Webapi.json > OHDSI-Webapi-Trivy.csv | ||
| - name: Install Syft | ||
| run: | | ||
| curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin | ||
| - name: Generate SBOM with Syft | ||
| env: | ||
| AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | ||
| AWS_REGION: ${{ secrets.AWS_REGION }} | ||
| IMAGE_TAG: 3.0.1 | ||
| ECR_REPOSITORY: mdaca/ohdsi/webapi | ||
| run: | | ||
| syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG | ||
| syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > OHDSI-WEBAPI-sbom.tf | ||
| - name: Upload Reports | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: trivy-and-sbom-reports | ||
| path: | | ||
| OHDSI-Webapi.csv | ||
| OHDSI-Webapi-sbom.tf | ||
