diff --git a/.github/workflows/pr-checker.yml b/.github/workflows/pr-checker.yml deleted file mode 100644 index 036c7edd3..000000000 --- a/.github/workflows/pr-checker.yml +++ /dev/null @@ -1,97 +0,0 @@ -name: pullrequest-build-and-scan -on: - pull_request: - types: [opened, synchronize, reopened] - branches: - - ci_dev - - ci_prod -jobs: - LINUX-build-and-scan: - runs-on: ubuntu-latest - steps: - - name: Set-workflow-initiator - run: echo "Initiated by - ${GITHUB_ACTOR}" - - name: Set-branch-name-for-pr - if: ${{ github.event_name == 'pull_request' }} - run: echo "BRANCH_NAME=$(echo ${GITHUB_HEAD_REF} | tr / _)" >> $GITHUB_ENV - - name: Set-Env - run: echo "ENV=dev" >> $GITHUB_ENV - - name: Set-ACR-Registry - run: echo "ACR_REGISTRY=containerinsightsprod.azurecr.io" >> $GITHUB_ENV - - name: Set-ACR-Repository - run: echo "ACR_REPOSITORY=/public/azuremonitor/containerinsights/cidev" >> $GITHUB_ENV - - name: Set-image-tag-name - run: echo "IMAGE_TAG_NAME=cidev" >> $GITHUB_ENV - - name: Set-image-tag-suffix - run: echo "IMAGE_TAG_DATE=$(date +%m-%d-%Y)" >> $GITHUB_ENV - - name: Set-commit-sha - run: echo "COMMIT_SHA=${GITHUB_SHA::8}" >> $GITHUB_ENV - - name: Set-image-tag - run: echo "IMAGETAG=${ACR_REGISTRY}${ACR_REPOSITORY}:${IMAGE_TAG_NAME}-${BRANCH_NAME}-${IMAGE_TAG_DATE}-${COMMIT_SHA}" >> $GITHUB_ENV - - name: Set-image-telemetry-tag - run: echo "IMAGETAG_TELEMETRY=${IMAGE_TAG_NAME}-${BRANCH_NAME}-${IMAGE_TAG_DATE}-${COMMIT_SHA}" >> $GITHUB_ENV - - name: Set-Helm-OCI-Experimental-feature - run: echo "HELM_EXPERIMENTAL_OCI=1" >> $GITHUB_ENV - - name: Set-Helm-chart-version - run: echo "HELM_CHART_VERSION=0.0.1" >> $GITHUB_ENV - - name: Set-Helm-tag - run: echo "HELMTAG=${ACR_REGISTRY}${ACR_REPOSITORY}:${IMAGE_TAG_NAME}-chart-${BRANCH_NAME}-${HELM_CHART_VERSION}-${IMAGE_TAG_DATE}-${COMMIT_SHA}" >> $GITHUB_ENV - - name: Checkout-code - uses: actions/checkout@v2 - - name: Show-versions-On-build-machine - run: lsb_release -a && go version && helm version && docker version - - name: Install-build-dependencies - run: sudo apt-get install build-essential -y - - name: Build-source-code - run: cd ./build/linux/ && make - - name: Create-docker-image - run: | - cd ./kubernetes/linux/ && docker build . --file Dockerfile -t $IMAGETAG --build-arg IMAGE_TAG=$IMAGETAG_TELEMETRY - - name: List-docker-images - run: docker images --digests --all - - name: Run-trivy-scanner-on-docker-image - uses: aquasecurity/trivy-action@master - with: - image-ref: "${{ env.IMAGETAG }}" - format: 'table' - severity: 'CRITICAL,HIGH' - vuln-type: 'os,library' - exit-code: '1' - timeout: '5m0s' - ignore-unfixed: true - WINDOWS-build: - runs-on: windows-2019 - steps: - - name: Set-workflow-initiator - run: echo ("Initiated by -" + $env:GITHUB_ACTOR) - - name: Set-branch-name-for-pr - if: ${{ github.event_name == 'pull_request' }} - run: echo ("BRANCH_NAME=" + $env:GITHUB_HEAD_REF.replace('/','_')) >> $env:GITHUB_ENV - - name: Set-Env - run: echo ("ENV=dev") >> $env:GITHUB_ENV - - name: Set-ACR-Registry - run: echo ("ACR_REGISTRY=containerinsightsprod.azurecr.io") >> $env:GITHUB_ENV - - name: Set-ACR-Repository - run: echo ("ACR_REPOSITORY=/public/azuremonitor/containerinsights/cidev") >> $env:GITHUB_ENV - - name: Set-image-tag-name - run: echo ("IMAGE_TAG_NAME=cidev-win") >> $env:GITHUB_ENV - - name: Set-image-tag-suffix - run: echo ("IMAGE_TAG_DATE="+ (Get-Date -Format "MM-dd-yyyy")) >> $env:GITHUB_ENV - - name: Set-commit-sha - run: echo ("COMMIT_SHA=" + $env:GITHUB_SHA.SubString(0,8)) >> $env:GITHUB_ENV - - name: Set-image-tag - run: echo ("IMAGETAG=" + $env:ACR_REGISTRY + $env:ACR_REPOSITORY + ":" + $env:IMAGE_TAG_NAME + "-" + $env:BRANCH_NAME + "-" + $env:IMAGE_TAG_DATE + "-" + $env:COMMIT_SHA) >> $env:GITHUB_ENV - - name: Set-image-telemetry-tag - run: echo ("IMAGETAG_TELEMETRY=" + $env:IMAGE_TAG_NAME + "-" + $env:BRANCH_NAME + "-" + $env:IMAGE_TAG_DATE + "-" + $env:COMMIT_SHA) >> $env:GITHUB_ENV - - name: Checkout-code - uses: actions/checkout@v2 - - name: Show-versions-On-build-machine - run: systeminfo && go version && docker version - - name: Build-source-code - run: cd ./build/windows/ && & .\Makefile.ps1 - - name: Create-docker-image - run: | - cd ./kubernetes/windows/ && docker build . --file Dockerfile -t $env:IMAGETAG --build-arg WINDOWS_VERSION=ltsc2019 --build-arg IMAGE_TAG=$env:IMAGETAG_TELEMETRY - - name: List-docker-images - run: docker images --digests --all - diff --git a/.pipelines/azure_pipeline_dev.yaml b/.pipelines/azure_pipeline_dev.yaml index c4723e8e1..9147501ba 100644 --- a/.pipelines/azure_pipeline_dev.yaml +++ b/.pipelines/azure_pipeline_dev.yaml @@ -95,7 +95,7 @@ jobs: steps: - task: AzureCLI@2 - displayName: "Docker multi-arch linux build" + displayName: "Multi-arch Linux build and Vulnerability Scan" inputs: azureSubscription: ${{ variables.armServiceConnectionName }} scriptType: bash @@ -120,8 +120,16 @@ jobs: docker pull ${{ variables.repoImageName }}:$(linuxImagetag) else docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg IMAGE_TAG=$(linuxImagetag) . + + # load the multi-arch image to run tests + docker buildx build --tag ${{ variables.repoImageName }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --build-arg IMAGE_TAG=$(linuxImagetag) --load . fi + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + + trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 ${{ variables.repoImageName }}:$(linuxImagetag) + + - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 displayName: 'Generation Task' condition: eq(variables.IS_PR, true) diff --git a/.pipelines/azure_pipeline_prod.yaml b/.pipelines/azure_pipeline_prod.yaml index 8239a7058..5e22bdd3b 100644 --- a/.pipelines/azure_pipeline_prod.yaml +++ b/.pipelines/azure_pipeline_prod.yaml @@ -99,7 +99,7 @@ jobs: steps: - task: AzureCLI@2 - displayName: "Docker multi-arch linux build" + displayName: "Multi-arch Linux build and Vulnerability Scan" inputs: azureSubscription: ${{ variables.armServiceConnectionName }} scriptType: bash @@ -124,8 +124,14 @@ jobs: docker pull ${{ variables.repoImageNameLinux }}:$(linuxImagetag) else docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageNameLinux }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json . + + # load the multi-arch image to run tests + docker buildx build --tag ${{ variables.repoImageNameLinux }}:$(linuxImagetag) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --load . fi + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + + trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 ${{ variables.repoImageNameLinux }}:$(linuxImagetag) - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 displayName: 'Generation Task'