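# Lints the SDK Dockerfile and builds + vulnerability-scans the SDK container
# image for pushes/PRs that touch the SDK, its Dockerfiles or its dependency
# lockfiles. Both jobs are restricted to the upstream repository.
name: 'SDK: Container Checks'

on:
  push:
    branches:
      - 'master'
      - 'v5.*'
    paths:
      - 'prowler/**'
      - 'Dockerfile*'
      - 'pyproject.toml'
      - 'uv.lock'
      - '.github/workflows/sdk-container-checks.yml'
  pull_request:
    branches:
      - 'master'
      - 'v5.*'
    paths:
      - 'prowler/**'
      - 'Dockerfile*'
      - 'pyproject.toml'
      - 'uv.lock'
      - '.github/workflows/sdk-container-checks.yml'

# One run per workflow + ref; a newer push supersedes an in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  IMAGE_NAME: prowler

# Default-deny for GITHUB_TOKEN; each job grants only the scopes it needs.
permissions: {}

jobs:
  sdk-dockerfile-lint:
    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          # Egress allowlist: any runner outbound connection not listed below is blocked.
          egress-policy: block
          allowed-endpoints: >
            github.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      # Only the root Dockerfile is checked here, even though the workflow
      # triggers on any 'Dockerfile*' path; other Dockerfile variants are not linted.
      - name: Check if Dockerfile changed
        id: dockerfile-changed
        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: Dockerfile

      - name: Lint Dockerfile with Hadolint
        if: steps.dockerfile-changed.outputs.any_changed == 'true'
        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
        with:
          dockerfile: Dockerfile
          # DL3013 is hadolint's "pin versions in pip" rule; it is suppressed,
          # so unpinned pip installs in the Dockerfile are not reported by this job.
          ignore: DL3013

  sdk-container-build-and-scan:
    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
      # The two write scopes are presumably consumed by the local trivy-scan
      # action (SARIF upload / PR comment) — confirm in .github/actions/trivy-scan.
      # On pull_request runs from forks GITHUB_TOKEN is read-only regardless
      # of what is requested here.
      security-events: write
      pull-requests: write

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          # Egress allowlist covering GitHub, Docker Hub image pulls, Debian apt
          # mirrors, PyPI, PowerShell Gallery and the Trivy release/DB endpoints.
          # The single plain-HTTP entry (debian.map.fastlydns.net:80) is the apt
          # mirror; apt verifies its signed package indexes itself.
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
            api.github.com:443
            mirror.gcr.io:443
            check.trivy.dev:443
            debian.map.fastlydns.net:80
            release-assets.githubusercontent.com:443
            objects.githubusercontent.com:443
            pypi.org:443
            files.pythonhosted.org:443
            www.powershellgallery.com:443
            aka.ms:443
            cdn.powershellgallery.com:443
            _http._tcp.deb.debian.org:443
            powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443
            get.trivy.dev:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      # Everything in the repo except the ignored paths counts as an SDK change;
      # the build and scan steps below are gated on this step's any_changed output.
      - name: Check for SDK changes
        id: check-changes
        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: ./**
          files_ignore: |
            .github/**
            prowler/CHANGELOG.md
            docs/**
            permissions/**
            api/**
            ui/**
            dashboard/**
            mcp_server/**
            skills/**
            README.md
            mkdocs.yml
            .backportrc.json
            .env
            docker-compose*
            examples/**
            .gitignore
            contrib/**
            **/AGENTS.md

      - name: Set up Docker Buildx
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      # The image is built and loaded into the runner's local Docker daemon
      # only (push: false); nothing is published from this workflow.
      - name: Build SDK container
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: .
          push: false
          load: true
          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
          cache-from: type=gha
          # PRs only export the final-stage cache (min); pushes export all stages (max).
          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }}

      # Informational scan: only CRITICAL findings are considered and, per the
      # fail-on-critical input, they are reported without failing the job.
      - name: Scan SDK container with Trivy
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
          image-tag: ${{ github.sha }}
          fail-on-critical: 'false'
          severity: 'CRITICAL'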