From 82c10ef40c772d898c0758b3a2181440fb903465 Mon Sep 17 00:00:00 2001 From: Uj5Ghare Date: Thu, 2 Apr 2026 00:14:19 +0530 Subject: [PATCH 01/11] Update Shopstack DevSecOps Pipeline for cart, user, and catalogue services --- .github/workflows/cart.yaml | 135 ++++-------------------------------- 1 file changed, 14 insertions(+), 121 deletions(-) diff --git a/.github/workflows/cart.yaml b/.github/workflows/cart.yaml index 2aec219..0a6ac82 100644 --- a/.github/workflows/cart.yaml +++ b/.github/workflows/cart.yaml @@ -1,87 +1,28 @@ # ============================================================== -# Jerney - DevSecOps CI/CD Pipeline -# ============================================================== -# Triggers on every push and pull request. -# Stages: Lint → SCA → Build → Image Scan → IaC Scan → Deploy Manifest Update +# Shopstack - DevSecOps CI/CD Pipeline # ============================================================== -name: Jerney DevSecOps Pipeline +name: Shopstack DevSecOps Pipeline on: push: - branches: ["*"] + branches: + - env/prod + - env/preprod + - env/staging + paths: + - "cart/**" pull_request: - branches: ["*"] + branches: + - env/prod + - env/preprod + - env/staging # Security: restrict default permissions to read-only permissions: contents: read -env: - DOCKER_REGISTRY: ghcr.io - BACKEND_IMAGE: ghcr.io/${{ github.repository }}/jerney-backend - FRONTEND_IMAGE: ghcr.io/${{ github.repository }}/jerney-frontend - jobs: - # ============================================================== - # STAGE 1: Linting - # ============================================================== - lint: - name: "🔍 Lint Code" - runs-on: ubuntu-latest - strategy: - matrix: - component: [backend, frontend] - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: "20" - cache: "npm" - cache-dependency-path: "${{ matrix.component }}/package-lock.json" - - - name: Install dependencies - working-directory: ${{ matrix.component }} - run: npm ci - - - name: Run ESLint - working-directory: ${{ matrix.component }} - run: npm run lint - - # ============================================================== - # STAGE 2: Software Composition Analysis (SCA) — Dependency Audit - # ============================================================== - sca: - name: "🛡️ Dependency Audit" - runs-on: ubuntu-latest - needs: lint - strategy: - matrix: - component: [backend, frontend] - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: "20" - cache: "npm" - cache-dependency-path: "${{ matrix.component }}/package-lock.json" - - - name: Install dependencies - working-directory: ${{ matrix.component }} - run: npm ci - - # npm audit for known vulnerabilities (fail on high/critical) - - name: npm audit - working-directory: ${{ matrix.component }} - run: npm audit --audit-level=high || true - # `|| true` to not fail on moderate — adjust in prod - # ============================================================== # STAGE 3: Build & Push Container Images # ============================================================== @@ -94,7 +35,7 @@ jobs: packages: write # Needed to push to GHCR strategy: matrix: - component: [backend, frontend] + component: [cart, user, catalogue] outputs: image_tag: ${{ steps.meta.outputs.version }} steps: @@ -115,7 +56,7 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: ghcr.io/${{ github.repository }}/jerney-${{ matrix.component }} + images: ghcr.io/shopstack/shopstack-${{ matrix.component }} tags: | type=sha,prefix= type=ref,event=branch @@ -134,51 +75,3 @@ jobs: # Security: provenance and SBOM provenance: true sbom: true - - # ============================================================== - # STAGE 4: Container Image Scanning (Trivy) - # ============================================================== - image-scan: - name: "🔬 Scan ${{ matrix.component }} Image" - runs-on: ubuntu-latest - needs: build - strategy: - matrix: - component: [backend, frontend] - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Build image for scanning - run: | - docker build -t jerney-${{ matrix.component }}:scan ./${{ matrix.component }} - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: "jerney-${{ matrix.component }}:scan" - format: "table" - exit-code: "1" - ignore-unfixed: true - vuln-type: "os,library" - severity: "CRITICAL,HIGH" - timeout: "10m" - - # ============================================================== - # STAGE 6: Dockerfile Lint (Hadolint) - # ============================================================== - dockerfile-lint: - name: "📋 Dockerfile Lint" - runs-on: ubuntu-latest - strategy: - matrix: - component: [backend, frontend] - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Hadolint - uses: hadolint/hadolint-action@v3.1.0 - with: - dockerfile: ${{ matrix.component }}/Dockerfile - failure-threshold: warning \ No newline at end of file From 8740e58ec683db1318b49d2d0af8d6bb56727340 Mon Sep 17 00:00:00 2001 From: Uj5Ghare Date: Thu, 2 Apr 2026 00:15:23 +0530 Subject: [PATCH 02/11] Remove sca dependency from build job --- .github/workflows/cart.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/cart.yaml b/.github/workflows/cart.yaml index 0a6ac82..5c5c7ea 100644 --- a/.github/workflows/cart.yaml +++ b/.github/workflows/cart.yaml @@ -29,7 +29,6 @@ jobs: build: name: "🐳 Build ${{ matrix.component }}" runs-on: ubuntu-latest - needs: sca permissions: contents: read packages: write # Needed to push to GHCR From 64f9a1160789c05a8f6eeb636db0e9cc5975146b Mon Sep 17 00:00:00 2001 From: Uj5Ghare Date: Thu, 2 Apr 2026 00:20:44 +0530 Subject: [PATCH 03/11] Fix workflow path triggers and image registry path --- .github/workflows/cart.yaml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/cart.yaml b/.github/workflows/cart.yaml index 5c5c7ea..c36a56d 100644 --- a/.github/workflows/cart.yaml +++ b/.github/workflows/cart.yaml @@ -12,20 +12,25 @@ on: - env/staging paths: - "cart/**" + - "user/**" + - "catalogue/**" + - ".github/workflows/cart.yaml" pull_request: branches: - env/prod - env/preprod - env/staging + paths: + - "cart/**" + - "user/**" + - "catalogue/**" + - ".github/workflows/cart.yaml" # Security: restrict default permissions to read-only permissions: contents: read jobs: - # ============================================================== - # STAGE 3: Build & Push Container Images - # ============================================================== build: name: "🐳 Build ${{ matrix.component }}" runs-on: ubuntu-latest @@ -55,7 +60,7 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: ghcr.io/shopstack/shopstack-${{ matrix.component }} + images: ghcr.io/${{ github.repository_owner }}/shopstack-${{ matrix.component }} tags: | type=sha,prefix= type=ref,event=branch From 9666013e4b605780a6c1732a78879477cdac98aa Mon Sep 17 00:00:00 2001 From: Uj5Ghare Date: Thu, 2 Apr 2026 00:25:58 +0530 Subject: [PATCH 04/11] Trigger CI/CD: test cart service build --- cart/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cart/Dockerfile b/cart/Dockerfile index 51cb07a..d48940e 100644 --- a/cart/Dockerfile +++ b/cart/Dockerfile @@ -12,4 +12,4 @@ RUN npm install && npm cache clean --force COPY server.js /opt/server/ -CMD ["node", "server.js"] \ No newline at end of file +CMD ["node", "server.js"] From 5b46b7a6fcdb399c20fe133bfd7e93e4f4781395 Mon Sep 17 00:00:00 2001 From: Uj5Ghare Date: Thu, 2 Apr 2026 00:28:10 +0530 Subject: [PATCH 05/11] Update workflow to test cart service specifically --- .github/workflows/cart.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/cart.yaml b/.github/workflows/cart.yaml index c36a56d..146325e 100644 --- a/.github/workflows/cart.yaml +++ b/.github/workflows/cart.yaml @@ -12,8 +12,6 @@ on: - env/staging paths: - "cart/**" - - "user/**" - - "catalogue/**" - ".github/workflows/cart.yaml" pull_request: branches: @@ -22,8 +20,6 @@ on: - env/staging paths: - "cart/**" - - "user/**" - - "catalogue/**" - ".github/workflows/cart.yaml" # Security: restrict default permissions to read-only @@ -39,7 +35,7 @@ jobs: packages: write # Needed to push to GHCR strategy: matrix: - component: [cart, user, catalogue] + component: [cart] outputs: image_tag: ${{ steps.meta.outputs.version }} steps: From bf571e5ce6143d2b02482b09bc49b514ae2756fb Mon Sep 17 00:00:00 2001 From: Uj5Ghare Date: Thu, 2 Apr 2026 00:31:10 +0530 Subject: [PATCH 06/11] Update GHCR image path to include shopstack namespace --- .github/workflows/cart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cart.yaml b/.github/workflows/cart.yaml index 146325e..727d985 100644 --- a/.github/workflows/cart.yaml +++ b/.github/workflows/cart.yaml @@ -56,7 +56,7 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: ghcr.io/${{ github.repository_owner }}/shopstack-${{ matrix.component }} + images: ghcr.io/${{ github.repository_owner }}/shopstack/shopstack-${{ matrix.component }} tags: | type=sha,prefix= type=ref,event=branch From f6ebbdfc385fadd5da73aead7f82ecb546818e44 Mon Sep 17 00:00:00 2001 From: Uj5Ghare Date: Thu, 2 Apr 2026 00:45:54 +0530 Subject: [PATCH 07/11] Refactor workflow to use env variables and add scan/lint stages --- .github/workflows/cart.yaml | 53 +++++++++++++++++++++++++++++++++++-- 1 file changed, 51 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cart.yaml b/.github/workflows/cart.yaml index 727d985..13fce07 100644 --- a/.github/workflows/cart.yaml +++ b/.github/workflows/cart.yaml @@ -26,7 +26,13 @@ on: permissions: contents: read +env: + SERVICE: "cart" + PROJECT: "shopstack" + ENV: "staging" + jobs: + build: name: "🐳 Build ${{ matrix.component }}" runs-on: ubuntu-latest @@ -35,7 +41,7 @@ jobs: packages: write # Needed to push to GHCR strategy: matrix: - component: [cart] + component: [${{ env.SERVICE }}] outputs: image_tag: ${{ steps.meta.outputs.version }} steps: @@ -56,7 +62,7 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: ghcr.io/${{ github.repository_owner }}/shopstack/shopstack-${{ matrix.component }} + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} tags: | type=sha,prefix= type=ref,event=branch @@ -75,3 +81,46 @@ jobs: # Security: provenance and SBOM provenance: true sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: [${{ env.SERVICE }}] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: [${{ env.SERVICE }}] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file From c5e2b06e765878484e0dad9c2cea1796cc1c21a7 Mon Sep 17 00:00:00 2001 From: Uj5Ghare Date: Thu, 2 Apr 2026 00:50:43 +0530 Subject: [PATCH 08/11] Fix matrix syntax by using service list --- .github/workflows/cart.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cart.yaml b/.github/workflows/cart.yaml index 13fce07..bccd67c 100644 --- a/.github/workflows/cart.yaml +++ b/.github/workflows/cart.yaml @@ -41,7 +41,7 @@ jobs: packages: write # Needed to push to GHCR strategy: matrix: - component: [${{ env.SERVICE }}] + component: ${{ env.SERVICE }} outputs: image_tag: ${{ steps.meta.outputs.version }} steps: @@ -89,7 +89,7 @@ jobs: needs: build strategy: matrix: - component: [${{ env.SERVICE }}] + component: ${{ env.SERVICE }} steps: - name: Checkout code uses: actions/checkout@v4 @@ -114,7 +114,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - component: [${{ env.SERVICE }}] + component: ${{ env.SERVICE }} steps: - name: Checkout code uses: actions/checkout@v4 From 0883062aa490bf7342dc2a1e286e704e0fa92676 Mon Sep 17 00:00:00 2001 From: Uj5Ghare Date: Thu, 2 Apr 2026 00:54:33 +0530 Subject: [PATCH 09/11] Fix matrix syntax errors in all jobs --- .github/workflows/cart.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cart.yaml b/.github/workflows/cart.yaml index bccd67c..ff96f2f 100644 --- a/.github/workflows/cart.yaml +++ b/.github/workflows/cart.yaml @@ -41,7 +41,7 @@ jobs: packages: write # Needed to push to GHCR strategy: matrix: - component: ${{ env.SERVICE }} + component: ["cart"] outputs: image_tag: ${{ steps.meta.outputs.version }} steps: @@ -89,7 +89,7 @@ jobs: needs: build strategy: matrix: - component: ${{ env.SERVICE }} + component: ["cart"] steps: - name: Checkout code uses: actions/checkout@v4 @@ -114,7 +114,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - component: ${{ env.SERVICE }} + component: ["cart"] steps: - name: Checkout code uses: actions/checkout@v4 From 106cb7e1d0703ea1e9c9dc42b1e4bc2deac52817 Mon Sep 17 00:00:00 2001 From: Uj5Ghare Date: Thu, 2 Apr 2026 00:56:03 +0530 Subject: [PATCH 10/11] Refactor workflow to use SERVICE env variable throughout --- .github/workflows/cart.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/cart.yaml b/.github/workflows/cart.yaml index ff96f2f..99ecdd3 100644 --- a/.github/workflows/cart.yaml +++ b/.github/workflows/cart.yaml @@ -11,7 +11,7 @@ on: - env/preprod - env/staging paths: - - "cart/**" + - "${{ env.SERVICE }}/**" - ".github/workflows/cart.yaml" pull_request: branches: @@ -19,7 +19,7 @@ on: - env/preprod - env/staging paths: - - "cart/**" + - "${{ env.SERVICE }}/**" - ".github/workflows/cart.yaml" # Security: restrict default permissions to read-only @@ -34,14 +34,14 @@ env: jobs: build: - name: "🐳 Build ${{ matrix.component }}" + name: "🐳 Build ${{ env.SERVICE }}" runs-on: ubuntu-latest permissions: contents: read packages: write # Needed to push to GHCR strategy: matrix: - component: ["cart"] + component: ["${{ env.SERVICE }}"] outputs: image_tag: ${{ steps.meta.outputs.version }} steps: @@ -84,12 +84,12 @@ jobs: image-scan: - name: "🔬 Scan ${{ matrix.component }} Image" + name: "🔬 Scan ${{ env.SERVICE }} Image" runs-on: ubuntu-latest needs: build strategy: matrix: - component: ["cart"] + component: ["${{ env.SERVICE }}"] steps: - name: Checkout code uses: actions/checkout@v4 @@ -114,7 +114,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - component: ["cart"] + component: ["${{ env.SERVICE }}"] steps: - name: Checkout code uses: actions/checkout@v4 From 6dfedcdc9caa674cc37fca086bf5eeaf20d371a7 Mon Sep 17 00:00:00 2001 From: Uj5Ghare Date: Thu, 2 Apr 2026 22:52:33 +0530 Subject: [PATCH 11/11] Add individual CI/CD workflows for all microservices --- .github/workflows/cart.yaml | 20 ++---- .github/workflows/catalogue.yaml | 120 +++++++++++++++++++++++++++++++ .github/workflows/dispatch.yaml | 120 +++++++++++++++++++++++++++++++ .github/workflows/mongo.yaml | 120 +++++++++++++++++++++++++++++++ .github/workflows/mysql.yaml | 120 +++++++++++++++++++++++++++++++ .github/workflows/payment.yaml | 120 +++++++++++++++++++++++++++++++ .github/workflows/ratings.yaml | 120 +++++++++++++++++++++++++++++++ .github/workflows/shipping.yaml | 120 +++++++++++++++++++++++++++++++ .github/workflows/user.yaml | 120 +++++++++++++++++++++++++++++++ .github/workflows/web.yaml | 120 +++++++++++++++++++++++++++++++ 10 files changed, 1087 insertions(+), 13 deletions(-) create mode 100644 .github/workflows/catalogue.yaml create mode 100644 .github/workflows/dispatch.yaml create mode 100644 .github/workflows/mongo.yaml create mode 100644 .github/workflows/mysql.yaml create mode 100644 .github/workflows/payment.yaml create mode 100644 .github/workflows/ratings.yaml create mode 100644 .github/workflows/shipping.yaml create mode 100644 .github/workflows/user.yaml create mode 100644 .github/workflows/web.yaml diff --git a/.github/workflows/cart.yaml b/.github/workflows/cart.yaml index 99ecdd3..552f623 100644 --- a/.github/workflows/cart.yaml +++ b/.github/workflows/cart.yaml @@ -8,18 +8,14 @@ on: push: branches: - env/prod - - env/preprod - - env/staging paths: - - "${{ env.SERVICE }}/**" + - "cart/**" - ".github/workflows/cart.yaml" pull_request: branches: - env/prod - - env/preprod - - env/staging paths: - - "${{ env.SERVICE }}/**" + - "cart/**" - ".github/workflows/cart.yaml" # Security: restrict default permissions to read-only @@ -27,21 +23,19 @@ permissions: contents: read env: - SERVICE: "cart" PROJECT: "shopstack" ENV: "staging" jobs: - build: - name: "🐳 Build ${{ env.SERVICE }}" + name: "🐳 Build ${{ matrix.component }}" runs-on: ubuntu-latest permissions: contents: read packages: write # Needed to push to GHCR strategy: matrix: - component: ["${{ env.SERVICE }}"] + component: ["cart"] outputs: image_tag: ${{ steps.meta.outputs.version }} steps: @@ -84,12 +78,12 @@ jobs: image-scan: - name: "🔬 Scan ${{ env.SERVICE }} Image" + name: "🔬 Scan ${{ matrix.component }} Image" runs-on: ubuntu-latest needs: build strategy: matrix: - component: ["${{ env.SERVICE }}"] + component: ["cart"] steps: - name: Checkout code uses: actions/checkout@v4 @@ -114,7 +108,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - component: ["${{ env.SERVICE }}"] + component: ["cart"] steps: - name: Checkout code uses: actions/checkout@v4 diff --git a/.github/workflows/catalogue.yaml b/.github/workflows/catalogue.yaml new file mode 100644 index 0000000..f0cf50b --- /dev/null +++ b/.github/workflows/catalogue.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "catalogue/**" + - ".github/workflows/catalogue.yaml" + pull_request: + branches: + - env/prod + paths: + - "catalogue/**" + - ".github/workflows/catalogue.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["catalogue"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["catalogue"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["catalogue"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/dispatch.yaml b/.github/workflows/dispatch.yaml new file mode 100644 index 0000000..e9b1453 --- /dev/null +++ b/.github/workflows/dispatch.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "dispatch/**" + - ".github/workflows/dispatch.yaml" + pull_request: + branches: + - env/prod + paths: + - "dispatch/**" + - ".github/workflows/dispatch.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["dispatch"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["dispatch"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["dispatch"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/mongo.yaml b/.github/workflows/mongo.yaml new file mode 100644 index 0000000..fcb8e00 --- /dev/null +++ b/.github/workflows/mongo.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "mongo/**" + - ".github/workflows/mongo.yaml" + pull_request: + branches: + - env/prod + paths: + - "mongo/**" + - ".github/workflows/mongo.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["mongo"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["mongo"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["mongo"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/mysql.yaml b/.github/workflows/mysql.yaml new file mode 100644 index 0000000..1e24a7e --- /dev/null +++ b/.github/workflows/mysql.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "mysql/**" + - ".github/workflows/mysql.yaml" + pull_request: + branches: + - env/prod + paths: + - "mysql/**" + - ".github/workflows/mysql.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["mysql"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["mysql"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["mysql"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/payment.yaml b/.github/workflows/payment.yaml new file mode 100644 index 0000000..6a89aff --- /dev/null +++ b/.github/workflows/payment.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "payment/**" + - ".github/workflows/payment.yaml" + pull_request: + branches: + - env/prod + paths: + - "payment/**" + - ".github/workflows/payment.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["payment"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["payment"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["payment"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/ratings.yaml b/.github/workflows/ratings.yaml new file mode 100644 index 0000000..ce27f99 --- /dev/null +++ b/.github/workflows/ratings.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "ratings/**" + - ".github/workflows/ratings.yaml" + pull_request: + branches: + - env/prod + paths: + - "ratings/**" + - ".github/workflows/ratings.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["ratings"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["ratings"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["ratings"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/shipping.yaml b/.github/workflows/shipping.yaml new file mode 100644 index 0000000..5c51b2c --- /dev/null +++ b/.github/workflows/shipping.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "shipping/**" + - ".github/workflows/shipping.yaml" + pull_request: + branches: + - env/prod + paths: + - "shipping/**" + - ".github/workflows/shipping.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["shipping"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["shipping"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["shipping"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/user.yaml b/.github/workflows/user.yaml new file mode 100644 index 0000000..9a15e05 --- /dev/null +++ b/.github/workflows/user.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "user/**" + - ".github/workflows/user.yaml" + pull_request: + branches: + - env/prod + paths: + - "user/**" + - ".github/workflows/user.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["user"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["user"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["user"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file diff --git a/.github/workflows/web.yaml b/.github/workflows/web.yaml new file mode 100644 index 0000000..1253701 --- /dev/null +++ b/.github/workflows/web.yaml @@ -0,0 +1,120 @@ +# ============================================================== +# Shopstack - DevSecOps CI/CD Pipeline +# ============================================================== + +name: Shopstack DevSecOps Pipeline + +on: + push: + branches: + - env/prod + paths: + - "web/**" + - ".github/workflows/web.yaml" + pull_request: + branches: + - env/prod + paths: + - "web/**" + - ".github/workflows/web.yaml" + +# Security: restrict default permissions to read-only +permissions: + contents: read + +env: + PROJECT: "shopstack" + ENV: "staging" + +jobs: + build: + name: "🐳 Build ${{ matrix.component }}" + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Needed to push to GHCR + strategy: + matrix: + component: ["web"] + outputs: + image_tag: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ env.ENV }}/${{ env.PROJECT }}-${{ matrix.component }} + tags: | + type=sha,prefix= + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push image + uses: docker/build-push-action@v6 + with: + context: ./${{ matrix.component }} + file: ./${{ matrix.component }}/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + # Security: provenance and SBOM + provenance: true + sbom: true + + + image-scan: + name: "🔬 Scan ${{ matrix.component }} Image" + runs-on: ubuntu-latest + needs: build + strategy: + matrix: + component: ["web"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build image for scanning + run: | + docker build -t ${{ env.PROJECT }}-${{ matrix.component }}:scan ./${{ matrix.component }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.PROJECT }}-${{ matrix.component }}:scan" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "10m" + + dockerfile-lint: + name: "📋 Dockerfile Lint" + runs-on: ubuntu-latest + strategy: + matrix: + component: ["web"] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.component }}/Dockerfile + failure-threshold: warning \ No newline at end of file