This repository contains a CI/CD pipeline configured with GitHub Actions. It covers the following stages:
- Running Unit Tests
- Building and Pushing Docker Images
- Security Scanning with Aqua Enterprise Scanner (Trivy)
  - Scan results are uploaded as artifacts
  - The image is scanned against Aqua's Golden Image Policy
  - Failed scans will fail the build
  - Passed scans will continue the build, and a notification is sent to Teams (see the next steps)
- Assigning Tasks
  - Tasks are assigned to product teams based on scan results
- Notifying Teams
  - Teams is notified with the scan results
- Generating SBOM with Aqua Supply Chain Security
  - SBOM is uploaded as an artifact
  - SBOM is uploaded to GitHub Pages
  - SBOM is uploaded to Aqua Supply Chain Security
- Signing and Verifying Docker Images
- Recording Metadata
  - Publishing metadata to GitHub Pages
- Deploying to GitHub Pages
  - Publishing metadata to GitHub Pages
- Promoting Docker Images to AWS ECR
  - image-bakery is immutable
The main workflow is defined in `.github/workflows/main.yml` and runs the following steps, grouped by job:
- Unit tests
  - Checkout code
  - Setup Node.js environment
  - Install dependencies and run tests
- Build and push
  - Checkout code
  - Docker login to GitHub Container Registry
  - Build and push Docker image
- Security scan
  - Pull Aqua Scanner
  - Run Aqua Security scan against the Docker image
  - Upload Aqua scan reports as artifacts
- Assign tasks
  - Setup Python environment
  - Run script to assign tasks
- Notify Teams
  - Download Aqua scan reports
  - Notify Teams with scan results
- SBOM
  - Generate Software Bill of Materials (SBOM) using Aqua
- Sign and verify
  - Sign the Docker image using Cosign
  - Verify the signed Docker image using Cosign
- Metadata
  - Generate and upload metadata artifacts
  - Deploy metadata to GitHub Pages
- Promote to AWS ECR
  - Pull the image from GitHub Container Registry
  - Tag and push the image to AWS ECR
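As an added illustration of the "failed scans fail the build" gate and the "assign tasks to product teams based on scan results" step above (example code written for this README, not the repository's own script), the snippet below evaluates a downloaded scan report against a severity threshold and groups the findings into per-team tasks. It assumes a simplified report layout and hypothetical team names; the JSON shape is constructed here and is not Aqua's real report schema.

```python
import json
import sys
from collections import defaultdict

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report: a simplified stand-in for the downloaded scan
# artifact, NOT Aqua's real JSON schema; finding ids are placeholders.
SAMPLE_REPORT = json.loads("""{
  "image": "ghcr.io/example/image-bakery:1.2.3",
  "vulnerabilities": [
    {"id": "EXAMPLE-0001", "severity": "critical", "package": "openssl", "type": "os", "fix_version": "3.0.8"},
    {"id": "EXAMPLE-0002", "severity": "medium", "package": "lodash", "type": "app", "fix_version": "4.17.21"},
    {"id": "EXAMPLE-0003", "severity": "low", "package": "curl", "type": "os", "fix_version": null}
  ]
}""")

def owner_for(finding, image_owner):
    # Hypothetical routing rule: OS packages come from the golden base image, so
    # they go to the platform team; app packages go to the image's product team.
    return "platform-team" if finding["type"] == "os" else image_owner

def evaluate(report, image_owner, fail_at="high"):
    """Apply the build gate and group findings into per-team tasks.
    Returns (passed, tasks): passed is False when any finding reaches the
    fail_at severity (the caller should then fail the build); tasks maps a
    team name to its findings, most severe first."""
    threshold = SEVERITY_RANK[fail_at]
    passed, tasks = True, defaultdict(list)
    for f in report["vulnerabilities"]:
        rank = SEVERITY_RANK.get(f["severity"].lower(), 0)
        blocking = rank >= threshold
        passed = passed and not blocking
        tasks[owner_for(f, image_owner)].append({
            "id": f["id"], "package": f["package"], "severity": f["severity"],
            "fix_available": f.get("fix_version") is not None, "blocking": blocking,
        })
    for items in tasks.values():
        items.sort(key=lambda t: -SEVERITY_RANK.get(t["severity"].lower(), 0))
    return passed, dict(tasks)

if __name__ == "__main__":
    ok, tasks = evaluate(SAMPLE_REPORT, image_owner="web-team")
    print(json.dumps({"passed": ok, "tasks": tasks}, indent=2))
    sys.exit(0 if ok else 1)  # a failed scan fails the build
```

Run as a step after downloading the scan artifact; a non-zero exit fails the job, and the per-team task list can feed the Teams notification step.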
The following secrets need to be configured in GitHub:
- `CI_TOKEN`: GitHub Container Registry token
- `AWS_ACCESS_KEY_ID`: AWS Access Key ID
- `AWS_SECRET_ACCESS_KEY`: AWS Secret Access Key
- `AWS_SESSION_TOKEN`: AWS Session Token
- `TEAMS_WEBHOOK_URL`: Microsoft Teams Webhook URL
- `AQUA_SERVER`: Aqua Server URL
- `AQUA_TOKEN`: Aqua Token
- `COSIGN_PRIVATE_KEY`: Cosign Private Key
- `COSIGN_PUBLIC_KEY`: Cosign Public Key
To run this pipeline, push to the `main` branch.
Our Golden Image is the high-quality, standardized output, like a bakery's signature bread. It ensures that our final Docker container maintains the same level of quality, performance, and security every time.
Aqua's scanner is integrated throughout the pipeline to ensure the code's security. By catching vulnerabilities early, we maintain the high standards of our Golden Image.
This README describes the Container Bakery/Golden Image process as implemented in this repository. You may need to adjust it based on your specific application or setup.