From f748378d71571b367318e725ab4ac7e565dc3a5c Mon Sep 17 00:00:00 2001
From: Yeshwanth D Gunasekaran
Date: Wed, 6 Sep 2023 12:29:55 -0400
Subject: [PATCH] Add a on push action which runs aactl (#114)
* Add github action usage example and readme file, tested and works
* Remove trailing space from action example
---
 examples/github-actions/README.md | 19 ++++-------
 examples/github-actions/on-push.yaml | 49 ++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 12 deletions(-)
 create mode 100644 examples/github-actions/on-push.yaml
diff --git a/examples/github-actions/README.md b/examples/github-actions/README.md
index 06d71045..62569126 100644
--- a/examples/github-actions/README.md
+++ b/examples/github-actions/README.md
@@ -1,28 +1,23 @@
 # aactl as builder in GitHub Actions (GHA)
-In addition to being used as a CLI, `aactl` can also be used as a builder.
+In addition to being used as a CLI, `aactl` can also be used as a github action.
 ## inputs
 * `project` - (required) GCP Project ID
-* `digest` - (required) Image digest
+* `source` - (required) Full image path with tag or digest
 * `file` - (required) Path to the vulnerability file
-* `format` - (required) Format of the vulnerability file
 ## usage
 Below example, shows how to import vulnerabilities from previously generated report.
-> Make sure to use the latest tag release from [here](https://github.com/GoogleCloudPlatform/aactl/releases)
 ```yaml
-uses: GoogleCloudPlatform/aactl@v0.3.4`
-with:
- type: vulnerability
- project: ${{ env.PROJECT_ID }}
- digest: ${{ steps.build.outputs.digest }}
- file: ${{ steps.scan.outputs.output }}
- format: ${{ steps.scan.outputs.format }}
+ - name: 'Run aactl'
+ uses: docker://gcr.io/cloud-builders/aactl:latest
+ with:
+ args: vuln --project ${{ env.PROJECT_ID }} --source ${{ env.IMAGE_ID }} --file ${{ steps.scan.outputs.output }}
 ```
-> Fully working example can be found in [.github/workflows/import.yaml](../../.github/workflows/import.yaml).
+> Fully working example can be found in [on-push.yaml](on-push.yaml).
diff --git a/examples/github-actions/on-push.yaml b/examples/github-actions/on-push.yaml
new file mode 100644
index 00000000..5da3389c
--- /dev/null
+++ b/examples/github-actions/on-push.yaml
@@ -0,0 +1,49 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: on-push
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ aactl:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+ runs-on: 'ubuntu-latest'
+ steps:
+ - name: 'Checkout Code'
+ uses: 'actions/checkout@v3.5.3'
+
+ # Look at https://github.com/google-github-actions/auth
+ # on how to setup Google Auth Github Action.
+ # Look at https://github.com/google-github-actions/auth#setting-up-workload-identity-federation
+ # on how to setup Workload Identity federation.
+ # Make sure the service account
+ # @.iam.gserviceaccount.com has roles/containeranalysis.admin.
+ - name: 'Authenticate to Google Cloud'
+ uses: 'google-github-actions/auth@v1'
+ with:
+ workload_identity_provider: 'projects/PROJECT_ID/locations/global/workloadIdentityPools//providers/'
+ service_account: '@.iam.gserviceaccount.com'
+
+ - name: 'Run aactl'
+ uses: docker://gcr.io/cloud-builders/aactl:latest
+ with:
+ args: vuln --project ${{ env.PROJECT_ID }} --source ${{ env.IMAGE_ID }} --file ${{ steps.scan.outputs.output }}
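Review bot: The `Run aactl` step at the end of the hunk pulls `docker://gcr.io/cloud-builders/aactl:latest`, a mutable tag, so the container that runs with the Workload Identity-federated credentials obtained by the preceding auth step (`id-token: 'write'`, a service account the comment says needs `roles/containeranalysis.admin`) can change between runs without any change to this file; pin it by digest, e.g. `uses: docker://gcr.io/cloud-builders/aactl@sha256:<IMAGE_DIGEST>` (placeholder), and consider commit-SHA pins for `google-github-actions/auth@v1` and `actions/checkout@v3.5.3`, which are pinned only to tags. The same step reads `env.PROJECT_ID`, `env.IMAGE_ID` and `steps.scan.outputs.output`, none of which the workflow defines — there is no `env:` block and no step with `id: scan` — so the example does not run as committed; either add an `env:` stanza and a scan step or state in a comment that they must be supplied. The `pull_request` trigger on `main` together with `id-token: 'write'` presumably will not work for pull requests from forks, where no OIDC token is issued, which is worth a comment next to the trigger if forks are expected.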