NeuRIS - Importer for migrated norms into the norms database tables

Importer for migrated norms from the migration database tables into the norms database tables.

Prerequisites

Docker for building + running the containerized application:

brew install --cask docker # or just `brew install docker` if you don't want the Desktop app

For the provided Git hooks you will need:

brew install lefthook node talisman

Git hooks

The repo contains a Lefthook configuration, providing a Git hooks setup out of the box.

To install these hooks, run:

./run.sh init

The hooks are supposed to help you to:

Container image

Container images running the application are automatically published by the pipeline to the GitHub Packages Container registry.

To run the latest published image (images are tagged with the full commit hash of the main commit that built them, so run `git fetch origin` first so that origin/main is current):

docker run "ghcr.io/digitalservicebund/ris-norms-migration-import:$(git log -1 origin/main --format='%H')"

Container images in the registry are signed by the pipeline with keyless (Sigstore) signatures. The signing certificate's identity is the pipeline workflow on main, which is why the verify command pins both that identity and the OIDC issuer; an image that does not verify against them was not produced by the pipeline on main and should not be run.

To verify an image:

cosign verify "ghcr.io/digitalservicebund/ris-norms-migration-import:$(git log -1 origin/main --format='%H')" --certificate-identity="https://github.com/digitalservicebund/ris-norms-migration-import/.github/workflows/pipeline.yml@refs/heads/main" --certificate-oidc-issuer="https://token.actions.githubusercontent.com"

If you need to push a new container image to the registry manually there are two ways to do this:

Build the image locally and push it:

IMAGE_VERSION="$(git log -1 --format='%H')"
docker build -t ghcr.io/digitalservicebund/ris-norms-migration-import:$IMAGE_VERSION .
echo [github-token] | docker login ghcr.io -u [github-user] --password-stdin
docker push ghcr.io/digitalservicebund/ris-norms-migration-import:$IMAGE_VERSION

Push an image that has already been built and tagged with the current commit hash:

echo [github-token] | docker login ghcr.io -u [github-user] --password-stdin
docker push "ghcr.io/digitalservicebund/ris-norms-migration-import:$(git log -1 --format='%H')"

Note: Make sure you're using a GitHub token with the write:packages scope for this to work. Pass the token on stdin as shown rather than as a command-line argument, so it does not end up in process listings (piping `gh auth token` into `docker login` avoids pasting it at all). Keep in mind that a manually pushed image carries neither the pipeline's signature nor its vulnerability attestation, so the cosign verify command above, which requires the pipeline's workflow identity, will reject it.

Vulnerability Scanning

Scanning container images for vulnerabilities is performed with Trivy as part of the pipeline's build job, as well as each night for the latest published image in the container repository.

To run a scan locally, install Trivy, build the image and scan it for HIGH and CRITICAL findings:

brew install aquasecurity/trivy/trivy
docker build -t ghcr.io/digitalservicebund/ris-norms-migration-import:latest .
trivy image --severity HIGH,CRITICAL ghcr.io/digitalservicebund/ris-norms-migration-import:latest

As part of the automated vulnerability scanning, Trivy produces a scan record in Cosign's vulnerability attestation format, and Cosign attaches it to the container image as an attestation, again with a keyless signature like the one on the image itself. A policy engine in the cluster can then verify the attestation and, for instance, refuse to run a container whose most recent scan is not current.
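The admission rule sketched above, as an added example that is not code from this project or its pipeline: it decodes what `cosign verify-attestation --type vuln <image>` prints (one JSON envelope per line, each with a base64 in-toto statement), picks the newest attested scan, and rejects the image if that scan is older than a maximum age or, going one step beyond the paragraph, if it still lists HIGH/CRITICAL findings. The predicate layout is assumed to be Cosign's vulnerability attestation format with Trivy's JSON report under `predicate.scanner.result`; the 24-hour limit, the sample envelopes, their digest, version and finding ID are all constructed placeholders, and the signature is not checked here because cosign has already done that before this code sees the payload.

```python
"""Admission-style check of a cosign vulnerability attestation.

Added example, not code from the ris-norms-migration-import project. Decodes
`cosign verify-attestation --type vuln` output and applies: newest scan must
be younger than MAX_AGE and must report no HIGH/CRITICAL findings. Predicate
layout follows Cosign's vuln attestation spec; sample data is constructed.
"""
import base64
import json
from datetime import datetime, timedelta, timezone

VULN_PREDICATE_TYPE = "https://cosign.sigstore.dev/attestation/vuln/v1"
MAX_AGE = timedelta(hours=24)  # assumption: a nightly scan must be younger than this


def decode_verify_output(output):
    """Turn cosign verify-attestation output lines into in-toto statement dicts."""
    statements = []
    for line in output.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != "application/vnd.in-toto+json":
            continue
        statements.append(json.loads(base64.b64decode(envelope["payload"])))
    return statements


def count_findings(statement, severities=("HIGH", "CRITICAL")):
    """Count Trivy findings of the given severities in the attested scanner result."""
    result = statement["predicate"]["scanner"].get("result") or {}
    return sum(
        1
        for target in result.get("Results") or []
        for vuln in target.get("Vulnerabilities") or []
        if vuln.get("Severity") in severities
    )


def parse_time(value):
    """Parse the RFC 3339 timestamps of the predicate's metadata (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate(output, now, max_age=MAX_AGE):
    """Return (allowed, reason) for the image whose attestations are in `output`."""
    statements = [
        s for s in decode_verify_output(output)
        if s.get("predicateType") == VULN_PREDICATE_TYPE
    ]
    if not statements:
        return False, "no vulnerability attestation present"
    # The nightly job attaches a fresh attestation each time; judge only the newest scan.
    newest = max(statements, key=lambda s: parse_time(s["predicate"]["metadata"]["scanFinishedOn"]))
    age = now - parse_time(newest["predicate"]["metadata"]["scanFinishedOn"])
    if age > max_age:
        return False, f"newest scan is {age} old, limit is {max_age}"
    findings = count_findings(newest)
    if findings:
        return False, f"newest scan reports {findings} HIGH/CRITICAL finding(s)"
    return True, f"newest scan is {age} old and reports no HIGH/CRITICAL findings"


# --- constructed sample data, not real pipeline output ----------------------

def make_envelope(scan_finished_on, vulnerabilities):
    """Build one verify-attestation output line around a constructed vuln statement."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": VULN_PREDICATE_TYPE,
        "subject": [{
            "name": "ghcr.io/digitalservicebund/ris-norms-migration-import",
            "digest": {"sha256": "0" * 64},  # placeholder digest
        }],
        "predicate": {
            "invocation": {"parameters": [], "uri": "", "event_id": "", "builder.id": ""},
            "scanner": {
                "uri": "pkg:github/aquasecurity/trivy",
                "version": "0.0.0",  # placeholder version
                "db": {"uri": "", "version": ""},
                "result": {"Results": [{"Target": "sample", "Vulnerabilities": vulnerabilities}]},
            },
            "metadata": {"scanStartedOn": scan_finished_on, "scanFinishedOn": scan_finished_on},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload,
                       "signatures": [{"keyid": "", "sig": "placeholder"}]})


NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
FRESH_CLEAN = make_envelope("2024-05-02T03:00:00Z", [])
STALE_CLEAN = make_envelope("2024-04-20T03:00:00Z", [])
FRESH_WITH_FINDINGS = make_envelope(
    "2024-05-02T03:00:00Z",
    [{"VulnerabilityID": "EXAMPLE-0001", "Severity": "CRITICAL"}],  # placeholder finding
)
# Two attestations on one image: the newer one decides.
STALE_THEN_FRESH = STALE_CLEAN + "\n" + FRESH_CLEAN

if __name__ == "__main__":
    for name, out in [("fresh, clean", FRESH_CLEAN), ("stale", STALE_CLEAN),
                      ("fresh, findings", FRESH_WITH_FINDINGS), ("stale then fresh", STALE_THEN_FRESH)]:
        print(f"{name:17} -> {evaluate(out, NOW)}")
```

In a real admission controller the `output` would come from running cosign with the same `--certificate-identity` and `--certificate-oidc-issuer` pins as the image verification above, so that only attestations produced by the pipeline workflow on main are considered at all.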

Slack notifications

Opt in to CI posting notifications for failing jobs to a particular Slack channel by setting a repository secret named SLACK_WEBHOOK_URL containing an Incoming Webhooks URL. Treat that URL as a credential: anyone who holds it can post to the channel.

Contributing

🇬🇧 Everyone is welcome to contribute to the development of ris-norms-migration-import. You can contribute by opening pull requests, providing documentation, answering questions or giving feedback. Please always follow the guidelines and our Code of Conduct.

🇩🇪 Everyone is warmly invited to help shape the development of ris-norms-migration-import. You can contribute by opening pull requests, extending the documentation, answering questions or giving feedback. Please always follow the guidelines and our Code of Conduct.

Code Contributions

🇬🇧 Open a pull request with your changes and it will be reviewed by someone from the team. When you submit a pull request, you declare that you have the right to license your contribution to DigitalService and the community. By submitting the patch, you agree that your contributions are licensed under the GPLv3 license.

Please make sure that your changes have been tested before submitting a pull request.

🇩🇪 After a pull request is created it will be reviewed by someone from the team. When you submit a pull request, you declare that you agree to license your contribution to DigitalService and the community. By submitting the patch, you agree that your contributions are licensed under the GPLv3 license.

Please make sure that your changes have been tested before submitting a pull request.