feat(docs): add initial job to generate security reports for Apps
This commit is contained in:
parent
9dbbaf349c
commit
85f4a037be
@ -0,0 +1,109 @@
|
|||
name: "Chore: Generate Security Docs"
|
||||
|
||||
concurrency: helm-release
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
gen-sec:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: ghcr.io/truecharts/devcontainer:v3.1.1@sha256:f0ecaa533663f88346b745eb497f6f6acf63561ad88e345cd71c8280963b8c1e
|
||||
steps:
|
||||
- name: Install Kubernetes tools
|
||||
uses: yokawasa/action-setup-kube-tools@b91bb02bc122bd84ac7bbea5f25ed6b0f2ec6275 # tag=v0.9.2
|
||||
with:
|
||||
setup-tools: |
|
||||
helmv3
|
||||
helm: "3.8.0"
|
||||
|
||||
- name: Prep Helm
|
||||
run: |
|
||||
helm repo add truecharts https://charts.truecharts.org
|
||||
helm repo add truecharts-library https://library-charts.truecharts.org
|
||||
helm repo add bitnami https://charts.bitnami.com/bitnami
|
||||
helm repo add prometheus https://prometheus-community.github.io/helm-charts
|
||||
helm repo update
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
|
||||
with:
|
||||
token: ${{ secrets.BOT_TOKEN }}
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Setting repo parent dir as safe safe.directory
|
||||
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
|
||||
with:
|
||||
fetch-depth: 1
|
||||
repository: truecharts/website
|
||||
token: ${{ secrets.BOT_TOKEN }}
|
||||
path: website
|
||||
|
||||
- name: Copy docs to website
|
||||
shell: bash
|
||||
run: |
|
||||
helm_sec_scan() {
|
||||
local chart="$1"
|
||||
local chartname="$2"
|
||||
local train="$3"
|
||||
echo "Scanning helm security for ${chartname}"
|
||||
mkdir -p ${chart}/render
|
||||
rm -rf website/docs/charts/${train}/${chartname}/helm-security.md | echo "removing old sec-scan.md file failed..."
|
||||
echo "# Security Scan" >> website/docs/charts/${train}/${chartname}/helm-security.md
|
||||
echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md
|
||||
echo "## Helm-Chart" >> website/docs/charts/${train}/${chartname}/helm-security.md
|
||||
echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md
|
||||
echo "##### Scan Results" >> website/docs/charts/${train}/${chartname}/helm-security.md
|
||||
echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md
|
||||
helm template ${chart} --output-dir ${chart}/render
|
||||
trivy config -f template --template "@./templates/trivy.tpl" ${chart}/render >> website/docs/charts/${train}/${chartname}/helm-security.md
|
||||
echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md
|
||||
}
|
||||
container_sec_scan() {
|
||||
local chart="$1"
|
||||
local chartname="$2"
|
||||
local train="$3"
|
||||
echo "Scanning container security for ${chartname}"
|
||||
echo "## Containers" >> website/docs/charts/${train}/${chartname}/container-security.md
|
||||
echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
|
||||
echo "##### Detected Containers" >> website/docs/charts/${train}/${chartname}/container-security.md
|
||||
echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
|
||||
find ${chart}/render/ -name '*.yaml' -type f -exec cat {} \; | grep image: | sed "s/image: //g" | sed "s/\"//g" >> ${chart}/render/containers.tmp
|
||||
cat ${chart}/render/containers.tmp >> website/docs/charts/${train}/${chartname}/container-security.md
|
||||
echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
|
||||
echo "##### Scan Results" >> website/docs/charts/${train}/${chartname}/container-security.md
|
||||
echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
|
||||
for container in $(cat ${chart}/render/containers.tmp); do
|
||||
echo "**Container: ${container}**" >> website/docs/charts/${train}/${chartname}/container-security.md
|
||||
echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
|
||||
ghcrcont=$(echo ${container} | sed "s/tccr.io/ghcr.io/g")
|
||||
trivy image -f template --template "@./templates/trivy.tpl" ${ghcrcont} >> website/docs/charts/${train}/${chartname}/container-security.md
|
||||
echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
|
||||
done
|
||||
|
||||
}
|
||||
for train in stable SCALE incubator games enterprise develop non-free deprecated dependency core; do
|
||||
for chart in charts/${train}/*; do
|
||||
if [ -d "${chart}" ]; then
|
||||
chartname="$(basename "$(dirname "$path")")"
|
||||
helm_sec_scan ${chart} ${chartname} ${train}
|
||||
#container_sec_scan ${chart} ${chartname} ${train}
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
- name: Commit Website Changes
|
||||
if: |
|
||||
steps.collect-changes.outputs.changesDetected == 'true'
|
||||
run: |
|
||||
cd website
|
||||
git config user.name "TrueCharts-Bot"
|
||||
git config user.email "bot@truecharts.org"
|
||||
git add --all
|
||||
git commit -sm "Commit released docs for TrueCharts" || exit 0
|
||||
git push
|
||||
|
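Review bot: `chartname="$(basename "$(dirname "$path")")"` in the `Copy docs to website` step reads `$path`, which nothing in this script sets, so `chartname` resolves to `.` and every chart in a train appends its results to the same `website/docs/charts/${train}/./helm-security.md` rather than a per-chart file; the loop variable is `chart`, so this should read `chartname="$(basename "${chart}")"`. The `Commit Website Changes` step is gated on `steps.collect-changes.outputs.changesDetected == 'true'`, but none of the steps in this hunk carries `id: collect-changes`, so as written the condition is never true and the generated docs are never pushed — either drop the `if:` (the `|| exit 0` after `git commit` already covers the no-change case) or add the step that produces that output. Separately, `rm -rf … | echo "removing old sec-scan.md file failed..."` pipes `rm` into `echo` rather than chaining with `||`, so the message prints unconditionally and the removal's exit status is discarded. The step also depends on `trivy` being available in the `devcontainer` image, which the hunk does not show; a one-line comment above the `run:` such as `# trivy and helm are expected from the devcontainer image / kube-tools step` would make that assumption visible.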