Skip to content

chore(deps): bump github/codeql-action from 1 to 3 #263

chore(deps): bump github/codeql-action from 1 to 3

chore(deps): bump github/codeql-action from 1 to 3 #263

Workflow file for this run

on: pull_request
name: PR Checks
jobs:
golanglint:
name: golang lint
runs-on: ubuntu-latest
steps:
-
uses: actions/checkout@v3
-
uses: reviewdog/action-golangci-lint@v2
with:
reporter: github-pr-review
golangci_lint_flags: "./healthcheck"
github_token: ${{ secrets.GITHUB_TOKEN }}
dockerfilelint:
name: dockerfile lint
runs-on: ubuntu-latest
steps:
-
uses: actions/checkout@v3
-
name: hadolint
uses: burdzwastaken/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
HADOLINT_ACTION_DOCKERFILE_FOLDER: .
dockerbuild:
name: docker build
runs-on: ubuntu-latest
steps:
-
uses: actions/checkout@v3
-
name: extract tag
id: vars
run: echo ::set-output name=redis_version::$(grep '^FROM redis' Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
-
name: docker build
run: docker build . --file Dockerfile --tag image:${{ steps.vars.outputs.redis_version }}
-
name: save docker image for cache
run: mkdir -p image/ && docker save -o image/image.tar image:${{ steps.vars.outputs.redis_version }}
-
name: cache docker image
uses: actions/[email protected]
with:
path: image/
key: ${{ runner.os }}-docker-${{ github.sha }}
dockerscan:
name: docker security scan
runs-on: ubuntu-latest
needs: dockerbuild
steps:
-
uses: actions/checkout@v3
-
name: extract tag
id: vars
run: echo ::set-output name=redis_version::$(grep '^FROM redis' Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
-
name: load cached docker image
uses: actions/[email protected]
with:
path: image/
key: ${{ runner.os }}-docker-${{ github.sha }}
-
name: load cached docker container
run: docker load -i image/image.tar
-
name: cached scan db
uses: actions/[email protected]
with:
path: vulndb/
key: trivy-vulndb
-
name: Run vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: image:${{ steps.vars.outputs.redis_version }}
format: table
exit-code: 1
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
goscan:
name: Go Scan
runs-on: ubuntu-latest
steps:
-
uses: actions/checkout@v3
-
name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: go
-
name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3