Skip to content

Build, Scan & Test Containers

uses: huntridge-labs/argus/.github/workflows/build-containers.yml@1.8.1

Pipeline

5 jobs (2 matrix) ยท scroll to zoom ยท drag to pan

Triggers

  • Pull request
  • Push
  • Manual dispatch

Permissions

Scope Access
contents read
security-events write
pull-requests write
packages read

Jobs

matrix โ€” Resolve image matrix

Runs on: ubuntu-latest ยท Timeout: 5 minutes ยท Condition: github.event_name != 'push' || !startsWith(github.event.head_commit.message, 'chore(release):')

Steps:

  1. Checkout โ€” actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
  2. Build matrix from argus.yml

build โ€” Build Images

Runs on: ubuntu-latest ยท Timeout: 15 minutes ยท Depends on: matrix ยท Condition: github.event_name != 'push' || !startsWith(github.event.head_commit.message, 'chore(release):')

Steps:

  1. Checkout โ€” actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
  2. Build image
  3. Save image to artifact
  4. Upload image artifact โ€” actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a

scan โ€” Scan ${{ matrix.image }}

Runs on: ubuntu-latest ยท Timeout: 15 minutes ยท Depends on: matrix, build ยท Condition: github.event_name != 'push' || !startsWith(github.event.head_commit.message, 'chore(release):')

Steps:

  1. Download image artifact โ€” actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  2. Load image
  3. Checkout (for argus SDK) โ€” actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
  4. Set up Python โ€” actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1
  5. Install Argus SDK
  6. Scan with Trivy (SARIF) โ€” aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25
  7. Upload Trivy SARIF โ€” github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a
  8. Scan with Grype โ€” anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2
  9. Scan with Trivy (JSON) โ€” aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25
  10. Generate report with Argus
  11. Upload scan artifacts โ€” actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a

test-cli โ€” Test Argus CLI

Runs on: ubuntu-latest ยท Timeout: 15 minutes ยท Depends on: matrix, build ยท Condition: github.event_name != 'push' || !startsWith(github.event.head_commit.message, 'chore(release):')

Steps:

  1. Checkout โ€” actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
  2. Set up Python โ€” actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1
  3. Build and install Argus wheel
  4. Download all image artifacts โ€” actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  5. Load and retag images
  6. Package safety check
  7. Verify wheel installation
  8. Run argus scan
  9. Resolve latest run directory
  10. Verify outputs
  11. Validate SARIF
  12. Validate JSON results
  13. Validate audit trail
  14. Validate output-vars
  15. Upload test results โ€” actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a

comment-pr โ€” Container Scan Summary

Runs on: ubuntu-latest ยท Depends on: scan, test-cli

Steps:

  1. Checkout (for comment-pr action) โ€” actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
  2. Download scanner summaries โ€” actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  3. Set up Python โ€” actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1
  4. Install Argus SDK
  5. Combine scanner summaries
  6. Comment PR with scan results โ€” ./.github/actions/comment-pr