.github/workflows/release-build.yaml
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
# All jobs run on ubuntu-22.04; the software installed on that runner image is listed here:
# https://github.com/actions/runner-images/blob/main/images/linux/Ubuntu2204-Readme.md
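name: "Release Build"

# Runs for every GitHub release (pre-releases included) and publishes the
# container images belonging to that release to Docker Hub.
on:
  release:
    types: [released, prereleased]

# Least privilege for the automatic GITHUB_TOKEN: none of the jobs below use it
# (all pushes go to Docker Hub with the dedicated secrets), so a read-only token
# limits the blast radius if a step or one of the third-party actions is compromised.
permissions:
  contents: read

env:
  # ---- Docker Namespace ----
  # The credentials are GitHub secrets as well: DOCKER_USERNAME/DOCKER_TOKEN are
  # used for the image push (docker/login-action) and DOCKERHUB_USERNAME/
  # DOCKERHUB_PASSWORD for the Docker Hub description update
  # (peter-evans/dockerhub-description).
  DOCKER_NAMESPACE: ${{ secrets.DOCKER_NAMESPACE }}

# NOTE(review): every third-party action below is referenced by a mutable tag
# (@v3/@v4/@v5/@v4.43.1). This workflow holds registry credentials, so each
# `uses:` should be pinned to a full-length commit SHA; a retagged upstream
# release must not be able to change what runs with those secrets.
jobs: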
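# ---- Operator & Lurker ----
  operator:
    name: "Build | Operator"
    runs-on: ubuntu-22.04
    strategy:
      # Keep building the other component when one fails, but let the job
      # report the failure. The previous job-level `continue-on-error: true`
      # turned a failed build into a green run, so a release could be published
      # with an image missing from Docker Hub without anyone noticing.
      fail-fast: false
      matrix:
        component: ["operator", "lurker"]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # Image tags: `sha-<short commit sha>` plus the release version taken from
      # the git tag (`type=semver`). OCI labels come from the same step.
      - name: Docker Meta
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_NAMESPACE }}/${{ matrix.component }}
          tags: |
            type=sha
            type=semver,pattern={{version}}
      # QEMU is needed for the linux/arm64 half of the multi-arch build below.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Build and Push
        uses: docker/build-push-action@v5
        with:
          context: ./${{ matrix.component }}
          file: ./${{ matrix.component }}/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
      # Uses a second credential pair (DOCKERHUB_*) distinct from the push token.
      # NOTE(review): confirm DOCKERHUB_PASSWORD is an access token limited to
      # what this step needs rather than the Docker Hub account password.
      - name: Update Docker Hub Description
        uses: peter-evans/dockerhub-description@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
          repository: ${{ env.DOCKER_NAMESPACE }}/${{ matrix.component }}
          readme-filepath: ./${{ matrix.component }}/docs/README.DockerHub-Core.md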
# ---- AutoDiscovery ----
  # Builds and pushes the Kubernetes auto-discovery image. Unlike the matrix
  # jobs in this file it has no `continue-on-error`, so a failed build fails the
  # release run — which is the behaviour you want for a release artifact.
  auto-discovery-kubernetes:
    name: "AutoDiscovery | Kubernetes"
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # Image tags: `sha-<short commit sha>` plus the release version taken from
      # the git tag (`type=semver`). OCI labels come from the same step.
      - name: Docker Meta
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_NAMESPACE }}/auto-discovery-kubernetes
          tags: |
            type=sha
            type=semver,pattern={{version}}
      # QEMU is needed for the linux/arm64 half of the multi-arch build below.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Build and Push
        uses: docker/build-push-action@v5
        with:
          context: ./auto-discovery/kubernetes/
          file: ./auto-discovery/kubernetes/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
      # Uses a second credential pair (DOCKERHUB_*) distinct from the push token.
      # NOTE(review): confirm DOCKERHUB_PASSWORD is an access token limited to
      # what this step needs rather than the Docker Hub account password.
      - name: Update Docker Hub Description
        uses: peter-evans/dockerhub-description@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
          repository: ${{ env.DOCKER_NAMESPACE }}/auto-discovery-kubernetes
          readme-filepath: ./auto-discovery/kubernetes/docs/README.DockerHub-Core.md
# ---- AutoDiscovery | PullSecretExtractor ----
  # Builds and pushes the pull-secret-extractor helper image of the Kubernetes
  # auto-discovery. No `continue-on-error` here: a failed build fails the run.
  auto-discovery-kubernetes-pull-secret-extractor:
    name: "AutoDiscovery | Kubernetes | Pull Secret Extractor"
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # Image tags: `sha-<short commit sha>` plus the release version taken from
      # the git tag (`type=semver`). OCI labels come from the same step.
      - name: Docker Meta
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_NAMESPACE }}/auto-discovery-pull-secret-extractor
          tags: |
            type=sha
            type=semver,pattern={{version}}
      # QEMU is needed for the linux/arm64 half of the multi-arch build below.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Build and Push
        uses: docker/build-push-action@v5
        with:
          context: ./auto-discovery/kubernetes/pull-secret-extractor
          file: ./auto-discovery/kubernetes/pull-secret-extractor/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
      # Uses a second credential pair (DOCKERHUB_*) distinct from the push token.
      # NOTE(review): confirm DOCKERHUB_PASSWORD is an access token limited to
      # what this step needs rather than the Docker Hub account password.
      # The readme lives at `readme.md` here, not under `docs/` like the other
      # images — presumably intentional; verify the path exists before a release.
      - name: Update Docker Hub Description
        uses: peter-evans/dockerhub-description@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
          repository: ${{ env.DOCKER_NAMESPACE }}/auto-discovery-pull-secret-extractor
          readme-filepath: ./auto-discovery/kubernetes/pull-secret-extractor/readme.md
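# ---- SDK Matrix ----
  # Base images for the hook and parser images built further down. Those jobs
  # depend on this one (`needs: sdk`) and, judging by their build-args, pull
  # `<namespace>/<sdk>-nodejs` by the `sha-` tag pushed here, so the `type=sha`
  # tag must exist on Docker Hub before they start.
  sdk:
    name: "Build | SDKs"
    runs-on: ubuntu-22.04
    strategy:
      # Build both SDKs even if one fails, but fail the job. The previous
      # job-level `continue-on-error: true` reported a broken SDK build as
      # success, so the dependent hook/parser jobs still ran and only failed
      # later when the base image was missing.
      fail-fast: false
      matrix:
        sdk:
          - parser-sdk
          - hook-sdk
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # Image tags: `sha-<short commit sha>` plus the release version taken from
      # the git tag (`type=semver`). OCI labels come from the same step.
      - name: Docker Meta
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_NAMESPACE }}/${{ matrix.sdk }}-nodejs
          tags: |
            type=sha
            type=semver,pattern={{version}}
      # QEMU is needed for the linux/arm64 half of the multi-arch build below.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Build and Push
        uses: docker/build-push-action@v5
        with:
          context: ./${{ matrix.sdk }}/nodejs
          file: ./${{ matrix.sdk }}/nodejs/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}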
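# ---- Matrix Hooks ----
  # One image per hook. Each Dockerfile receives `namespace` and `baseImageTag`
  # as build-args, presumably to select the hook-sdk base image built by the
  # `sdk` job — hence `needs: sdk`.
  hooks:
    name: "Build | Hooks"
    needs: sdk
    runs-on: ubuntu-22.04
    strategy:
      # Keep building the other hooks when one fails, but let the job report
      # the failure. The previous job-level `continue-on-error: true` turned a
      # failed build into a green run, so a release could ship without one of
      # its hook images.
      fail-fast: false
      matrix:
        hook:
          - cascading-scans
          - finding-post-processing
          - generic-webhook
          - notification
          - persistence-elastic
          - persistence-defectdojo
          - persistence-dependencytrack
          - persistence-azure-monitor
          - update-field-hook
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # Image tags: `sha-<short commit sha>` plus the release version taken from
      # the git tag (`type=semver`). OCI labels come from the same step.
      - name: Docker Meta
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_NAMESPACE }}/hook-${{ matrix.hook }}
          tags: |
            type=sha
            type=semver,pattern={{version}}
      # QEMU is needed for the linux/arm64 half of the multi-arch build below.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      # The base image is referenced by the same short-sha tag that
      # docker/metadata-action's `type=sha` produced in the sdk job, i.e. the
      # first seven characters of github.sha. Take them from GITHUB_SHA directly
      # rather than from `git rev-parse --short HEAD`, whose length follows
      # git's core.abbrev heuristic and is not guaranteed to be seven.
      - name: Set baseImageTag to commit hash
        run: |
          echo "baseImageTag=sha-${GITHUB_SHA::7}" >> "$GITHUB_ENV"
      - name: Build and Push
        uses: docker/build-push-action@v5
        with:
          context: ./hooks/${{ matrix.hook }}/hook
          file: ./hooks/${{ matrix.hook }}/hook/Dockerfile
          build-args: |
            namespace=${{ env.DOCKER_NAMESPACE }}
            baseImageTag=${{ env.baseImageTag }}
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
      # Uses a second credential pair (DOCKERHUB_*) distinct from the push token.
      # NOTE(review): confirm DOCKERHUB_PASSWORD is an access token limited to
      # what this step needs rather than the Docker Hub account password.
      - name: Update Docker Hub Description
        uses: peter-evans/dockerhub-description@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
          repository: ${{ env.DOCKER_NAMESPACE }}/hook-${{ matrix.hook }}
          readme-filepath: ./hooks/${{ matrix.hook }}/docs/README.DockerHub-Hook.md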
# ---- Dashboard Importer ----
  # Builds the Kibana dashboard importer that ships with the persistence-elastic
  # hook. amd64 only, so no QEMU step is needed; there is no Docker Hub
  # description update for this image and no `continue-on-error`, so a failed
  # build fails the run.
  dashboardImporter:
    name: Dashboard Importer
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # Image tags: `sha-<short commit sha>` plus the release version taken from
      # the git tag (`type=semver`). OCI labels come from the same step.
      - name: Docker Meta
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_NAMESPACE }}/persistence-elastic-dashboard-importer
          tags: |
            type=sha
            type=semver,pattern={{version}}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Build and Push
        uses: docker/build-push-action@v5
        with:
          context: ./hooks/persistence-elastic/dashboard-importer/
          file: ./hooks/persistence-elastic/dashboard-importer/Dockerfile
          platforms: linux/amd64
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
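# ---- Build Stage | Matrix Parsers ----
  # One parser image per scanner. Each Dockerfile receives `namespace` and
  # `baseImageTag` as build-args, presumably to select the parser-sdk base image
  # built by the `sdk` job — hence `needs: sdk`.
  parsers:
    name: "Build | Parsers"
    needs: sdk
    runs-on: ubuntu-22.04
    strategy:
      # Keep building the other parsers when one fails, but let the job report
      # the failure. The previous job-level `continue-on-error: true` turned a
      # failed build into a green run, so a release could ship without one of
      # its parser images.
      fail-fast: false
      matrix:
        parser:
          - amass
          - cmseek
          - doggo
          - ffuf
          - git-repo-scanner
          - gitleaks
          - kube-hunter
          - kubeaudit
          - ncrack
          - nikto
          - nmap
          - nuclei
          - screenshooter
          - semgrep
          - ssh-scan
          - ssh-audit
          - sslyze
          - test-scan
          - trivy
          - trivy-sbom
          - typo3scan
          - whatweb
          - wpscan
          - zap
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # Image tags: `sha-<short commit sha>` plus the release version taken from
      # the git tag (`type=semver`). OCI labels come from the same step.
      - name: Docker Meta
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_NAMESPACE }}/parser-${{ matrix.parser }}
          tags: |
            type=sha
            type=semver,pattern={{version}}
      # QEMU is needed for the linux/arm64 half of the multi-arch build below.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      # The base image is referenced by the same short-sha tag that
      # docker/metadata-action's `type=sha` produced in the sdk job, i.e. the
      # first seven characters of github.sha. Take them from GITHUB_SHA directly
      # rather than from `git rev-parse --short HEAD`, whose length follows
      # git's core.abbrev heuristic and is not guaranteed to be seven.
      - name: Set baseImageTag to commit hash
        run: |
          echo "baseImageTag=sha-${GITHUB_SHA::7}" >> "$GITHUB_ENV"
      - name: Build and Push
        uses: docker/build-push-action@v5
        with:
          context: ./scanners/${{ matrix.parser }}/parser
          file: ./scanners/${{ matrix.parser }}/parser/Dockerfile
          build-args: |
            namespace=${{ env.DOCKER_NAMESPACE }}
            baseImageTag=${{ env.baseImageTag }}
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
      # Uses a second credential pair (DOCKERHUB_*) distinct from the push token.
      # NOTE(review): confirm DOCKERHUB_PASSWORD is an access token limited to
      # what this step needs rather than the Docker Hub account password.
      - name: Update Docker Hub Description
        uses: peter-evans/dockerhub-description@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
          repository: ${{ env.DOCKER_NAMESPACE }}/parser-${{ matrix.parser }}
          readme-filepath: ./scanners/${{ matrix.parser }}/docs/README.DockerHub-Parser.md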
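# ---- Build | Scanners ----
# Note: we only build images for scanners that don't provide official public container images.
# ---- Build | Scanners | Third Party Scanner ----
  # This matrix contains third-party scanners. The image tag is the current
  # version of the scanner (its Chart.yaml appVersion), not the release semver.
  scanners-third-party:
    name: "Build | Third Party Scanner"
    runs-on: ubuntu-22.04
    strategy:
      # Keep building the other scanners when one fails, but let the job report
      # the failure. The previous job-level `continue-on-error: true` turned a
      # failed build into a green run, so a release could ship without one of
      # its scanner images.
      fail-fast: false
      matrix:
        scanner:
          - amass
          - cmseek
          - ffuf
          - kube-hunter
          - kubeaudit
          - ncrack
          - nmap
          - nikto
          - ssh-audit
          - sslyze
          - typo3scan
          - whatweb
          - wpscan
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # Notice: the scanner version comes from Chart.yaml so there is exactly one
      # place to edit it. The value is repository content, not user input, but
      # the assignment is quoted so an unexpected appVersion cannot split it.
      - name: Set ENV Var with Scanner Version
        uses: mikefarah/yq@v4.43.1
        with:
          cmd: echo "scannerVersion=$(yq e .appVersion scanners/${{ matrix.scanner }}/Chart.yaml)" >> "$GITHUB_ENV"
      # The supported CPU architectures are read from the same Chart.yaml
      # (`annotations.supported-platforms`, presumably a comma-separated buildx
      # platform list like the literal ones used in the other jobs).
      # NOTE(review): if the annotation is missing yq prints `null`, which
      # reaches `platforms:` verbatim and fails the build with an unhelpful
      # error — a guard here would make that explicit.
      - name: Set ENV Var with Supported Platforms
        uses: mikefarah/yq@v4.43.1
        with:
          cmd: echo "supportedPlatforms=$(yq e .annotations.supported-platforms scanners/${{ matrix.scanner }}/Chart.yaml)" >> "$GITHUB_ENV"
      # Image tags: `sha-<short commit sha>` plus the raw scanner version.
      # OCI labels come from the same step.
      - name: Docker Meta
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_NAMESPACE }}/scanner-${{ matrix.scanner }}
          tags: |
            type=sha
            ${{ env.scannerVersion }}
      # The platform list is per scanner and may include non-amd64 targets, so
      # register QEMU like the other multi-arch jobs do; it is harmless for
      # amd64-only charts.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Build and Push
        uses: docker/build-push-action@v5
        with:
          context: ./scanners/${{ matrix.scanner }}/scanner
          file: ./scanners/${{ matrix.scanner }}/scanner/Dockerfile
          build-args: |
            scannerVersion=${{ env.scannerVersion }}
          platforms: ${{ env.supportedPlatforms }}
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
      # Uses a second credential pair (DOCKERHUB_*) distinct from the push token.
      # NOTE(review): confirm DOCKERHUB_PASSWORD is an access token limited to
      # what this step needs rather than the Docker Hub account password.
      - name: Update Docker Hub Description
        uses: peter-evans/dockerhub-description@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
          repository: ${{ env.DOCKER_NAMESPACE }}/scanner-${{ matrix.scanner }}
          readme-filepath: ./scanners/${{ matrix.scanner }}/docs/README.DockerHub-Scanner.md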
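# ---- Build | Scanners | Custom Scanner ----
  # This section contains scanners developed by the secureCodeBox project.
  # The tag for these images is the semver of the release. Only `baseImageTag`
  # is passed as a build-arg (no `namespace`), so what base image the
  # Dockerfiles select from it cannot be told from here.
  scanners-custom:
    name: "Build | Custom Scanner"
    runs-on: ubuntu-22.04
    strategy:
      # Keep building the other scanners when one fails, but let the job report
      # the failure. The previous job-level `continue-on-error: true` turned a
      # failed build into a green run, so a release could ship without one of
      # its scanner images.
      fail-fast: false
      matrix:
        scanner:
          - git-repo-scanner
          - screenshooter
          - test-scan
          - zap-advanced
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # Image tags: `sha-<short commit sha>` plus the release version taken from
      # the git tag (`type=semver`). OCI labels come from the same step.
      - name: Docker Meta
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_NAMESPACE }}/scanner-${{ matrix.scanner }}
          tags: |
            type=sha
            type=semver,pattern={{version}}
      # amd64 only, so no QEMU step is needed.
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      # Same short-sha tag format as docker/metadata-action's `type=sha`: the
      # first seven characters of github.sha. Taken from GITHUB_SHA directly
      # rather than from `git rev-parse --short HEAD`, whose length follows
      # git's core.abbrev heuristic and is not guaranteed to be seven.
      - name: Set baseImageTag to commit hash
        run: |
          echo "baseImageTag=sha-${GITHUB_SHA::7}" >> "$GITHUB_ENV"
      - name: Build and Push
        uses: docker/build-push-action@v5
        with:
          context: ./scanners/${{ matrix.scanner }}/scanner
          file: ./scanners/${{ matrix.scanner }}/scanner/Dockerfile
          build-args: |
            baseImageTag=${{ env.baseImageTag }}
          platforms: linux/amd64
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
      # Uses a second credential pair (DOCKERHUB_*) distinct from the push token.
      # NOTE(review): confirm DOCKERHUB_PASSWORD is an access token limited to
      # what this step needs rather than the Docker Hub account password.
      - name: Update Docker Hub Description
        uses: peter-evans/dockerhub-description@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
          repository: ${{ env.DOCKER_NAMESPACE }}/scanner-${{ matrix.scanner }}
          readme-filepath: ./scanners/${{ matrix.scanner }}/docs/README.DockerHub-Scanner.md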
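# ---- Build | Demo-Targets | Custom ----
  # This section contains demo targets developed by the secureCodeBox project.
  # Judging by the names (old-joomla, old-typo3, old-wordpress) these are
  # deliberately outdated applications meant to be scanned, so the images are
  # expected to carry known vulnerabilities and must never be exposed beyond a
  # test environment. They are tagged with the target's own version from
  # Chart.yaml, `sha-<short commit sha>`, and the moving tag `latest`.
  demo-targets:
    name: "Build | Custom Demo-Targets"
    runs-on: ubuntu-22.04
    strategy:
      # Keep building the other targets when one fails, but let the job report
      # the failure. The previous job-level `continue-on-error: true` turned a
      # failed build into a green run.
      fail-fast: false
      matrix:
        target:
          - old-joomla
          - old-typo3
          - old-wordpress
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # Notice: the demo-target version comes from Chart.yaml so there is
      # exactly one place to edit it. The value is repository content, not user
      # input, but the assignment is quoted so an unexpected appVersion cannot
      # split it.
      - name: Set ENV Var with Demo-Target Version
        uses: mikefarah/yq@v4.43.1
        with:
          cmd: echo "targetVersion=$(yq e .appVersion demo-targets/${{ matrix.target }}/Chart.yaml)" >> "$GITHUB_ENV"
      - name: Docker Meta
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_NAMESPACE }}/demo-target-${{ matrix.target }}
          tags: |
            type=sha
            latest
            ${{ env.targetVersion }}
      # amd64 only, so no QEMU step is needed.
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Build and Push
        uses: docker/build-push-action@v5
        with:
          context: ./demo-targets/${{ matrix.target }}/container
          file: ./demo-targets/${{ matrix.target }}/container/Dockerfile
          platforms: linux/amd64
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
      # Uses a second credential pair (DOCKERHUB_*) distinct from the push token.
      # NOTE(review): confirm DOCKERHUB_PASSWORD is an access token limited to
      # what this step needs rather than the Docker Hub account password.
      - name: Update Docker Hub Description
        uses: peter-evans/dockerhub-description@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
          repository: ${{ env.DOCKER_NAMESPACE }}/demo-target-${{ matrix.target }}
          readme-filepath: ./demo-targets/${{ matrix.target }}/docs/README.DockerHub-Target.md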