From 6f0e524c545ca3628567826c4f76ab18db4df544 Mon Sep 17 00:00:00 2001 
From: Shivam Kumar Date: Fri, 30 Aug 2024 23:09:18 +0530 Subject: [PATCH] Feat/GitHub action (#7) * feat/creating enigma bake command to build, scan and tag in a single command * feat:removed tag code as build command was making tag also * feat:Improved readme * feat:Added .DS_Store in .gitignore * feat:Added .DS_Store in .gitignore * feat:Added .DS_Store in .gitignore * feat:Added .DS_Store in .gitignore * feat/created publish command to Push Image on Dockerhub and cleanup images will be done on based of CLEANUP parameter in .enigma * feat/created publish command to Push Image on Dockerhub and cleanup images will be done on based of CLEANUP parameter in .enigma * feat:passed dummy values in readme.md * feat:Publish for aws and gcp also ready * feat:custom workflow for enigma docker * feat:custom workflow for enigma docker * feat:custom workflow for enigma docker * feat:custom workflow for enigma docker * feat:custom workflow for enigma docker * feat:custom workflow for enigma docker * feat:custom workflow for enigma docker * feat:custom workflow for enigma docker * feat:custom workflow for enigma docker * feat:custom workflow for enigma docker * feat:custom workflow for enigma docker * feat:custom workflow for enigma docker * removed sarif file in go code * commented scan code to test * added .enigma file * testing workflow * removed /n * modified code * removed unwanted code * added aws creds parameters * feat:added aws inputs * modified entrypoint.sh * changed Dockerfile * modified Dockerfile * testing by commenting entrypoint.sh * commented some lines * modified full correct Dockerfile and action.yml * modified entrypoint.sh * changed entrypoint.sh * modfied entry point.sh * feat:modified action.yml * modified scout command * removed vaues from .enigma * commented cleanup part * modified action.yml * modified action.yml * added aws cli install part * commented login part from custom workflow * added auth part in entrypoint.sh: * commented aws login in 
entrypoint * added auth part in entrypoint.sh * modified entrypoint file * added aws in dockerfile * added aws in dockerfile * added cleanup * modifed entrypoint.sh * modified readme * Update entrypoint.sh * Update readme.md * feat: modified entrypoint.sh and release.yml * feat:changed tag to v1 * feat:changed release.yml file --- .enigma | 7 ++++--- Dockerfile | 41 ++++++++++++++++++++++++++-------------- README.MD | 2 +- action.yml | 34 +++++++++++++++++++++++++++++++++ entrypoint.sh | 12 ++++++++++++ main.go | 2 +- modules/docker/docker.go | 10 +++++++++- modules/docker/readme.md | 41 ++++++++++++++++++++++++++++++++++++++-- 8 files changed, 127 insertions(+), 22 deletions(-) create mode 100644 action.yml create mode 100755 entrypoint.sh diff --git a/.enigma b/.enigma index 926bf80..018f679 100644 --- a/.enigma +++ b/.enigma @@ -1,3 +1,4 @@ -DOCKER_IMAGE -DOCKER_TAG -CLEANUP \ No newline at end of file +DOCKER_IMAGE= +DOCKER_TAG= +CLEANUP= +SCAN= \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index bd0b8fa..9c0b688 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,20 +1,33 @@ -ARG GO_VERSION=1.23 -FROM golang:${GO_VERSION} as builder -ARG PROGRAM=nothing -ARG VERSION=development +FROM golang:1.23 -RUN mkdir /src /output +# Install Docker CLI and other dependencies +RUN apt-get update && apt-get install -y \ + apt-transport-https \ + ca-certificates \ + curl \ + gnupg \ + lsb-release \ + unzip -WORKDIR /src +# Add Docker's official GPG key +RUN curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg -COPY . . -RUN GOBIN=/output make install VERSION=$VERSION -RUN PROGRAM=$(ls /output); echo "#!/bin/sh\nexec '/usr/bin/$PROGRAM' \"\$@\"" > /docker-entrypoint.sh && chmod +x /docker-entrypoint.sh +# Set up the Docker repository +RUN echo \ + "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \ + $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null + +# Install Docker CE CLI +RUN apt-get update && apt-get install -y docker-ce-cli +# Install AWS CLI v2 +RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \ + unzip awscliv2.zip && \ + ./aws/install && \ + rm -rf aws awscliv2.zip -FROM gcr.io/distroless/base:latest -ARG PROGRAM=nothing +WORKDIR /go/src/app +COPY . . +RUN go build -o enigma main.go -COPY --from=builder /output/${PROGRAM} / -USER 1000 -ENTRYPOINT [""] \ No newline at end of file +ENTRYPOINT ["/go/src/app/entrypoint.sh"] \ No newline at end of file diff --git a/README.MD b/README.MD index b279168..f1106d0 100644 --- a/README.MD +++ b/README.MD 
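Review bot: The AWS CLI v2 installer fetched in the new `RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" …` step is unpacked and executed with no integrity check, unlike the Docker repository set up just above it, which pins a `signed-by=` keyring; AWS publishes a detached signature next to the zip, and verifying it before `./aws/install` keeps a substituted or truncated download out of an image that later holds registry credentials. The zip URL also hardcodes `x86_64` while the Docker repo line uses `$(dpkg --print-architecture)`, so the build fails on arm64 hosts, `curl` runs without `-f` so an HTTP error body is saved as the zip and only surfaces at `unzip`, and neither `apt-get install` layer removes `/var/lib/apt/lists/*`. Suggested shape of the install step below, with the AWS public key file left as a placeholder to be taken from AWS's own documentation.
```dockerfile
# … unchanged: Docker repository setup and docker-ce-cli install …
# Install AWS CLI v2, verifying the published PGP signature before running the installer
RUN curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o awscliv2.zip && \
    curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o awscliv2.sig && \
    gpg --import <AWS_CLI_PUBLIC_KEY_FILE> && \
    gpg --verify awscliv2.sig awscliv2.zip && \
    unzip -q awscliv2.zip && ./aws/install && \
    rm -rf aws awscliv2.zip awscliv2.sig
```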
@@ -28,7 +28,7 @@ This repo offers to Work effortlessly with Docker, Helm, Docker Compose, Terraform, and other essential DevOps tools. It streamlines your workflow by automating complex commands and managing configurations. Simply set your environment variables, and let Enigma handle rest. With its intuitive design and powerful automation, you’ll achieve greater efficiency and consistency in your DevOps processes. ## 🚀 Table Of Content -1. [Docker](https://github.com/clouddrove/enigma/blob/master/modules/docker/README.md) +1. [Docker](https://github.com/clouddrove/enigma/blob/main/modules/docker/readme.md) ## ✨ Contributors diff --git a/action.yml b/action.yml new file mode 100644 index 0000000..f2aac91 --- /dev/null +++ b/action.yml @@ -0,0 +1,34 @@ +name: 'Enigma Docker Build and Publish' +description: 'Builds, scans, tags, and pushes Docker images using the Enigma tool' +inputs: + command: + description: 'Command to run (bake or publish)' + required: true + DOCKER_IMAGE: + description: 'Docker image name' + required: true + DOCKER_TAG: + description: 'Docker image tag' + required: true + CLEANUP: + description: 'Cleanup after push (true or false)' + required: false + default: 'false' + AWS_REGION: + description: 'AWS Region' + required: true + AWS_ACCOUNT_ID: + description: 'AWS Account ID' + required: true +runs: + using: 'docker' + image: 'Dockerfile' + env: + DOCKER_IMAGE: ${{ inputs.DOCKER_IMAGE }} + DOCKER_TAG: ${{ inputs.DOCKER_TAG }} + AWS_ACCOUNT_ID: ${{ inputs.AWS_ACCOUNT_ID }} + AWS_REGION: ${{ inputs.AWS_REGION }} + CLEANUP: ${{ inputs.AWS_REGION }} + + args: + - ${{ inputs.command }} \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100755 index 0000000..4c89723 --- /dev/null +++ b/entrypoint.sh 
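Review bot: In the `runs.env` block of action.yml, `CLEANUP: ${{ inputs.AWS_REGION }}` maps the wrong input, so the publish path sees a region string as CLEANUP; since the `PushDockerImage` comment in this patch says cleanup is disabled only by the exact value `"false"`, the `CLEANUP` input has no effect and cleanup always runs. It should read `CLEANUP: ${{ inputs.CLEANUP }}`. The action also declares no `SCAN` input and exports no `SCAN` env, while `.enigma` and `docker.go` in the same patch gate scanning on `SCAN=true`, so images built through the action are never scanned and a caller has no documented way to turn it on. Likewise nothing here sets `PROVIDER`, which `entrypoint.sh` requires to equal `aws` before the ECR login, so the required `AWS_*` inputs appear to go unused unless the workflow happens to export `PROVIDER` at job level; adding a `SCAN` input (`default: 'false'`) and either a `PROVIDER` input or a fixed `PROVIDER: aws` in `env` would close both gaps.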
@@ -0,0 +1,12 @@ +#!/bin/sh +set -e + +# Check if provider is AWS +if [ "$PROVIDER" = "aws" ]; then + aws ecr get-login-password --region "$AWS_REGION" | docker login --username AWS --password-stdin "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com" + +else + echo "Please pass a valid provider" +fi + +exec "/go/src/app/enigma" "$@" \ No newline at end of file diff --git a/main.go b/main.go index eeeea13..1c617c6 100644 --- a/main.go +++ b/main.go @@ -41,4 +41,4 @@ func main() { fmt.Println("Unknown command:", command) fmt.Println("Commands: bake, publish") } -} +} \ No newline at end of file diff --git a/modules/docker/docker.go b/modules/docker/docker.go index c02e293..ab3d0e8 100644 --- a/modules/docker/docker.go +++ b/modules/docker/docker.go @@ -31,12 +31,20 @@ func BuildDockerImage() { fmt.Println("Build complete.") + fmt.Println("Build complete.") TagDockerImage() } // ScanDockerImage performs a security scan of the Docker image and saves the report in SARIF format. // It uses the `docker scout` command to scan the image for vulnerabilities. func ScanDockerImage() { + scan := os.Getenv("SCAN") + + if scan != "true" { + fmt.Println("SCAN is not set to true. Skipping Docker image scan.") + return + } + dockerTag := os.Getenv("DOCKER_TAG") if dockerTag == "" { @@ -56,6 +64,7 @@ func ScanDockerImage() { log.Fatalf("Error running docker scout scan: %v", err) } + fmt.Println("Docker image scan complete.") fmt.Printf("Scan complete. Report saved to %s\n", sarifFile) } @@ -83,7 +92,6 @@ func TagDockerImage() { fmt.Println("Docker image tagged successfully.") } - // PushDockerImage pushes the tagged Docker image to the specified registry and optionally cleans up local images. // It uses the `docker push` command to upload the image to the registry specified in DOCKER_TAG. // Cleanup is performed by default or when explicitly set to "true". It's only disabled when set to "false". 
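Review bot: The `else` branch of entrypoint.sh prints `Please pass a valid provider` to stdout and then falls through to `exec "/go/src/app/enigma" "$@"`, so a misspelled or unset `PROVIDER` is not an error and a later `publish` only fails at the unauthenticated push; keeping an unset value as the no-login case (so `bake` still works) but aborting on an unrecognised one would be `elif [ -n "$PROVIDER" ]; then echo "Unknown provider: $PROVIDER" >&2; exit 1; fi`. Under `#!/bin/sh`, `set -e` does not watch the left side of the `aws ecr get-login-password … | docker login …` pipeline, so a failed credential fetch (bad region, missing AWS credentials) shows up only as `docker login` reading an empty password from stdin; capturing the token first with `PASS=$(aws ecr get-login-password --region "$AWS_REGION")` and piping it via `printf '%s' "$PASS" | docker login --username AWS --password-stdin …` makes that failure stop the script. The registry host is assembled from `$AWS_ACCOUNT_ID` and `$AWS_REGION` without any check that they are non-empty or well-formed, so a blank account id yields a login attempt against `.dkr.ecr.<region>.amazonaws.com` with a confusing error.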
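Review bot: The first docker.go hunk adds `fmt.Println("Build complete.")` immediately after a context line with the identical text, and the second adds `fmt.Println("Docker image scan complete.")` right before the existing `fmt.Printf("Scan complete. Report saved to %s\n", sarifFile)`, so both paths now report completion twice; if the collapsed layout here is read correctly, the two added lines should be dropped rather than duplicating the existing output. The new `SCAN` gate in `ScanDockerImage` disables the scan for any value other than the exact string `"true"`, whereas the `PushDockerImage` comment at the end of the third hunk says CLEANUP is on unless exactly `"false"`, so the two env flags use opposite defaults and different truthiness rules; normalising case before the comparison would at least keep `SCAN=True` from silently skipping the scan, and the difference should be documented. The doc comment above `ScanDockerImage` still describes an unconditional scan; add `// The scan runs only when the SCAN environment variable is exactly "true"; otherwise it logs a notice and returns without scanning.` Note that with the shipped `.enigma` leaving `SCAN=` empty, scanning is now off by default. `ScanDockerImage`'s body continues past the end of the first hunk.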
diff --git a/modules/docker/readme.md b/modules/docker/readme.md index eeae3ce..9da3b7e 100644 --- a/modules/docker/readme.md +++ b/modules/docker/readme.md @@ -8,8 +8,11 @@ DOCKER_IMAGE=nginx DOCKER_TAG=xyz:v1 CLEANUP=true +SCAN=false ``` +when working on local keep SCAN=true to it scan your image and generate report for it. + 3. Add Dockerfile of your in root of the folder 4. Now from root of the folder run: @@ -20,7 +23,7 @@ go build -o enigma main.go ``` ### To work with Docker commands run- -- To Build, Scan and Tag: +- To Build and Tag: ``` ./enigma bake ``` @@ -28,4 +31,38 @@ go build -o enigma main.go - To Push Image to Registry and cleanup Image at end(Cleanup will be only done if in `.enigma` CLEANUP is set true or by default it will take true): ``` ./enigma publish - ``` \ No newline at end of file + ``` + +## Usage in GitHub Actions +### This GitHub Action builds docker image, tags and pushes to the registry you want. + +```yaml +name: Enigma Docker + +on: + push: + branches: main + +jobs: + login: + runs-on: ubuntu-latest + steps: + + - name: Build Docker Image + uses: clouddrove/enigma@main + with: + command: bake + DOCKER_IMAGE: ${{ env.DOCKER_IMAGE }} + DOCKER_TAG: ${{ env.DOCKER_TAG }} + AWS_ACCOUNT_ID: ${{ env.AWS_ACCOUNT_ID }} + AWS_REGION: ${{ env.AWS_REGION }} + + - name: Publish Docker Image + uses: clouddrove/enigma@main + with: + command: publish + DOCKER_IMAGE: ${{ env.DOCKER_IMAGE }} + DOCKER_TAG: ${{ env.DOCKER_TAG }} + AWS_ACCOUNT_ID: ${{ env.AWS_ACCOUNT_ID }} + AWS_REGION: ${{ env.AWS_REGION }} +```