

Update main.yaml #41


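---
# Build & Test: builds the Flask image, generates an SBOM with Aqua's `billy`,
# scans the checkout with the Aqua/Trivy scanner and pushes the image to
# Docker Hub. A second job downloads the uploaded SBOM artifact.
#
# NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN receives
# the repository default (possibly write-all). Scope it down once the
# permissions pipeline-enforcer and billy actually need are confirmed.
name: Build & Test

on:
  push:
  pull_request:

env:
  # Aqua endpoints. Nothing in this file defined these before, so the
  # `${{ env.CSPM_URL }}` / `${{ env.AQUA_URL }}` references in the steps
  # evaluated to empty strings. Source them from Actions configuration
  # variables (Settings -> Secrets and variables -> Actions -> Variables);
  # workflow-level env is inherited by every job and step below.
  CSPM_URL: ${{ vars.CSPM_URL }}
  AQUA_URL: ${{ vars.AQUA_URL }}

jobs:
  Build-and-Aqua:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # NOTE(review): `@main` is a mutable ref -- any push to that branch runs
      # here with AQUA_KEY/AQUA_SECRET and GITHUB_TOKEN. Pin to a release tag
      # or, better, a full commit SHA.
      - name: Pipeline Enforcer
        uses: aquasecurity/pipeline-enforcer-action@main
        with:
          aqua-key: ${{ secrets.AQUA_KEY }}
          aqua-secret: ${{ secrets.AQUA_SECRET }}
          access-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Only needed for the push at the end, which is gated to push events
      # (secrets are not available to pull_request runs from forks anyway).
      # DOCKER_PASSWORD should be a Docker Hub access token scoped to this
      # repository rather than the account password.
      - name: Log in to Docker Hub
        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Build Docker image
        run: docker build -t my-flask-app:${{ github.sha }} .

      - name: Manifest Generation
        # Secrets reach billy through the step `env` below and are read as
        # shell variables instead of being interpolated with `${{ }}` into
        # the script text.
        run: |
          set -euo pipefail
          export BILLY_SERVER=https://billy.codesec.aquasec.com
          # Explicit https:// -- a scheme-less URL makes curl default to plain
          # http. -f turns an HTTP error into a failure instead of saving the
          # error page as install.sh.
          curl -fsSLo install.sh https://download.codesec.aquasec.com/billy/install.sh
          curl -fsSLo install.sh.checksum https://github.com/argonsecurity/releases/releases/latest/download/install.sh.checksum
          # The checksum is published on a different host than the script, so
          # a skew between the two release streams shows up here as a mismatch.
          if ! sha256sum -c install.sh.checksum; then
            echo "install.sh checksum failed"
            exit 1
          fi
          BINDIR="." sh install.sh
          rm install.sh install.sh.checksum
          ./billy generate \
            --access-token "$GITHUB_TOKEN" \
            --aqua-key "$AQUA_KEY" \
            --aqua-secret "$AQUA_SECRET" \
            --cspm-url "$CSPM_URL" \
            --artifact-path "my-flask-app:$GITHUB_SHA"
        env:
          AQUA_KEY: ${{ secrets.AQUA_KEY }}
          AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
          GITHUB_TOKEN: ${{ github.token }}

      # NOTE(review): `path` is the Docker image tag, not a file on disk.
      # Unless billy writes a file with exactly that name, upload-artifact
      # finds nothing and the `sbom` artifact that deploy-sbom downloads is
      # never created. Point this at the SBOM file billy produces.
      - name: Archive Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: "my-flask-app:${{ github.sha }}"

      # NOTE(review): the image reference has no tag or digest, so this runs
      # whatever `latest` is at the time; pin to a digest (`@sha256:...`).
      - name: Run Aqua scanner
        uses: docker://aquasec/aqua-scanner
        with:
          args: trivy fs --sast --scanners misconfig,vuln,secret .
        env:
          AQUA_KEY: ${{ secrets.AQUA_KEY }}
          AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
          GITHUB_TOKEN: ${{ github.token }}
          TRIVY_RUN_AS_PLUGIN: "aqua"

      # Publish only from push events: pull_request runs should not put
      # images on Docker Hub.
      - name: Tag Docker image
        if: github.event_name == 'push'
        run: docker tag my-flask-app:${{ github.sha }} pitonemaledetto/sbom:${{ github.sha }}

      - name: Push Docker image to Docker Hub
        if: github.event_name == 'push'
        run: docker push pitonemaledetto/sbom:${{ github.sha }}

  deploy-sbom:
    runs-on: ubuntu-latest
    needs: Build-and-Aqua
    steps:
      # NOTE(review): /opt on GitHub-hosted runners may not be writable by the
      # runner user; if this download fails, use a path under
      # ${{ github.workspace }} instead.
      - name: Download Artifact
        uses: actions/download-artifact@v4
        with:
          name: sbom
          path: /opt

      - name: List Artifacts
        run: ls /opt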