- Workflow Overview
- GitHub Actions Shown in This Workflow
- Getting Started
-
Deep Dive into GitHub Actions Workflow
- Job1:
sast_scan - Step 1: Checkout Code sast-scan
- Step 2: Set Up Python
- Step 3: Install Bandit
- Step 4: Run Bandit Scan
- Step 5: Upload Bandit Scan Artifact
- Job2:
image_scan - Step 1: Checkout Code for image-scan
- Step 2: Set Up Docker
- Step 3: Build Docker Image
- Step 4: Docker Scout Scan
- Step 5: Upload Docker Scout Scan Artifact
- Job1:
- Acknowledgment
Welcome to the "Learning-GitHub-Actions" project! This Project is designed for beginners to understand and practice GitHub Actions, utilizing a sample workflow inspired by the OWASP PyGoat intentionally vulnerable web project.
Workflow Overview
The GitHub Actions workflow defined in .github/workflows/main.yml comprises two jobs:
sast_scan: This job checks the codebase for security issues using Bandit, a Python static analysis tool. The findings are stored as an artifact.
image_scan: This job builds a Docker image using the provided Dockerfile and performs security scans using Docker Scout. The scan results are saved as an artifact.
GitHub Actions Shown in This Workflow
Getting Started
- Clone the Repository:
git clone https://github.com/panchanandevops/Learning-GitHub-Actions.git
cd Learning-GitHub-Actions
-
Run GitHub Actions Workflow:
- Manually trigger the workflow by navigating to the "Actions" tab on GitHub and selecting "Run workflow" for the desired workflow.
-
Explore Results:
- View Bandit scan results in the
bandit-findingsartifact. - Check Docker Scout scan findings in the
docker-scout-findingsartifact.
- View Bandit scan results in the
Deep Dive into GitHub Actions Workflow
Let's break down the YAML code by each job level, then explain each step inside it:
Job1: sast_scan
sast_scan:
name: Run Bandit Scan
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Set Up Python
uses: actions/setup-python@v3
with:
python-version: 3.8
- name: Install Bandit
run: pip install bandit
- name: Run Bandit Scan
run: bandit -ll -ii -r . -f json -o bandit-report.json
- name: Upload Bandit Scan Artifact
uses: actions/upload-artifact@v4
if: always()
with:
name: bandit-findings
path: bandit-report.json
Let's break down the sast_scan job into individual steps:
Step 1: Checkout Code sast-scan
- name: Checkout Code
uses: actions/checkout@v4
-
Explanation: This step uses the
actions/checkoutaction to fetch the repository code, ensuring that the latest code from the repository is available for the subsequent steps.
Step 2: Set Up Python
- name: Set Up Python
uses: actions/setup-python@v3
with:
python-version: 3.8
-
Explanation: This step uses the
actions/setup-pythonaction to set up Python version 3.8, ensuring that the correct Python version is available for the Bandit tool.
Step 3: Install Bandit
- name: Install Bandit
run: pip install bandit
-
Explanation: This step installs the Bandit tool using the
pippackage manager, ensuring that Bandit is available for static analysis of Python code.
Step 4: Run Bandit Scan
- name: Run Bandit Scan
run: bandit -ll -ii -r . -f json -o bandit-report.json
-
Explanation:
-
-ll: Log level set to low, displaying only critical issues. -
-ii: Confidence level set to high, reporting only high-confidence issues. -
-r .: Recursive scan of the current directory and its subdirectories. -
-f json: Output the scan results in JSON format. -
-o bandit-report.json: Save the scan report to a file namedbandit-report.json. This command runs the Bandit tool to identify security issues in Python code.
-
Step 5: Upload Bandit Scan Artifact
- name: Upload Bandit Scan Artifact
uses: actions/upload-artifact@v4
if: always()
with:
name: bandit-findings
path: bandit-report.json
-
Explanation:
-
name: Upload Bandit Scan Artifact: Descriptive name for the step. -
uses: actions/upload-artifact@v4: Specifies the version of theupload-artifactaction to use. -
if: always(): Ensures that the artifact is uploaded even if previous steps fail. -
withsection: -
name: bandit-findings: Name of the artifact. It will be used to identify the uploaded artifact. -
path: bandit-report.json: Path to the file or directory to be uploaded. In this case, it's the Bandit scan report (bandit-report.json).
-
This step uses the upload-artifact action to upload the Bandit scan report as a build artifact named bandit-findings. The artifact can be later accessed and used for analysis or reporting purposes. The if: always() ensures that the artifact is uploaded regardless of the success or failure of previous steps.
These five steps together define the sast_scan job, providing a comprehensive overview of the Bandit scan workflow.
Job2: image_scan
image_scan:
name: Build Image and Run Image Scan
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Set Up Docker
uses: docker-practice/actions-setup-docker@master
with:
docker_version: "20.10.7"
- name: Build Docker Image
run: docker build -f Dockerfile -t myapp:latest ./Pygoat
- name: Docker Scout Scan
uses: docker/scout-action@v1.3.0
with:
dockerhub-user: ${{ secrets.REPO_USER }}
dockerhub-password: ${{ secrets.REPO_PWD }}
command: quickview,cves
only-severities: critical,high
sarif-file: scout-report.sarif
- name: Upload Docker Scout Scan Artifact
uses: actions/upload-artifact@v4
if: always()
with:
name: docker-scout-findings
path: scout-report.sarif
Let's break down the image_scan job into individual steps:
Step 1: Checkout Code for image-scan
- name: Checkout Code
uses: actions/checkout@v4
Explanation:
- Name: Descriptive name for the step.
-
Uses: Utilizes the
actions/checkoutaction to fetch the repository code.
Step 2: Set Up Docker
- name: Set Up Docker
uses: docker-practice/actions-setup-docker@master
with:
docker_version: "20.10.7"
Explanation:
- Name: Descriptive name for the step.
-
Uses: Utilizes the
docker-practice/actions-setup-dockeraction to set up Docker with version 20.10.7.
Step 3: Build Docker Image
- name: Build Docker Image
run: docker build -f Dockerfile -t myapp:latest ./Pygoat
Explanation:
- Name: Descriptive name for the step.
-
Run: Executes a shell command to build a Docker image using the provided Dockerfile and tags it as
myapp:latest.
Step 4: Docker Scout Scan
- name: Docker Scout Scan
uses: docker/scout-action@v1.3.0
with:
dockerhub-user: ${{ secrets.REPO_USER }}
dockerhub-password: ${{ secrets.REPO_PWD }}
command: quickview,cves
only-severities: critical,high
sarif-file: scout-report.sarif
Explanation:
- Name: Descriptive name for the step.
-
Uses: Utilizes the
docker/scout-actionaction to perform security scans on the Docker image. - With: Provides configuration options such as Docker Hub credentials, scan command, severity levels, and output SARIF file.
- You have to add your Docker Hub user id as GitHub secret called
REPO_USER, and Docker Hub password or PAT as GitHub secret calledREPO_PWD.
Step 5: Upload Docker Scout Scan Artifact
- name: Upload Docker Scout Scan Artifact
uses: actions/upload-artifact@v4
if: always()
with:
name: docker-scout-findings
path: scout-report.sarif
Explanation:
- Name: Descriptive name for the step.
-
Uses: Utilizes the
actions/upload-artifactaction to upload the Docker Scout scan report as an artifact. - If: Specifies that this step should always be executed, even if previous steps fail.
-
With: Specifies the artifact name (
docker-scout-findings) and the path of the SARIF file to be uploaded.
These steps collectively define the image_scan job, providing a clear sequence of actions to build a Docker image, perform security scans, and upload the findings as an artifact.
Acknowledgment
Special thanks to Nana Janashia for her valuable guidance and teachings. You can find her on Techworld with Nana.
This concludes our detailed exploration of the GitHub Actions workflow. Feel free to explore further and apply these concepts to your own projects. Happy coding!
Top comments (0)