fix: remvoed outout from docker scan #8

fix: remvoed outout from docker scan

fix: remvoed outout from docker scan #8

Workflow file for this run

# Reusable workflow (triggered via `workflow_call`). The caller selects a smurf
# tool with `inputs.tool` and hands in cloud credentials as secrets. Only the
# docker-build / docker-scan-push jobs are live in this file; the helm and
# terraform jobs are commented out below.
name: Smurf
on:
  workflow_call:
    secrets:
      # NOTE(review): docker-username/docker-password and
      # DOCKERHUB_USERNAME/DOCKERHUB_PASSWORD are two spellings of the same
      # credential pair. Neither pair is referenced by the live jobs in this
      # file; only the AWS_* secrets are consumed (by the "keys" auth step).
      docker-username:
        description: 'Docker Hub username'
        required: false
      docker-password:
        description: 'Docker Hub token'
        required: false
      ecr-registry:
        description: 'ECR registry URL'
        required: false
      # Static AWS keys are only needed when `aws_auth_method == 'keys'`;
      # the OIDC path (`aws-role`) needs none of these.
      AWS_ACCESS_KEY_ID:
        required: false
        description: 'AWS Access Key ID for direct authentication'
      AWS_SECRET_ACCESS_KEY:
        required: false
        description: 'AWS Secret Access Key for direct authentication'
      AWS_SESSION_TOKEN:
        required: false
        description: 'AWS Session Token for direct authentication'
      # The provider-specific secrets below are only referenced by the
      # commented-out terraform job.
      AZURE_CREDENTIALS:
        required: false
        description: 'Azure credentials for authentication'
      GCP_CREDENTIALS:
        required: false
        description: 'GCP credentials JSON for authentication'
      DIGITALOCEAN_ACCESS_TOKEN:
        required: false
        description: 'DigitalOcean Personal Access Token'
      WORKLOAD_IDENTITY_PROVIDER:
        required: false
        description: 'GCP Workload Identity Provider identifier'
      SERVICE_ACCOUNT:
        required: false
        description: 'GCP Service Account to use'
      DOCKERHUB_USERNAME:
        required: false
        description: 'Dockerhub Username'
      DOCKERHUB_PASSWORD:
        required: false
        description: 'Dockerhub Password'
      env-vars:
        required: false
        description: 'Additional environment variables in JSON format'
    inputs:
      tool:
        description: 'Tool to run (selm, stf or sdkr)'
        type: string
        required: true
      # `command` and the `docker_*_command` strings are passed verbatim to the
      # clouddrove/smurf action (presumably executed by it) — treat them as
      # caller-controlled commands and restrict who can call this workflow.
      command:
        description: 'Command to run with tool'
        type: string
        required: false
      branch:
        description: 'Branch to checkout'
        type: string
        default: 'master'
      aws-role:
        description: 'AWS IAM role ARN to assume'
        type: string
        required: false
      aws-region:
        description: 'AWS region'
        type: string
        default: 'us-east-1'
      provider:
        description: 'Cloud provider (aws, azure, gcp, digitalocean)'
        type: string
        required: false
        default: 'aws'
      # 'oidc' uses aws-actions/configure-aws-credentials with `aws-role`;
      # 'keys' writes the AWS_* secrets into the runner's AWS CLI profile.
      aws_auth_method:
        description: 'AWS Auth method to use'
        type: string
        required: false
      # Compared as the string 'true' in the docker-scan-push job `if:`;
      # callers must pass a string, not a YAML boolean.
      docker_scan:
        description: 'Set true for docker scan'
        type: string
        required: false
      # Not referenced by any live step.
      docker_scan_command:
        description: 'Command for docker scan'
        type: string
        required: false
      docker_push:
        description: 'Set true for docker push'
        type: string
        required: false
      # Only referenced by the commented-out Docker Push step.
      docker_push_command:
        description: 'Command for docker push'
        type: string
        required: false
      docker_build_command:
        description: 'Command for docker build'
        type: string
        required: false
      # Only referenced by the commented-out Docker Tag step.
      docker_tag_command:
        description: 'Command for docker tag'
        type: string
        required: false
      # Common workspace inputs
      working-directory:
        description: 'Working directory for command execution'
        type: string
        required: false
        default: '.'
      # Helm-specific inputs
      eks-cluster:
        description: 'EKS cluster name'
        type: string
        required: false
      ecr-repository:
        description: 'ECR repository URL'
        type: string
        required: false
      dockerfile-path:
        description: 'Path to Dockerfile'
        type: string
        required: false
      helm-values-path:
        description: 'Path to Helm values file'
        type: string
        required: false
      helm-chart-path:
        description: 'Path to Helm chart'
        type: string
        required: false
      namespace:
        description: 'Kubernetes namespace'
        type: string
        required: false
        default: 'testing-smurf'
      timeout:
        description: 'Timeout in seconds'
        type: number
        default: 30
      # Docker-specific inputs. image-name, image-tag and image-tar together
      # identify the image that docker-build saves and uploads as an artifact.
      image-name:
        description: 'Docker image name'
        type: string
        required: false
      image-tag:
        description: 'Docker image tag'
        type: string
        required: false
      image-tar:
        description: 'Docker image tar'
        type: string
        required: false
      registry-type:
        description: 'Container registry type (docker or ecr)'
        type: string
        required: false
      build-path:
        description: 'Path to build context'
        type: string
        required: false
        default: '.'
      # Terraform-specific inputs (only used by the commented-out terraform job)
      var-file:
        description: 'Terraform var file path'
        type: string
        required: false
      destroy:
        description: 'Set to true to destroy infrastructure'
        type: boolean
        required: false
        default: false
      approvers:
        description: 'Comma-separated list of approvers'
        type: string
        required: false
      terraform-version:
        description: 'Terraform version to use'
        type: string
        required: false
        default: '1.3.6'
      minimum-approvals:
        description: 'Minimum approvals required'
        type: string
        required: false
        default: '1'
      token-format:
        description: 'Token format (access_token or id_token)'
        type: string
        required: false
        default: 'access_token'
      access-token-lifetime:
        description: 'Access token lifetime in seconds'
        type: string
        required: false
        default: '300s'
      gcp-project-id:
        description: 'GCP Project ID'
        type: string
        required: false
      gcp-region:
        description: 'GCP region'
        type: string
        required: false
      create-credentials-file:
        description: 'Create GCP credentials file'
        type: string
        required: false
        default: 'true'
      use-gcp-credentials:
        description: 'Set to true if GCP credentials are provided'
        type: boolean
        required: false
        default: false
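jobs:
  # NOTE(review): several `uses:` references in this listing were mangled into
  # "[email protected]" (actions/checkout, clouddrove/smurf, the second
  # trivy-action). Restore them from the repository and pin every third-party
  # action to a full commit SHA; `aquasecurity/trivy-action@master` below is a
  # mutable ref that can change underneath this workflow.
  #
  # smurf-helm:
  #   if: inputs.tool == 'selm'
  #   runs-on: ubuntu-latest
  #   permissions:
  #     id-token: write
  #     contents: read
  #   steps:
  #     - name: Check out repo
  #       uses: actions/[email protected]
  #       with:
  #         ref: ${{ inputs.branch }}
  #     - name: Configure AWS credentials with OIDC
  #       if: inputs.aws_auth_method == 'oidc'
  #       uses: aws-actions/configure-aws-credentials@v4
  #       with:
  #         role-to-assume: ${{ inputs.aws-role }}
  #         aws-region: ${{ inputs.aws-region }}
  #     - name: Configure AWS credentials with access keys
  #       if: inputs.aws_auth_method == 'keys'
  #       env:
  #         AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  #         AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  #         AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
  #         AWS_REGION: ${{ inputs.aws-region }}
  #       run: |
  #         aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
  #         aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
  #         if [[ -n "$AWS_SESSION_TOKEN" ]]; then
  #           aws configure set aws_session_token $AWS_SESSION_TOKEN
  #         fi
  #         aws configure set region $AWS_REGION
  #     - name: Set environment variables
  #       run: |
  #         echo "AWS_DEFAULT_REGION=${{ inputs.aws-region }}" >> $GITHUB_ENV
  #         echo "EKS_CLUSTER_NAME=${{ inputs.eks-cluster }}" >> $GITHUB_ENV
  #     - name: Smurf Helm
  #       uses: clouddrove/[email protected]
  #       with:
  #         tool: ${{ inputs.tool }}
  #         command: ${{ inputs.command }}

  # Builds the image with the smurf action, then saves it as a tar artifact so
  # the scan job can inspect exactly the bytes that were built.
  docker-build:
    if: inputs.tool == 'sdkr'
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # needed for the OIDC role assumption path
      contents: read
    # Job-level env replaces the former `echo "...=${{ inputs.x }}" >> $GITHUB_ENV`
    # step. Expanding caller-supplied inputs inside a shell line let a value with
    # a newline append arbitrary environment entries (or, unquoted, run
    # commands); here the values never pass through a shell.
    env:
      AWS_DEFAULT_REGION: ${{ inputs.aws-region }}
      EKS_CLUSTER_NAME: ${{ inputs.eks-cluster }}
    steps:
      - name: Checkout code
        uses: actions/[email protected]
        with:
          ref: ${{ inputs.branch }}
      - name: Configure AWS credentials with OIDC
        if: inputs.aws_auth_method == 'oidc'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ inputs.aws-role }}
          aws-region: ${{ inputs.aws-region }}
      # Static-key path. Secrets are exposed to this step only through `env:`
      # and written to the runner's AWS CLI profile for later steps; they are
      # never interpolated into the script text.
      - name: Configure AWS credentials with access keys
        if: inputs.aws_auth_method == 'keys'
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
          AWS_REGION: ${{ inputs.aws-region }}
        run: |
          set -euo pipefail
          # Fail here rather than writing an empty profile that later steps
          # would use and fail on with a less obvious error.
          if [[ -z "$AWS_ACCESS_KEY_ID" || -z "$AWS_SECRET_ACCESS_KEY" ]]; then
            echo "aws_auth_method=keys but AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets are not set" >&2
            exit 1
          fi
          aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID"
          aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
          if [[ -n "$AWS_SESSION_TOKEN" ]]; then
            aws configure set aws_session_token "$AWS_SESSION_TOKEN"
          fi
          aws configure set region "$AWS_REGION"
      # `docker_build_command` is caller-controlled and handed to the action
      # verbatim (presumably executed by it) — see the input's description.
      - name: Docker Build
        uses: clouddrove/[email protected]
        with:
          tool: ${{ inputs.tool }}
          command: ${{ inputs.docker_build_command }}
      # Inputs are passed as env vars, not expanded into the script, so a
      # crafted image-name/tag/tar value cannot inject shell syntax.
      - name: Save Docker Image as Artifact
        env:
          IMAGE_NAME: ${{ inputs.image-name }}
          IMAGE_TAG: ${{ inputs.image-tag }}
          IMAGE_TAR: ${{ inputs.image-tar }}
        run: |
          set -euo pipefail
          if [[ -z "$IMAGE_NAME" || -z "$IMAGE_TAG" || -z "$IMAGE_TAR" ]]; then
            echo "image-name, image-tag and image-tar inputs are all required to save the built image" >&2
            exit 1
          fi
          docker save "${IMAGE_NAME}:${IMAGE_TAG}" -o "$IMAGE_TAR"
      # NOTE(review): upload-artifact rejects some characters in `name`; an
      # image-name containing a registry path may need sanitising — verify.
      - name: Upload Docker Image Artifact
        uses: actions/upload-artifact@v4
        with:
          name: ${{ inputs.image-name }}
          path: ${{ inputs.image-tar }}

  # Scans the image produced by docker-build. `needs:` plus the artifact
  # download/load were commented out, which left Trivy scanning
  # `image-name` (no tag, i.e. `:latest` pulled from a registry) instead of
  # the image that was just built; re-enabling them restores the intended
  # build -> scan chain.
  docker-scan-push:
    if: inputs.tool == 'sdkr' && inputs.docker_scan == 'true'
    needs: docker-build
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    env:
      AWS_DEFAULT_REGION: ${{ inputs.aws-region }}
      EKS_CLUSTER_NAME: ${{ inputs.eks-cluster }}
    steps:
      - name: Checkout code
        uses: actions/[email protected]
        with:
          ref: ${{ inputs.branch }}
      - name: Download Docker Image Artifact
        uses: actions/download-artifact@v4
        with:
          name: ${{ inputs.image-name }}
      - name: Load Docker Image
        env:
          IMAGE_TAR: ${{ inputs.image-tar }}
        run: |
          set -euo pipefail
          docker load -i "$IMAGE_TAR"
      - name: Configure AWS credentials with OIDC
        if: inputs.aws_auth_method == 'oidc'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ inputs.aws-role }}
          aws-region: ${{ inputs.aws-region }}
      - name: Configure AWS credentials with access keys
        if: inputs.aws_auth_method == 'keys'
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
          AWS_REGION: ${{ inputs.aws-region }}
        run: |
          set -euo pipefail
          if [[ -z "$AWS_ACCESS_KEY_ID" || -z "$AWS_SECRET_ACCESS_KEY" ]]; then
            echo "aws_auth_method=keys but AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets are not set" >&2
            exit 1
          fi
          aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID"
          aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
          if [[ -n "$AWS_SESSION_TOKEN" ]]; then
            aws configure set aws_session_token "$AWS_SESSION_TOKEN"
          fi
          aws configure set region "$AWS_REGION"
      # Informational full report. This step was labelled "non-blocking" but
      # ran with `exit-code: '1'` and Trivy's default severity set, so it failed
      # the job on any finding and made the severity-gated step below
      # unreachable. `exit-code: '0'` makes the label true.
      # NOTE(review): `@master` is a mutable ref — pin to the same released
      # version / commit SHA the gating step uses.
      - name: Docker Scan with trivy (non-blocking)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
          exit-code: '0'
          format: 'table'
      # Gating scan: fails the job on fixable CRITICAL/HIGH findings only.
      # NOTE(review): the run annotation for this file reported a YAML syntax
      # error at this step's `with:` block; the flattened listing hides
      # indentation, so the likely cause is `with:` not aligned with `uses:` —
      # the layout below is the intended one.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
      # - name: Docker Tag
      #   uses: clouddrove/[email protected]
      #   with:
      #     tool: ${{ inputs.tool }}
      #     command: ${{ inputs.docker_tag_command }}
      # - name: Docker Push
      #   uses: clouddrove/[email protected]
      #   with:
      #     tool: ${{ inputs.tool }}
      #     command: ${{ inputs.docker_push_command }}

  # smurf-terraform:
  #   if: inputs.tool == 'stf'
  #   runs-on: ubuntu-latest
  #   permissions:
  #     id-token: write
  #     contents: read
  #     pull-requests: write
  #   steps:
  #     - name: Checkout code
  #       uses: actions/[email protected]
  #       with:
  #         ref: ${{ inputs.branch }}
  #     # Configure cloud provider authentication based on provider type
  #     - name: Configure AWS credentials with OIDC
  #       if: inputs.aws_auth_method == 'oidc'
  #       uses: aws-actions/configure-aws-credentials@v4
  #       with:
  #         role-to-assume: ${{ inputs.aws-role }}
  #         aws-region: ${{ inputs.aws-region }}
  #     - name: Configure AWS credentials with access keys
  #       if: inputs.aws_auth_method == 'keys'
  #       env:
  #         AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  #         AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  #         AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
  #         AWS_REGION: ${{ inputs.aws-region }}
  #       run: |
  #         aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
  #         aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
  #         if [[ -n "$AWS_SESSION_TOKEN" ]]; then
  #           aws configure set aws_session_token $AWS_SESSION_TOKEN
  #         fi
  #         aws configure set region $AWS_REGION
  #         echo "AWS_REGION=$AWS_REGION" >> $GITHUB_ENV
  #     - name: Azure Login
  #       if: inputs.provider == 'azure'
  #       uses: azure/login@v1
  #       with:
  #         creds: ${{ secrets.AZURE_CREDENTIALS }}
  #     - name: GCP Authentication
  #       if: inputs.provider == 'gcp' && inputs.use-gcp-credentials
  #       uses: google-github-actions/auth@v1
  #       with:
  #         credentials_json: ${{ secrets.GCP_CREDENTIALS }}
  #         service_account: ${{ inputs.SERVICE_ACCOUNT }}
  #         workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
  #         token_format: ${{ inputs.token-format }}
  #         access_token_lifetime: ${{ inputs.access-token-lifetime }}
  #         create_credentials_file: ${{ inputs.create-credentials-file == 'true' }}
  #     - name: Set GCP Project
  #       if: inputs.provider == 'gcp' && inputs.gcp-project-id
  #       run: |
  #         gcloud config set project ${{ inputs.gcp-project-id }}
  #     - name: Smurf Terraform
  #       uses: clouddrove/[email protected]
  #       with:
  #         tool: ${{ inputs.tool }}
  #         command: ${{ inputs.command }}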