malware.yml
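# GitHub Actions workflow: build the repository's Docker image on every push
# and scan it with the Deepfence malware scanner (community edition).
name: malware-scanner

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - "*"

# Least privilege for the job's GITHUB_TOKEN: checkout only needs read access,
# and the image is built but never pushed.
permissions:
  contents: read

jobs:
  malware-scanner:
    runs-on: ubuntu-latest
    env:
      GROUP: demo
      # COMMIT mirrors github.sha; the steps below reference github.sha directly.
      COMMIT: ${{ github.sha }}
      REPO: infra-mon
      # Console URL and API key come from repository secrets; never inline them.
      DEEPFENCE_CONSOLE_URL: ${{ secrets.DEEPFENCE_URL }}
      DEEPFENCE_KEY: ${{ secrets.DEEPFENCE_KEY }}
    steps:
      # Third-party actions are referenced by major tag; pinning each to a full
      # commit SHA would protect the workflow against a re-pointed tag.
      - uses: actions/checkout@v4

      # Build docker image for services (not pushed; it is scanned locally below)
      - name: Build docker image
        uses: docker/build-push-action@v4
        with:
          context: .
          push: false
          tags: ${{ env.GROUP }}/${{ env.REPO }}:${{ github.sha }}

      # Run Deepfence Malware Scanner to check for malware in the image
      - name: Run Deepfence Malware Scanner
        env:
          DEEPFENCE_CONSOLE_URL: ${{ env.DEEPFENCE_CONSOLE_URL }}
          DEEPFENCE_KEY: ${{ env.DEEPFENCE_KEY }}
          FULL_IMAGE_NAME: ${{ env.GROUP }}/${{ env.REPO }}:${{ github.sha }}
          # Thresholds: the build fails when the number of findings in a class is
          # >= the value. Set a threshold to -1 to pass regardless of that class.
          FAIL_MALWARE_COUNT: 100  # total findings
          FAIL_HIGH_MALWARE_COUNT: 10  # high-severity findings
          FAIL_MEDIUM_MALWARE_COUNT: 20  # medium-severity findings
          FAIL_LOW_MALWARE_COUNT: 50  # low-severity findings
        run: |
          # Scanner image is pinned by tag only; pinning by digest would give a
          # reproducible, tamper-evident reference.
          docker pull deepfenceio/deepfence_malware_scanner_ce:2.1.1
          # The scanner inspects the freshly built image through the host Docker
          # socket. --privileged plus the socket mount grant the container
          # host-level access; confirm with the vendor whether --privileged is
          # actually required, and drop it if not.
          # Every flag is kept whole on its own continuation line: the original
          # split "-fail-on-low-count" across a "-\" line break, which an
          # indented continuation turns into a stray "-" argument.
          docker run -i --rm --net=host --privileged=true \
            --cpus=0.3 \
            -v /var/run/docker.sock:/var/run/docker.sock:rw \
            deepfenceio/deepfence_malware_scanner_ce:2.1.1 \
            -image-name "$FULL_IMAGE_NAME" \
            -console-url "$DEEPFENCE_CONSOLE_URL" \
            -deepfence-key "$DEEPFENCE_KEY" \
            -fail-on-count="$FAIL_MALWARE_COUNT" \
            -fail-on-high-count="$FAIL_HIGH_MALWARE_COUNT" \
            -fail-on-medium-count="$FAIL_MEDIUM_MALWARE_COUNT" \
            -fail-on-low-count="$FAIL_LOW_MALWARE_COUNT"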