From 04230b019625364f40700003b474519260f1ef97 Mon Sep 17 00:00:00 2001
From: stevensrtw <50691414+stevensrtw@users.noreply.github.com>
Date: Wed, 11 Sep 2024 08:12:46 -0400
Subject: [PATCH 01/13] Update .gitignore

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 751553b3a..21b885a10 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.bak
+.github

From db68f77f6e40a79e51b0543c9b049f57f5e6eb42 Mon Sep 17 00:00:00 2001
From: stevensrtw <50691414+stevensrtw@users.noreply.github.com>
Date: Wed, 11 Sep 2024 08:33:00 -0400
Subject: [PATCH 02/13] Delete .github directory

---
 .github/ISSUE_TEMPLATE/bug_report.md | 33 ---------------
 .github/ISSUE_TEMPLATE/feature_request.md | 23 -----------
 .github/pull_request_template.md | 12 ------
 .github/workflows/ci.yml | 49 -----------------------
 4 files changed, 117 deletions(-)
 delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md
 delete mode 100644 .github/ISSUE_TEMPLATE/feature_request.md
 delete mode 100644 .github/pull_request_template.md
 delete mode 100644 .github/workflows/ci.yml

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
deleted file mode 100644
index 6c7471a38..000000000
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: ""
-labels: ""
-assignees: ""
----
-
-### Describe the bug
-
-A clear and concise description of what the bug is.
-
-### To reproduce
-
-Steps to reproduce the behavior:
-
-1. Deploy the NGINX Docker image using ...
-2. View output/logs/configuration on ...
-3. See error
-
-### Expected behavior
-
-A clear and concise description of what you expected to happen.
-
-### Your environment
-
-- Version/release of Docker and method of installation (e.g. Docker Desktop / Docker Server)
-- Version/tag of the NGINX Docker image (e.g. `nginx:alpine`)
-- Target deployment platform (e.g. OpenShift / Kubernetes / Docker Compose / etc...)
-
-### Additional context
-
-Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
deleted file mode 100644
index e2242abbe..000000000
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ /dev/null
@@ -1,23 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ""
-labels: ""
-assignees: ""
----
-
-### Is your feature request related to a problem? Please describe
-
-A clear and concise description of what the problem is. Ex. I'm always frustrated when ...
-
-### Describe the solution you'd like
-
-A clear and concise description of what you want to happen.
-
-### Describe alternatives you've considered
-
-A clear and concise description of any alternative solutions or features you've considered.
-
-### Additional context
-
-Add any other context or screenshots about the feature request here.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
deleted file mode 100644
index e869fe513..000000000
--- a/.github/pull_request_template.md
+++ /dev/null
@@ -1,12 +0,0 @@
-### Proposed changes
-
-Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue using one of the [supported keywords](https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue) here in this description (not in the title of the PR).
-
-### Checklist
-
-Before creating a PR, run through this checklist and mark each as complete:
-- [ ] I have read the [`CONTRIBUTING`](https://github.com/nginxinc/docker-nginx/blob/master/CONTRIBUTING.md) document
-- [ ] I have run `./update.sh` and ensured all entrypoint/Dockerfile template changes have been applied to the relevant image entrypoint scripts & Dockerfiles
-- [ ] If applicable, I have added tests that prove my fix is effective or that my feature works
-- [ ] If applicable, I have checked that any relevant tests pass after adding my changes
-- [ ] I have updated any relevant documentation
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
deleted file mode 100644
index 30eccf55b..000000000
--- a/.github/workflows/ci.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-name: GitHub CI
-
-on:
- pull_request:
- push:
- schedule:
- - cron: 0 10 * * Mon
-
-defaults:
- run:
- shell: 'bash -Eeuo pipefail -x {0}'
-
-jobs:
-
- generate-jobs:
- name: Generate Jobs
- runs-on: ubuntu-latest
- outputs:
- strategy: ${{ steps.generate-jobs.outputs.strategy }}
- steps:
- - uses: actions/checkout@v3
- - uses: docker-library/bashbrew@v0.1.8
- - id: generate-jobs
- name: Generate Jobs
- run: |
- strategy="$(GITHUB_REPOSITORY=nginx "$BASHBREW_SCRIPTS/github-actions/generate.sh")"
- strategy="$(GITHUB_REPOSITORY=nginx "$BASHBREW_SCRIPTS/github-actions/munge-i386.sh" -c <<<"$strategy")"
- echo "strategy=$strategy" >> "$GITHUB_OUTPUT"
- jq . <<<"$strategy" # sanity check / debugging aid
-
- test:
- needs: generate-jobs
- strategy: ${{ fromJson(needs.generate-jobs.outputs.strategy) }}
- name: ${{ matrix.name }}
- runs-on: ${{ matrix.os }}
- steps:
- - uses: actions/checkout@v3
- - name: Prepare Environment
- run: ${{ matrix.runs.prepare }}
- - name: Pull Dependencies
- run: ${{ matrix.runs.pull }}
- - name: Build ${{ matrix.name }}
- run: ${{ matrix.runs.build }}
- - name: History ${{ matrix.name }}
- run: ${{ matrix.runs.history }}
- - name: Test ${{ matrix.name }}
- run: ${{ matrix.runs.test }}
- - name: '"docker images"'
- run: ${{ matrix.runs.images }}

From f335f9ff94c3770a85e8f032317cfd8ce270ff84 Mon Sep 17 00:00:00 2001
From: stevensrtw <50691414+stevensrtw@users.noreply.github.com>
Date: Mon, 16 Sep 2024 08:35:03 -0400
Subject: [PATCH 03/13] Update Dockerfile

---
 stable/alpine-slim/Dockerfile | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/stable/alpine-slim/Dockerfile b/stable/alpine-slim/Dockerfile
index d1d3d8a65..c6e2bd1c5 100644
--- a/stable/alpine-slim/Dockerfile
+++ b/stable/alpine-slim/Dockerfile
@@ -3,7 +3,11 @@
 #
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
-FROM alpine:3.20
+
+ARG BASE_REGISTRY=201959883603.dkr.ecr.us-east-2.amazonaws.com
+ARG BASE_IMAGE=mdaca/base-images/ironbank-alpine
+ARG BASE_TAG=3.20.2
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 
 LABEL maintainer="NGINX Docker Maintainers "
 
@@ -107,17 +111,21 @@ RUN set -x \
 && ln -sf /dev/stdout /var/log/nginx/access.log \
 && ln -sf /dev/stderr /var/log/nginx/error.log \
 # create a docker-entrypoint.d directory
- && mkdir /docker-entrypoint.d
+ && mkdir /docker-entrypoint.d \
+ && chown -R nginx:nginx /var/cache/nginx /etc/nginx /usr/share/nginx /run /var/log/nginx || true
+
+COPY --chown=nginx:nginx docker-entrypoint.sh /
+COPY --chown=nginx:nginx 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d
+COPY --chown=nginx:nginx 15-local-resolvers.envsh /docker-entrypoint.d
+COPY --chown=nginx:nginx 20-envsubst-on-templates.sh /docker-entrypoint.d
+COPY --chown=nginx:nginx 30-tune-worker-processes.sh /docker-entrypoint.d
+
+USER nginx
 
-COPY docker-entrypoint.sh /
-COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d
-COPY 15-local-resolvers.envsh /docker-entrypoint.d
-COPY 20-envsubst-on-templates.sh /docker-entrypoint.d
-COPY 30-tune-worker-processes.sh /docker-entrypoint.d
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
 EXPOSE 80
-
+EXPOSE 8080
 STOPSIGNAL SIGQUIT
 
 CMD ["nginx", "-g", "daemon off;"]

From c83ad6bd87ebfa5bb0fff182fe5b39b60d239ae3 Mon Sep 17 00:00:00 2001
From: stevensrtw <50691414+stevensrtw@users.noreply.github.com>
Date: Mon, 16 Sep 2024 08:42:37 -0400
Subject: [PATCH 04/13] Create main.yml

---
 .github/workflows/main.yml | 112 +++++++++++++++++++++++++++++++++++++
 1 file changed, 112 insertions(+)
 create mode 100644 .github/workflows/main.yml

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 000000000..060e612f8
--- /dev/null
+++ b/.github/workflows/main.yml
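Review bot: The replacement base image is pinned only by a mutable tag (`ARG BASE_TAG=3.20.2`), so what `FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}` resolves to changes silently whenever that tag is re-pushed to the private registry, which undercuts the point of moving to a hardened base. Pin the digest alongside the tag, e.g. `ARG BASE_DIGEST=sha256:<digest-placeholder>` and `FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}@${BASE_DIGEST}`, and update the digest wherever the tag is bumped. The header three context lines above ("PLEASE DO NOT EDIT IT DIRECTLY") says this file is generated; unless the template is changed as well, the ARG/FROM edit is lost on the next regeneration.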
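Review bot: The `|| true` on the new `&& chown -R nginx:nginx /var/cache/nginx /etc/nginx /usr/share/nginx /run /var/log/nginx || true` line turns any chown failure into a successful build, so the image can ship root-owned directories that the `USER nginx` process then cannot write at start-up; drop the `|| true` so the build fails where the problem is. Giving the runtime user ownership of all of `/etc/nginx` also lets a compromised worker rewrite its own server configuration — the copied entrypoint scripts presumably need to write under `/etc/nginx` (confirm which paths they touch), so limit the grant to those paths and keep the rest root-owned and read-only. `EXPOSE 8080` is metadata only: nothing in this hunk changes the port the shipped configuration listens on, and an unprivileged `USER nginx` cannot bind port 80 without `CAP_NET_BIND_SERVICE`, so the `listen` directive has to move to 8080 for the container to start — confirm against the default server config, which is not in this patch. The `RUN set -x \` these lines belong to starts before the hunk.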
@@ -0,0 +1,112 @@
+name: Build and Push Docker Image to ECR
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Debug Variable Values
+ run: |
+ echo "IMAGE_TAG=${{ secrets.IMAGE_TAG }}"
+ echo "REPOSITORY=${{ secrets.ECR_REPOSITORY }}"
+ echo "REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com"
+
+ - name: Build and Push Docker Image
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ IMAGE_TAG: 1.26.2_3.20.2
+ ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
+ run: |
+ # Set ENV for AW Cred
+ aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+ aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+ aws configure set default.region $AWS_REGION
+
+ # Get token from ECR and Docker login
+ aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
+ IMAGE_TAG=3.20.2_jdk17
+
+ # Set ENV for Docker build
+ ECR_REPOSITORY=mdaca/base-images/ironbank-alpine-nginx
+ REPOSITORY=$ECR_REPOSITORY
+ REGISTRY=201959883603.dkr.ecr.us-east-2.amazonaws.com
+
+ # Build the Docker image
+ docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
+
+ # Push the Docker image
+ docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
+
+ security:
+ runs-on: ubuntu-latest
+ needs: build
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+
+ - name: Download Docker Image from ECR
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ IMAGE_TAG: 1.26.2_3.20.2
+ ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
+ run: |
+ # Set ENV for AW Cred
+ aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+ aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+ aws configure set default.region $AWS_REGION
+
+ # Get token from ECR and Docker login
+ aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
+
+ # Download docker image for scanning purposes
+ docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
+ docker images
+ - name: Install Trivy
+ run: |
+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
+
+ - name: Scan Docker Image with Trivy
+ env:
+ AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ IMAGE_TAG: 1.26.2_3.20.2
+ ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
+ run: |
+ trivy image --exit-code 1 --severity HIGH,CRITICAL $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
+
+ - name: Install Syft
+ run: |
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
+
+ - name: Generate SBOM with Syft
+ env:
+ AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ IMAGE_TAG: 1.26.2_3.20.2
+ ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
+ run: |
+ syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
+ syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > sbom.tf
+
+ - name: Upload SBOM
+ uses: actions/upload-artifact@v4
+ with:
+ name: sbom
+ path: sbom.tf

From dbff4f2b52dd8e8977540e33589b9754b5971d8d Mon Sep 17 00:00:00 2001
From: stevensrtw <50691414+stevensrtw@users.noreply.github.com>
Date: Mon, 16 Sep 2024 08:44:30 -0400
Subject: [PATCH 05/13] Update .gitignore

---
 .gitignore | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 21b885a10..751553b3a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
 *.bak
-.github

From 194c3c85d4eb92b39c54796e367dfb7b44491ff9 Mon Sep 17 00:00:00 2001
From: stevensrtw <50691414+stevensrtw@users.noreply.github.com>
Date: Mon, 16 Sep 2024 08:45:34 -0400
Subject: [PATCH 06/13] Create docker-image.yml

---
 .github/workflows/docker-image.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .github/workflows/docker-image.yml

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
new file mode 100644
index 000000000..793d8e0e3
--- /dev/null
+++ b/.github/workflows/docker-image.yml
@@ -0,0 +1,18 @@
+name: Docker Image CI
+
+on:
+ push:
+ branches: [ "master" ]
+ pull_request:
+ branches: [ "master" ]
+
+jobs:
+
+ build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Build the Docker image
+ run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)

From d8dcb22a915f324ea6bc6db1c4c1f8c33f9494d3 Mon Sep 17 00:00:00 2001
From: stevensrtw <50691414+stevensrtw@users.noreply.github.com>
Date: Mon, 16 Sep 2024 08:46:49 -0400
Subject: [PATCH 07/13] Update docker-image.yml

---
 .github/workflows/docker-image.yml | 110 ++++++++++++++++++++++++++---
 1 file changed, 102 insertions(+), 8 deletions(-)
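Review bot: The build step pushes a different tag from the one the security job scans: `env.IMAGE_TAG` is `1.26.2_3.20.2`, but the shell reassigns `IMAGE_TAG=3.20.2_jdk17` right after the ECR login and builds and pushes `$REGISTRY/$REPOSITORY:$IMAGE_TAG` with that value, while the security job pulls and runs Trivy against `:1.26.2_3.20.2`, so the `--exit-code 1` gate never looks at the image this run produced; delete the `IMAGE_TAG=3.20.2_jdk17` line and the hard-coded `REGISTRY=201959883603.dkr.ecr.us-east-2.amazonaws.com` (the registry the step actually logged in to is `${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com`, and if the two differ the push goes to a registry the job never authenticated to). Even with matching tags the push happens before the scan, so a failed scan leaves the vulnerable tag in ECR — scan the local image between `docker build` and `docker push`. The "Debug Variable Values" step prints `${{ secrets.IMAGE_TAG }}` and `${{ secrets.ECR_REPOSITORY }}` into the job log and expands `$AWS_ACCOUNT_ID` without having set it; secret values should not be echoed even though GitHub masks exact matches. Both scanners are installed with `curl … | sudo sh` from the unpinned `main` branch of their repositories, so pin a release so the toolchain is reproducible. The same override, debug step and install pattern recur unchanged in the docker-image.yml hunks of PATCH 07 and PATCH 09.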
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 793d8e0e3..060e612f8 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -1,18 +1,112 @@
-name: Docker Image CI
+name: Build and Push Docker Image to ECR
 
 on:
 push:
- branches: [ "master" ]
- pull_request:
- branches: [ "master" ]
+ branches:
+ - main
 
 jobs:
-
 build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Debug Variable Values
+ run: |
+ echo "IMAGE_TAG=${{ secrets.IMAGE_TAG }}"
+ echo "REPOSITORY=${{ secrets.ECR_REPOSITORY }}"
+ echo "REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com"
+
+ - name: Build and Push Docker Image
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ IMAGE_TAG: 1.26.2_3.20.2
+ ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
+ run: |
+ # Set ENV for AW Cred
+ aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+ aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+ aws configure set default.region $AWS_REGION
+
+ # Get token from ECR and Docker login
+ aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
+ IMAGE_TAG=3.20.2_jdk17
+
+ # Set ENV for Docker build
+ ECR_REPOSITORY=mdaca/base-images/ironbank-alpine-nginx
+ REPOSITORY=$ECR_REPOSITORY
+ REGISTRY=201959883603.dkr.ecr.us-east-2.amazonaws.com
 
+ # Build the Docker image
+ docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
+
+ # Push the Docker image
+ docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
+
+ security:
 runs-on: ubuntu-latest
+ needs: build
 
 steps:
- - uses: actions/checkout@v4
- - name: Build the Docker image
- run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+
+ - name: Download Docker Image from ECR
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ IMAGE_TAG: 1.26.2_3.20.2
+ ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
+ run: |
+ # Set ENV for AW Cred
+ aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+ aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+ aws configure set default.region $AWS_REGION
+
+ # Get token from ECR and Docker login
+ aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
+
+ # Download docker image for scanning purposes
+ docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
+ docker images
+ - name: Install Trivy
+ run: |
+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
+
+ - name: Scan Docker Image with Trivy
+ env:
+ AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ IMAGE_TAG: 1.26.2_3.20.2
+ ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
+ run: |
+ trivy image --exit-code 1 --severity HIGH,CRITICAL $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
+
+ - name: Install Syft
+ run: |
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
+
+ - name: Generate SBOM with Syft
+ env:
+ AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ IMAGE_TAG: 1.26.2_3.20.2
+ ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
+ run: |
+ syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
+ syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > sbom.tf
+
+ - name: Upload SBOM
+ uses: actions/upload-artifact@v4
+ with:
+ name: sbom
+ path: sbom.tf

From aa78af912018d587f5f59ea1322e39826b8df467 Mon Sep 17 00:00:00 2001
From: stevensrtw <50691414+stevensrtw@users.noreply.github.com>
Date: Mon, 16 Sep 2024 08:52:54 -0400
Subject: [PATCH 08/13] Delete .github/workflows directory

---
 .github/workflows/docker-image.yml | 112 ----------------------------
 .github/workflows/main.yml | 112 ----------------------------
 2 files changed, 224 deletions(-)
 delete mode 100644 .github/workflows/docker-image.yml
 delete mode 100644 .github/workflows/main.yml

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
deleted file mode 100644
index 060e612f8..000000000
--- a/.github/workflows/docker-image.yml
+++ /dev/null
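Review bot: Two workflows now race on every push to `main`: after this hunk docker-image.yml is identical to the main.yml created in PATCH 04 (both resolve to blob `060e612f8`), so the same image is built, pushed to the same `$REGISTRY/$REPOSITORY:$IMAGE_TAG` and scanned twice in parallel, and whichever push lands last wins. Keep one file and delete the other rather than carrying two copies (PATCH 08 later removes both). Every point raised on the main.yml hunk applies here unchanged, and dropping the `pull_request:` trigger means the image build is no longer exercised on pull requests at all.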
@@ -1,112 +0,0 @@
-name: Build and Push Docker Image to ECR
-
-on:
- push:
- branches:
- - main
-
-jobs:
- build:
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
-
- - name: Debug Variable Values
- run: |
- echo "IMAGE_TAG=${{ secrets.IMAGE_TAG }}"
- echo "REPOSITORY=${{ secrets.ECR_REPOSITORY }}"
- echo "REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com"
-
- - name: Build and Push Docker Image
- env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- AWS_REGION: ${{ secrets.AWS_REGION }}
- IMAGE_TAG: 1.26.2_3.20.2
- ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
- run: |
- # Set ENV for AW Cred
- aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
- aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
- aws configure set default.region $AWS_REGION
-
- # Get token from ECR and Docker login
- aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
- IMAGE_TAG=3.20.2_jdk17
-
- # Set ENV for Docker build
- ECR_REPOSITORY=mdaca/base-images/ironbank-alpine-nginx
- REPOSITORY=$ECR_REPOSITORY
- REGISTRY=201959883603.dkr.ecr.us-east-2.amazonaws.com
-
- # Build the Docker image
- docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
-
- # Push the Docker image
- docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
-
- security:
- runs-on: ubuntu-latest
- needs: build
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
-
- - name: Download Docker Image from ECR
- env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- AWS_REGION: ${{ secrets.AWS_REGION }}
- IMAGE_TAG: 1.26.2_3.20.2
- ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
- run: |
- # Set ENV for AW Cred
- aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
- aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
- aws configure set default.region $AWS_REGION
-
- # Get token from ECR and Docker login
- aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
-
- # Download docker image for scanning purposes
- docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
- docker images
- - name: Install Trivy
- run: |
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
-
- - name: Scan Docker Image with Trivy
- env:
- AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
- AWS_REGION: ${{ secrets.AWS_REGION }}
- IMAGE_TAG: 1.26.2_3.20.2
- ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
- run: |
- trivy image --exit-code 1 --severity HIGH,CRITICAL $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
-
- - name: Install Syft
- run: |
- curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
-
- - name: Generate SBOM with Syft
- env:
- AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
- AWS_REGION: ${{ secrets.AWS_REGION }}
- IMAGE_TAG: 1.26.2_3.20.2
- ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
- run: |
- syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
- syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > sbom.tf
-
- - name: Upload SBOM
- uses: actions/upload-artifact@v4
- with:
- name: sbom
- path: sbom.tf
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
deleted file mode 100644
index 060e612f8..000000000
--- a/.github/workflows/main.yml
+++ /dev/null
@@ -1,112 +0,0 @@
-name: Build and Push Docker Image to ECR
-
-on:
- push:
- branches:
- - main
-
-jobs:
- build:
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
-
- - name: Debug Variable Values
- run: |
- echo "IMAGE_TAG=${{ secrets.IMAGE_TAG }}"
- echo "REPOSITORY=${{ secrets.ECR_REPOSITORY }}"
- echo "REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com"
-
- - name: Build and Push Docker Image
- env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- AWS_REGION: ${{ secrets.AWS_REGION }}
- IMAGE_TAG: 1.26.2_3.20.2
- ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
- run: |
- # Set ENV for AW Cred
- aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
- aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
- aws configure set default.region $AWS_REGION
-
- # Get token from ECR and Docker login
- aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
- IMAGE_TAG=3.20.2_jdk17
-
- # Set ENV for Docker build
- ECR_REPOSITORY=mdaca/base-images/ironbank-alpine-nginx
- REPOSITORY=$ECR_REPOSITORY
- REGISTRY=201959883603.dkr.ecr.us-east-2.amazonaws.com
-
- # Build the Docker image
- docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
-
- # Push the Docker image
- docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
-
- security:
- runs-on: ubuntu-latest
- needs: build
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
-
- - name: Download Docker Image from ECR
- env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- AWS_REGION: ${{ secrets.AWS_REGION }}
- IMAGE_TAG: 1.26.2_3.20.2
- ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
- run: |
- # Set ENV for AW Cred
- aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
- aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
- aws configure set default.region $AWS_REGION
-
- # Get token from ECR and Docker login
- aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
-
- # Download docker image for scanning purposes
- docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
- docker images
- - name: Install Trivy
- run: |
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
-
- - name: Scan Docker Image with Trivy
- env:
- AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
- AWS_REGION: ${{ secrets.AWS_REGION }}
- IMAGE_TAG: 1.26.2_3.20.2
- ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
- run: |
- trivy image --exit-code 1 --severity HIGH,CRITICAL $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
-
- - name: Install Syft
- run: |
- curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
-
- - name: Generate SBOM with Syft
- env:
- AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
- AWS_REGION: ${{ secrets.AWS_REGION }}
- IMAGE_TAG: 1.26.2_3.20.2
- ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
- run: |
- syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
- syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > sbom.tf
-
- - name: Upload SBOM
- uses: actions/upload-artifact@v4
- with:
- name: sbom
- path: sbom.tf

From a6f694c610c7fe7f69733a952e423745f05bde3a Mon Sep 17 00:00:00 2001
From: stevensrtw <50691414+stevensrtw@users.noreply.github.com>
Date: Mon, 16 Sep 2024 08:53:07 -0400
Subject: [PATCH 09/13] Create docker-image.yml

---
 .github/workflows/docker-image.yml | 47 ++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 .github/workflows/docker-image.yml

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
new file mode 100644
index 000000000..a8624e968
--- /dev/null
+++ b/.github/workflows/docker-image.yml
@@ -0,0 +1,47 @@
+name: Build Nginx slim on Alpine
+
+on:
+ push:
+ branches: [ "master" ]
+
+jobs:
+
+ build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Debug Variable Values
+ run: |
+ echo "IMAGE_TAG=${{ secrets.IMAGE_TAG }}"
+ echo "REPOSITORY=${{ secrets.ECR_REPOSITORY }}"
+ echo "REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com"
+
+ - name: Build and Push Docker Image
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ IMAGE_TAG: 1.26.2_3.20.2
+ ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
+ run: |
+ # Set ENV for AW Cred
+ aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+ aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+ aws configure set default.region $AWS_REGION
+
+ # Get token from ECR and Docker login
+ aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
+ IMAGE_TAG=3.20.2_jdk17
+
+ # Set ENV for Docker build
+ ECR_REPOSITORY=mdaca/base-images/ironbank-alpine-nginx
+ REPOSITORY=$ECR_REPOSITORY
+ REGISTRY=201959883603.dkr.ecr.us-east-2.amazonaws.com
+
+ # Build the Docker image
+ docker build -f stable/alpine-slim/Dockerfile -t $REGISTRY/$REPOSITORY:$IMAGE_TAG stable/alpine-slim
+
+ # Push the Docker image
+ docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG

From 20a9ffe38c1d8f6c861129ef26e9c8d0b61fb5be Mon Sep 17 00:00:00 2001
From: stevensrtw <50691414+stevensrtw@users.noreply.github.com>
Date: Mon, 16 Sep 2024 08:54:05 -0400
Subject: [PATCH 10/13] Update docker-image.yml

---
 .github/workflows/docker-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index a8624e968..8301e8222 100644
--- a/.github/workflows/docker-image.yml
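Review bot: The trigger filter is `branches: [ "master" ]`, while the workflows introduced in PATCH 04 and PATCH 07 used `main`; only one of the two names can be the repository's default branch, so whichever set is wrong silently never runs — confirm the branch name and keep it consistent across the workflow files. This revision pushes the image with no scan job at all (the Trivy/Syft job only reappears in PATCH 13), and the `IMAGE_TAG=3.20.2_jdk17` shell override, the hard-coded `REGISTRY=201959883603.dkr.ecr.us-east-2.amazonaws.com` and the secret-echoing debug step are carried over from main.yml unchanged (see the note on the PATCH 04 hunk). The Debug step reads `$AWS_ACCOUNT_ID`, which no `env:` in this file sets, so that echo line prints an empty account id.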
+++ b/.github/workflows/docker-image.yml
@@ -18,7 +18,7 @@ jobs:
 echo "REPOSITORY=${{ secrets.ECR_REPOSITORY }}"
 echo "REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com"
 
- - name: Build and Push Docker Image
+ - name: Build and Push Docker Image
 env:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

From c5e33dd007d10a8ea6209c9cccf4c4083e9994cb Mon Sep 17 00:00:00 2001
From: stevensrtw <50691414+stevensrtw@users.noreply.github.com>
Date: Mon, 16 Sep 2024 08:55:19 -0400
Subject: [PATCH 11/13] Update docker-image.yml

---
 .github/workflows/docker-image.yml | 58 ++++++++++++++----------------
 1 file changed, 26 insertions(+), 32 deletions(-)

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 8301e8222..84a294864 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -1,47 +1,41 @@
-name: Build Nginx slim on Alpine
+name: Build Nginx Slim on Alpine
 
 on:
 push:
 branches: [ "master" ]
 
 jobs:
-
 build:
-
 runs-on: ubuntu-latest
 
 steps:
 - uses: actions/checkout@v4
+
 - name: Debug Variable Values
- run: |
- echo "IMAGE_TAG=${{ secrets.IMAGE_TAG }}"
- echo "REPOSITORY=${{ secrets.ECR_REPOSITORY }}"
- echo "REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com"
+ run: |
+ echo "IMAGE_TAG=${{ secrets.IMAGE_TAG }}"
+ echo "REPOSITORY=${{ secrets.ECR_REPOSITORY }}"
+ echo "REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com"
 
 - name: Build and Push Docker Image
- env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- AWS_REGION: ${{ secrets.AWS_REGION }}
- IMAGE_TAG: 1.26.2_3.20.2
- ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
- run: |
- # Set ENV for AW Cred
- aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
- aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
- aws configure set default.region $AWS_REGION
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+ IMAGE_TAG: "1.26.2_3.20.2"
+ ECR_REPOSITORY: "mdaca/base-images/ironbank-alpine-nginx"
+ run: |
+ # Configure AWS credentials
+ aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+ aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+ aws configure set default.region $AWS_REGION
 
- # Get token from ECR and Docker login
- aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
- IMAGE_TAG=3.20.2_jdk17
-
- # Set ENV for Docker build
- ECR_REPOSITORY=mdaca/base-images/ironbank-alpine-nginx
- REPOSITORY=$ECR_REPOSITORY
- REGISTRY=201959883603.dkr.ecr.us-east-2.amazonaws.com
-
- # Build the Docker image
- docker build -f stable/alpine-slim/Dockerfile -t $REGISTRY/$REPOSITORY:$IMAGE_TAG stable/alpine-slim
-
- # Push the Docker image
- docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
+ # Log in to ECR
+ aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
+
+ # Build Docker image
+ docker build -f stable/alpine-slim/Dockerfile -t $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG .
+
+ # Push Docker image to ECR
+ docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG

From 41b2c920caadf3951dda7bdcac66469213127ac5 Mon Sep 17 00:00:00 2001
From: stevensrtw <50691414+stevensrtw@users.noreply.github.com>
Date: Mon, 16 Sep 2024 09:02:21 -0400
Subject: [PATCH 12/13] Update Dockerfile

---
 stable/alpine-slim/Dockerfile | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/stable/alpine-slim/Dockerfile b/stable/alpine-slim/Dockerfile
index c6e2bd1c5..081d2a365 100644
--- a/stable/alpine-slim/Dockerfile
+++ b/stable/alpine-slim/Dockerfile
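Review bot: The rewritten build step still authenticates with long-lived static keys (`AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` from repository secrets) and persists them on the runner with three `aws configure set` calls, and the workflow declares no `permissions:` block, so the job also runs with the repository's default `GITHUB_TOKEN` scope. Prefer GitHub's OIDC federation: grant `id-token: write` and `contents: read`, assume a role with `aws-actions/configure-aws-credentials`, and drop the `aws configure set` lines — `aws ecr get-login-password` then works with short-lived credentials that never touch disk or a stored secret. Two smaller points in the same hunk: the "Debug Variable Values" step expands `$AWS_ACCOUNT_ID` but only the build step sets it in `env:`, and the image is still pushed without any scan in this revision. The enclosing `build` job header is inside the hunk, but the file's top-level keys are all it contains.
```yaml
permissions:
  id-token: write
  contents: read

# … unchanged: on/jobs/steps header, checkout, debug step …
      - name: Configure AWS credentials (OIDC, no stored keys)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>  # placeholder
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Build and Push Docker Image
        env:
          AWS_REGION: ${{ secrets.AWS_REGION }}
          AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
          IMAGE_TAG: "1.26.2_3.20.2"
          ECR_REPOSITORY: "mdaca/base-images/ironbank-alpine-nginx"
        run: |
          # Log in to ECR; credentials come from the OIDC step, nothing written to ~/.aws
          aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
          # … unchanged: build and push …
```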
@@ -114,11 +114,11 @@ RUN set -x \ && mkdir /docker-entrypoint.d \ && chown -R nginx:nginx /var/cache/nginx /etc/nginx /usr/share/nginx /run /var/log/nginx || true -COPY --chown=nginx:nginx docker-entrypoint.sh / -COPY --chown=nginx:nginx 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d -COPY --chown=nginx:nginx 15-local-resolvers.envsh /docker-entrypoint.d -COPY --chown=nginx:nginx 20-envsubst-on-templates.sh /docker-entrypoint.d -COPY --chown=nginx:nginx 30-tune-worker-processes.sh /docker-entrypoint.d +COPY --chown=nginx:nginx stable/alpine-slim/docker-entrypoint.sh / +COPY --chown=nginx:nginx stable/alpine-slim/10-listen-on-ipv6-by-default.sh /docker-entrypoint.d +COPY --chown=nginx:nginx stable/alpine-slim/15-local-resolvers.envsh /docker-entrypoint.d +COPY --chown=nginx:nginx stable/alpine-slim/20-envsubst-on-templates.sh /docker-entrypoint.d +COPY --chown=nginx:nginx stable/alpine-slim/30-tune-worker-processes.sh /docker-entrypoint.d USER nginx From 912c6c69c68442be97eec1bc6806f545db29fd4c Mon Sep 17 00:00:00 2001 From: stevensrtw <50691414+stevensrtw@users.noreply.github.com> Date: Mon, 16 Sep 2024 09:08:33 -0400 Subject: [PATCH 13/13] Update docker-image.yml --- .github/workflows/docker-image.yml | 61 ++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 84a294864..e6fbece78 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml 
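Review bot: The new `COPY --chown=nginx:nginx stable/alpine-slim/...` sources hard-wire the build context to the repository root, which the Dockerfile does not state anywhere and which silently breaks the previous `docker build ... stable/alpine-slim` invocation (COPY would then look for `stable/alpine-slim/stable/alpine-slim/...` and fail). A one-line comment above the COPY block would save the next maintainer a failed build: `# Build context is the repository root: docker build -f stable/alpine-slim/Dockerfile .`. The `RUN set -x` block that precedes the COPY lines starts outside the hunk.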
@@ -39,3 +39,64 @@ jobs: # Push Docker image to ECR docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG + + security: + runs-on: ubuntu-latest + needs: build + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + + - name: Download Docker Image from ECR + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_REGION: ${{ secrets.AWS_REGION }} + IMAGE_TAG: 1.26.2_3.20.2 + ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx + run: | + # Set ENV for AW Cred + aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID + aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY + aws configure set default.region $AWS_REGION + + # Get token from ECR and Docker login + aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com + + # Download docker image for scanning purposes + docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG + docker images + - name: Install Trivy + run: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin + + - name: Scan Docker Image with Trivy + env: + AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} + AWS_REGION: ${{ secrets.AWS_REGION }} + IMAGE_TAG: 1.26.2_3.20.2 + ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx + run: | + trivy image --exit-code 1 --severity HIGH,CRITICAL $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG + + - name: Install Syft + run: | + curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin + + - name: Generate SBOM with Syft + env: + AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} + AWS_REGION: ${{ secrets.AWS_REGION }} + IMAGE_TAG: 1.26.2_3.20.2 + ECR_REPOSITORY: 
mdaca/base-images/ironbank-alpine-nginx + run: | + syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG + syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > alpine-nginx-sbom.tf + + - name: Upload SBOM + uses: actions/upload-artifact@v4 + with: + name: sbom + path: alpine-nginx-sbom.tf
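Review bot: The `security` job runs with `needs: build`, i.e. only after the build job has already pushed the image to ECR, so `trivy image --exit-code 1 --severity HIGH,CRITICAL` can fail the workflow but cannot stop a HIGH/CRITICAL image from being published; the scan and SBOM should run against the locally built image before the `docker push` line in the build job, or the push should move into a job that `needs: security`. The Trivy and Syft installers are `curl ... | sudo sh` from the `main` branch of each upstream repository with no version pin or checksum, which puts unreviewed upstream changes straight onto a runner that holds the ECR credentials; pin to a released version (or use `aquasecurity/trivy-action` / `anchore/sbom-action` at a tagged SHA) and likewise align `actions/checkout@v3` with the `@v4` the build job uses. The SBOM step runs Syft twice in its default table format and saves the second run as `alpine-nginx-sbom.tf`, which is neither a machine-readable SBOM nor Terraform; a single `syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG -o spdx-json > alpine-nginx-sbom.spdx.json` (with the `path:` of the upload step updated to match) yields a consumable artifact. The `Download Docker Image from ECR` step also re-runs `aws configure set` to persist static keys on disk although the CLI reads them from `env:`, and it mixes inline `${{ secrets.AWS_ACCOUNT_ID }}` with the `$AWS_ACCOUNT_ID` env pattern of the later steps; a job-level `env:` would remove the four copies of `IMAGE_TAG`/`ECR_REPOSITORY` and make the steps consistent.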