DockSec/.github/workflows/python-app.yml at main · OWASP/DockSec · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
name: Python Application CI

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

permissions:
  contents: read

jobs:
  build-and-test:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v6

    - name: Set up Python
      uses: actions/setup-python@v6
      with:
        python-version: '3.12'

    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install -r requirements.txt

    - name: Build and install package
      run: |
        pip install build
        python -m build
        pip install -e .

    - name: Setup Hadolint
      run: |
        curl -sL -o hadolint https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64
        chmod +x hadolint
        sudo mv hadolint /usr/local/bin/

    - name: Setup Trivy
      run: |
        sudo apt-get update -qq
        sudo apt-get install -y wget apt-transport-https gnupg lsb-release
        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo gpg --dearmor -o /usr/share/keyrings/trivy.gpg
        echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
        sudo apt-get update -qq
        sudo apt-get install -y trivy

    - name: Run unit tests
      run: |
        pip install pytest
        pytest tests/ -v

    - name: Lint Dockerfiles with Hadolint
      run: |
        find . -name "Dockerfile*" -exec hadolint {} \;

    - name: Scan Dockerfiles with Trivy
      run: |
        find . -name "Dockerfile*" -exec trivy config {} \;

    - name: Verify CLI installs correctly
      run: |
        docksec --version
        docksec --help

    - name: Run scan-only mode (no AI required)
      run: |
        mkdir -p test_dir
        cat > test_dir/Dockerfile << 'EOF'
        FROM alpine:latest
        RUN apk add --no-cache curl
        WORKDIR /app
        COPY . .
        CMD ["sh"]
        EOF
        docker pull alpine:latest
        docksec test_dir/Dockerfile --scan-only -i alpine:latest
        rm -rf test_dir

    - name: Run image-only scan
      run: |
        docksec --image-only -i alpine:latest

    - name: Upload scan results
      uses: actions/upload-artifact@v7
      if: always()
      with:
        name: scan-results
        path: results/
        if-no-files-found: ignore