diff --git a/.drone.star b/.drone.star
deleted file mode 100644
index c17d654..0000000
--- a/.drone.star
+++ /dev/null
@@ -1,114 +0,0 @@ -def main(ctx): - archs = ["amd64" ] - flavours = [ "sqlite3", "mysql" ] - upstream_versions = [ "6.0", "7.0" ] - out = [] - for flavour in flavours: - for ver in upstream_versions: - for arch in archs: - out += pipeline(flavour, arch, ver) - out += manifest(flavour, ver, archs) - return out - -def pipeline(flavour, arch, ver): - out = [{ - "kind": "pipeline", - "type": "docker", - "name": "zabbix-proxy-%s-%s-%s" % (flavour, ver, arch), - "platform": { - "arch": arch, - "os": "linux", - }, - "steps": [{ - "name": "build_on_push", - "image": "plugins/docker:linux-%s" % (arch), - "settings": { - "context": "src", - "dockerfile": "src/Dockerfile-%s" % (ver), - "build_args": [ - "UPSTREAM_FLAVOUR=" + flavour, - "UPSTREAM_VERSION=" + ver - ], - "username": { - "from_secret": "docker_username", - }, - "password": { - "from_secret": "docker_password", - }, - "registry": "docker.asperti.com", - "repo": "docker.asperti.com/paspo/zabbix-proxy-%s-mssql" % (flavour), - "tags": [ - "%s-%s" % (ver, arch) - ], - "auto_tag": False, - "force_tag": True, - "daemon_off": False, - }, - }], - "trigger": { - "ref": [ - "refs/heads/master", - "refs/tags/**", - ], - } - }] - return out - -def manifest(flavour, ver, archs): - commands = [ - 'echo "image: docker.asperti.com/paspo/zabbix-proxy-%s-mssql:%s" >> manifest-%s.tmpl' % (flavour, ver, flavour), - 'echo "manifests:" >> manifest-%s.tmpl' % (flavour), - 'echo "- image: docker.asperti.com/paspo/zabbix-proxy-%s-mssql:%s-amd64" >> manifest-%s.tmpl' % (flavour, ver, flavour), - 'echo " platform:" >> manifest-%s.tmpl' % (flavour), - 'echo " architecture: amd64" >> manifest-%s.tmpl' % (flavour), - 'echo " os: linux" >> manifest-%s.tmpl' % (flavour), - 'echo "- image: docker.asperti.com/paspo/zabbix-proxy-%s-mssql:%s-arm64" >> manifest-%s.tmpl' % (flavour, ver, flavour), - 'echo " platform:" >> manifest-%s.tmpl' % (flavour), - 'echo " architecture: arm64" >> manifest-%s.tmpl' % (flavour), - 'echo " variant: v8" >> 
manifest-%s.tmpl' % (flavour), - 'echo " os: linux" >> manifest-%s.tmpl' % (flavour), - 'echo "- image: docker.asperti.com/paspo/zabbix-proxy-%s-mssql:%s-arm" >> manifest-%s.tmpl' % (flavour, ver, flavour), - 'echo " platform:" >> manifest-%s.tmpl' % (flavour), - 'echo " architecture: arm" >> manifest-%s.tmpl' % (flavour), - 'echo " variant: v7" >> manifest-%s.tmpl' % (flavour), - 'echo " os: linux" >> manifest-%s.tmpl' % (flavour), - ] - - return [{ - "kind": "pipeline", - "type": "docker", - "name": "manifest-%s-%s" % (flavour, ver), - "platform": { - "arch": archs[0], - "os": "linux", - }, - "steps": [{ - "name": "generate", - "image": "alpine", - "commands": commands, - },{ - "name": "manifest", - "image": "plugins/manifest", - "settings": { - "spec": "manifest-%s.tmpl" % (flavour), - "username": { - "from_secret": "docker_username", - }, - "password": { - "from_secret": "docker_password", - }, - "tags": [ - ver - ], - "ignore_missing": True, - "force_tag": True, - }, - }], - "trigger": { - "ref": [ - "refs/heads/master", - "refs/tags/**", - ], - }, - "depends_on": ["zabbix-proxy-%s-%s-%s" % (flavour, ver, arch) for arch in archs] - }]
diff --git a/.gitea/workflows/build_and_publish.yaml b/.gitea/workflows/build_and_publish.yaml
new file mode 100644
index 0000000..12e06b0
--- /dev/null
+++ b/.gitea/workflows/build_and_publish.yaml
@@ -0,0 +1,80 @@
+---
+name: Container Publish
+
+env:
+ REGISTRY: docker.asperti.com
+ REPOSITORY: paspo/zabbix-proxy
+
+on:
+ push:
+ tags:
+ - '*'
+ schedule:
+ - cron: "0 12 3 * *"
+ workflow_dispatch:
+ workflow_call:
+ workflow_run:
+ workflows: [vulnscan.yaml]
+ types: [completed]
+
+jobs:
+ on-success-skip:
+ runs-on:
+ labels: ubuntu-latest
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ steps:
+ - run: exit_with_success
+
+ build-image:
+ runs-on:
+ labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+ container:
+ image: catthehacker/ubuntu:act-latest
+ strategy:
+ matrix:
+ arch: [amd64, arm64]
+ flavour: [sqlite3, mysql]
+ ver: ["6.0", "7.0"]
+
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Login to registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ secrets.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
+
+ - name: Build and publish
+ run: |
+ docker build \
+ --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
+ --build-arg UPSTREAM_FLAVOUR=${{ matrix.flavour }} \
+ --build-arg UPSTREAM_VERSION=${{ matrix.ver }} \
+ --platform linux/${{ matrix.arch }} -f src/Dockerfile-${{ matrix.ver }} .
+ docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }}-${{ matrix.arch }}
+
+ manifest:
+ name: update docker manifest
+ needs: build-image
+ runs-on: ubuntu-latest
+ container:
+ image: catthehacker/ubuntu:act-latest
+
+ steps:
+ - name: Login to registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ secrets.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
+
+ - name: latest
+ run: |
+ docker manifest create \
+ ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }} \
+ --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }}-amd64 \
+ --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }}-arm64
+ docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }}
diff --git a/.gitea/workflows/vulnscan.yaml b/.gitea/workflows/vulnscan.yaml
new file mode 100644
index 0000000..bfd25f6
--- /dev/null
+++ b/.gitea/workflows/vulnscan.yaml
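Review bot: The `docker build` in the "Build and publish" step tags the image `${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}`, but the `docker push` on the next line pushes `…-${{ matrix.flavour }}-mssql:${{ matrix.ver }}-${{ matrix.arch }}`, a reference this step never created, so the push presumably fails on a clean runner and on a reused one would publish whatever stale image of that name is still present; the tag should be `--tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }}-${{ matrix.arch }} \`. The `manifest` job references `matrix.flavour` and `matrix.ver` without declaring a `strategy.matrix`, so both expand to empty and the `docker manifest create` targets `…-mssql:` with no version; it needs the same flavour/ver matrix as `build-image` (below). The `if: … conclusion == 'success'` guard gates only the `on-success-skip` job (whose `run: exit_with_success` is not a real command and fails the job), not `build-image`, so every completion of vulnscan.yaml rebuilds, and since vulnscan.yaml in turn triggers on this workflow's completion the two workflows appear to retrigger each other indefinitely unless the runner limits `workflow_run` chaining; if the intent is to rebuild only when the scan failed, `build-image` itself needs `if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'failure' }}`. `actions/checkout@v4`, `docker/login-action@v3` and the `catthehacker/ubuntu:act-latest` container are mutable references in jobs holding registry credentials; pinning them to a commit SHA or image digest narrows the supply-chain exposure.
```yaml
  manifest:
    name: update docker manifest
    needs: build-image
    runs-on: ubuntu-latest
    strategy:
      matrix:
        flavour: [sqlite3, mysql]
        ver: ["6.0", "7.0"]
    # … unchanged: container, login and manifest steps …
```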
@@ -0,0 +1,66 @@
+---
+name: Vulnerability Scan
+
+env:
+ REGISTRY: docker.asperti.com
+ REPOSITORY: paspo/zabbix-proxy
+
+on:
+ schedule:
+ - cron: "0 14 * * *"
+ workflow_dispatch:
+ workflow_call:
+ workflow_run:
+ workflows: [build_and_publish.yaml]
+ types: [completed]
+
+jobs:
+ scan:
+ name: Daily Vulnerability Scan
+ runs-on:
+ labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+ container:
+ image: catthehacker/ubuntu:act-latest
+ strategy:
+ matrix:
+ arch: [amd64, arm64]
+ flavour: [sqlite3, mysql]
+ ver: ["6.0", "7.0"]
+
+ steps:
+ - name: Pull docker image
+ run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }}
+
+ - name: Setup trivy
+ run: |
+ echo "Installing Trivy for arch: $(uname -m)"
+ case $(uname -m) in
+ x86_64)
+ wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
+ aarch64)
+ wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
+ *) exit 1 ;;
+ esac
+ dpkg -i /tmp/trivy.deb
+
+ - name: Run Trivy vulnerability scanner
+ id: scan
+ run: |
+ trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}-${{ matrix.flavour }}-mssql:${{ matrix.ver }} > trivy-results.json
+
+ # if some vulnerability is found, we fail
+ - name: check output
+ id: vulncount
+ run: |
+ echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
+ if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+
+ - name: send telegram notification
+ if: failure()
+ uses: appleboy/telegram-action@master
+ with:
+ to: ${{ secrets.TELEGRAM_TO }}
+ token: ${{ secrets.TELEGRAM_TOKEN }}
+ format: markdown
+ message: |
+ Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
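Review bot: The `check output` step counts only `.Results[0].Vulnerabilities`, but a Trivy JSON report carries one `Results` entry per scanned target (the OS package set plus each detected application dependency file), so findings in any later entry are silently ignored and the job passes; count across all entries once into a shell variable and reuse it, e.g. `COUNT=$(jq '[.Results[]?.Vulnerabilities // [] | length] | add // 0' trivy-results.json)` followed by `echo "VULNCOUNT=${COUNT}" >> "${GITHUB_OUTPUT}"` and `[ "${COUNT}" -eq 0 ] || exit 1`. The `Setup trivy` step installs a `.deb` fetched with `wget` and no integrity check, so anything that tampers with the download path runs as root on a runner holding registry, Trivy and Telegram credentials; verify the file against a pinned SHA-256 (or the checksums file published with the release) before `dpkg -i`. `appleboy/telegram-action@master` is a floating branch reference handed `TELEGRAM_TOKEN`; pin it to a release tag or commit SHA. `${{ secrets.TRIVY_SERVER }}` and `${{ secrets.TRIVY_TOKEN }}` are interpolated directly into the `run:` script text; passing them through the step's `env:` block and referencing `"$TRIVY_TOKEN"` keeps the secret out of the generated script and lets the shell quote it.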