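# yaml-language-server: $schema=https://taskfile.dev/schema.json
#
# Task (taskfile.dev) definitions for one container image: lint the
# Dockerfile, build, scan, inspect layers and publish. Every image task takes
# its inputs from the IMAGE_DIR / IMAGE_NAME / IMAGE_TAG (and, for push,
# REGISTRY) variables, which are declared under `requires` and so must be
# supplied on the command line or by an including Taskfile.
version: '3'

tasks:
  init:
    # The description names what the commands below actually install
    # (yq via apt, dive via its release .deb).
    desc: "Install required tools (yq, dive)"
    cmds:
      - |
        sudo apt update
        sudo apt install -y \
          yq
      - |
        # Fail the whole step on any error. Without this an empty
        # DIVE_VERSION (API outage, rate limit, changed JSON layout) silently
        # became a download of a 404 page that apt was then asked to install.
        set -euo pipefail
        echo "Fetching latest Dive version..."
        DIVE_VERSION=$(curl -fsSL "https://api.github.com/repos/wagoodman/dive/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
        test -n "${DIVE_VERSION}"
        echo "Installing Dive ${DIVE_VERSION}..."
        DEB="dive_${DIVE_VERSION}_linux_amd64.deb"
        SUMS="dive_${DIVE_VERSION}_checksums.txt"
        curl -fLO "https://github.com/wagoodman/dive/releases/download/v${DIVE_VERSION}/${DEB}"
        # Verify the package against the checksum list published with the
        # same release before handing it to apt, so a tampered or truncated
        # download is rejected instead of installed. The checksum file name
        # follows the goreleaser convention (<project>_<version>_checksums.txt)
        # used by the dive releases — confirm against the release page if the
        # verification step ever reports "no file was verified".
        curl -fLO "https://github.com/wagoodman/dive/releases/download/v${DIVE_VERSION}/${SUMS}"
        sha256sum --check --ignore-missing "${SUMS}"
        sudo apt install -y "./${DEB}"
        rm "${DEB}" "${SUMS}"
    status:
      # Skip the task when both tools are already on PATH.
      - command -v yq
      - command -v dive

  lint:
    desc: "Lint the Dockerfile using Hadolint (Docker-based)"
    dir: "{{.IMAGE_DIR}}"
    cmds:
      # NOTE(review): the hadolint image is unpinned (floating latest); pin a
      # tag or digest if the lint result must be reproducible across runs.
      - docker run --rm -i ghcr.io/hadolint/hadolint hadolint --failure-threshold error - < Dockerfile
    requires:
      vars:
        - IMAGE_DIR

  build:
    # when_changed: with several callers in one invocation, rebuild only when
    # the variables differ.
    run: when_changed
    dir: "{{.IMAGE_DIR}}"
    cmds:
      - docker build -t {{.IMAGE}} .
    env:
      IMAGE: "{{.IMAGE_NAME}}:{{.IMAGE_TAG}}"
    requires:
      vars:
        - IMAGE_DIR
        - IMAGE_NAME
        - IMAGE_TAG
    # Only the Dockerfile is tracked as a source, so edits to files the
    # Dockerfile COPYs from the build context do not by themselves trigger a
    # rebuild; extend this list if the image content depends on them.
    sources:
      - Dockerfile

  scan:
    deps:
      - build
    desc: "Scan the built Docker image for vulnerabilities using Trivy (Docker-based)"
    dir: "{{.IMAGE_DIR}}"
    cmds:
      # The Docker socket is mounted so Trivy can read the locally built image
      # from the daemon; that mount gives the container full control of the
      # daemon, which is acceptable for a trusted scanner image but is one more
      # reason to pin it (it is currently unpinned / floating latest).
      # Whether findings fail the task depends on the exit-code setting in
      # TRIVY_CONF — confirm it if this scan is meant to gate the pipeline.
      - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$(pwd)":/workdir -w /workdir aquasec/trivy image -c {{.TRIVY_CONF}} {{.IMAGE}}
    vars:
      # Path is relative to IMAGE_DIR because of `dir` above.
      TRIVY_CONF: 'trivy_conf.yml'
    env:
      IMAGE: "{{.IMAGE_NAME}}:{{.IMAGE_TAG}}"
    requires:
      vars:
        - IMAGE_DIR
        - IMAGE_NAME
        - IMAGE_TAG

  analyze:
    deps:
      - build
    desc: "Analyze the built image layers with Dive"
    cmds:
      # --ci runs dive non-interactively against its CI rules.
      - dive {{.IMAGE}} --ci
    env:
      IMAGE: "{{.IMAGE_NAME}}:{{.IMAGE_TAG}}"
    requires:
      vars:
        - IMAGE_NAME
        - IMAGE_TAG

  push:
    deps:
      - build
    desc: "Push the built Docker image to GitHub Container Registry (GHCR)"
    cmds:
      - |
        docker tag {{.CURRENT_IMAGE}} {{.PUBLISHED_IMAGE}}
        docker push {{.PUBLISHED_IMAGE}}
    env:
      CURRENT_IMAGE: "{{.IMAGE_NAME}}:{{.IMAGE_TAG}}"
      PUBLISHED_IMAGE: "{{.REGISTRY}}/{{.IMAGE_NAME}}:{{.IMAGE_TAG}}"
    requires:
      vars:
        # IMAGE_DIR is not used here directly; it is required because the
        # `build` dependency needs it.
        - IMAGE_DIR
        - IMAGE_NAME
        - IMAGE_TAG
        - REGISTRY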