Here is code that is bound to fail: it uses old Docker images and ignores best practices in several areas. It demonstrates how GitHub Actions can be used to safely create, scan, and publish container images, following best practices such as fail-left (failing as early in the pipeline as possible) and not doing unneeded work.
Look at the .github/workflows/main.yaml file.
CI Pipeline flow....
- developer pushes a feature branch
  - triggers a SAST code scan of the code (python, npm, java etc); scan issues won't fail the build
  - triggers a scan of the Dockerfile; scan issues won't fail the build
- store container artifact locally
- deploy container and run mock tests
  - reports go to output folder
- if these pass, then artifact promotes to integration container repo
  - a GIT tag is cut
  - container image is tagged with latest and git-tag and pushed to CI repo
- image is deployed into CI
  - tests are fired off
  - report generated
- if these pass, container is retagged with git-tag and pushed to the final ECR image repo
- continuous scanning happens on PROD ECR repo
Still to do....
- only build if files have changed or have been added
- add tagging
- add push to registry if the scan passed
- integrate with tooling selected by InfoSec
- get feedback from
  - InfoSec
  - Dev Teams management
  - Architects
  - SRE
- create a drawing to visually display the flow
- create an SBOM (software bill of materials)
- scan for licenses
- auto-create release notes
- Helm chart scanning
- Helm chart promotion
- Jira / GitHub integration
  - create issues based on failing tests
  - link issues in Jira
- GitHub repo best practices
  - global git
    - set default branch to main: git config --global init.defaultBranch main
    - create user and email
  - set default branch to main
  - don't allow anyone to push to main
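As an added example (not the repo's own .github/workflows/main.yaml), here is a minimal workflow that implements the flow above up to the integration push: a paths filter so nothing runs when the build inputs haven't changed, a Dockerfile lint that reports but doesn't fail the build, a local-only build, an image scan that gates the push (the "push to registry if the scan passed" item), a mock smoke test, and an OIDC-authenticated push to ECR. The action versions, the src/ path filter, the /health endpoint, the image name and the role ARN are assumptions or placeholders.

```yaml
name: container-ci
on:
  push:
    branches: ['feature/**']
    paths: ['Dockerfile', 'src/**', '.github/workflows/**']  # skip unchanged builds
permissions:
  contents: read
  id-token: write   # OIDC federation to AWS instead of long-lived access keys
env:
  IMAGE: app:${{ github.sha }}
jobs:
  build-scan-test-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Lint the Dockerfile; findings are reported but do not fail the build
        uses: hadolint/hadolint-action@v3.1.0
        continue-on-error: true
        with:
          dockerfile: Dockerfile
      - uses: docker/setup-buildx-action@v3
      - name: Build into the local daemon only; nothing is pushed yet
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          push: false
          tags: ${{ env.IMAGE }}
      - name: Scan the image; a CRITICAL finding fails this step and blocks the push
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE }}
          severity: CRITICAL
          exit-code: '1'
      - name: Deploy locally and run a mock smoke test (hypothetical /health endpoint)
        run: |
          docker run -d --name app -p 8080:8080 "$IMAGE"
          sleep 5
          curl -fsS http://localhost:8080/health
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-ecr-push  # placeholder ARN
          aws-region: us-east-1
      - id: ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Push to the integration repo only after scan and tests passed
        run: |
          docker tag "$IMAGE" "${{ steps.ecr.outputs.registry }}/integration/app:${{ github.sha }}"
          docker push "${{ steps.ecr.outputs.registry }}/integration/app:${{ github.sha }}"
```

Because every step runs in order in one job, a failing scan or test stops the job before the push step, so nothing unscanned or untested reaches the registry.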