
Candidates for container scanning

Open devopsmatt opened this issue 1 year ago • 2 comments

Identify all instances of container builds and deployments in GH workflows and document their locations, workload type (frontend, backend, etc.) and workflow file, line number.

devopsmatt avatar Oct 08 '24 19:10 devopsmatt

https://github.com/CDCgov/prime-reportstream/blob/ffbe8be416583efaa6ee20dcdac11e24f084552c/.github/actions/build-backend/action.yml#L206

devopsmatt avatar Oct 09 '24 20:10 devopsmatt

Assign to Mike once he's in the Org

devopsmatt avatar Oct 09 '24 20:10 devopsmatt

prime-reportstream.github\actions\deploy-backend\action.yml - 203
prime-reportstream.github\actions\build-backend\action.yml - 208
prime-reportstream.github\workflows\publish_docker.yaml - 104
prime-reportstream.github\workflows\release_chatops_app.yml - 58

Gabenewman avatar Oct 15 '24 20:10 Gabenewman

These are all the instances in the project where the docker build instruction is performed:

$ find . -not -iwholename '*/.git/*' -type f | \
  xargs -I {} egrep -iHn "docker([[:blank:]]*)build" {} ;
Front-End:
./frontend-react/run.container.sh:8:
docker build -t "${IMG?}:${TAG?}" .
Back-End:
./.github/workflows/release_chatops_app.yml:56:
docker build -t slack_boltjs_app -f Dockerfile.example . \

./.github/workflows/publish_docker.yaml:103:
docker build --build-arg AZ_ENV=${{ matrix.AZ_ENV }} -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.AZ_ENV }} .

./.github/actions/build-backend/action.yml:206:
run: docker build . --file Dockerfile --tag cdcgov/reportstream:latest

./.github/actions/deploy-backend/action.yml:197:
docker build . \
Documentation:
./prime-router/docs/docs-deprecated/docker-content-trust.md:132:
docker build -t your.container.repo/my-image:v1 .

emvaldes avatar Oct 25 '24 15:10 emvaldes

The objectives/targets for this GitHub Issue are now addressed and resolved. The actual line numbers for these references will change in time and this might be non-updated information but we can identify them at any time (using the shell command I have posted).

emvaldes avatar Oct 25 '24 15:10 emvaldes

If I expand on the search and include ANYTHING that might exist between the word docker and the word build, this is what I have found as files containing docker references:

$ find . -not -iwholename '*/.git/*' -type f | xargs -I {} egrep -iHn "docker.*build" {} | egrep -v -i "docker([[:blank:]]*)build" | awk -F':' '{print $1}' | sort | uniq -c ;
   1 ./.environment/gitleaks/gitleaks-config.toml
   2 ./operations/Makefile
   1 ./prime-router/Dockerfile.build
   1 ./prime-router/Dockerfile.dev
  10 ./prime-router/Makefile
   3 ./prime-router/build.sh
   5 ./prime-router/cleanslate.sh
   2 ./prime-router/devenv-infrastructure.sh
   1 ./prime-router/docker-compose.build.yml
   1 ./prime-router/docs/docs-deprecated/getting-started/faster-development.md
   2 ./prime-router/docs/docs-deprecated/getting-started/getting-started.md
   3 ./prime-router/docs/docs-deprecated/how-to-onboard-a-sender.md
   6 ./prime-router/docs/getting-started/README.md
   4 ./prime-router/docs/getting-started/postgres-database.md

emvaldes avatar Oct 25 '24 16:10 emvaldes
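The two searches in this thread (the strict `docker build` match and the wider `docker.*build` net), plus the observation that line numbers drift and the inventory should be regenerated rather than hand-maintained, can be folded into one small script. The script below is an added example, not code from the prime-reportstream project: the function names, the path-to-workload heuristics in `classify_path`, and the sample files created by `make_sample_repo` are all constructed for this illustration. It walks a tree while skipping `.git`, emits `path:line:workload` for every direct `docker build` invocation so the list can be handed to a container-scanning plan, and separately counts files that only mention docker and build loosely.

```shell
#!/bin/sh
# Added example (not part of the prime-reportstream repo): build a
# current inventory of "docker build" call sites for container scanning.

# Map a path to a workload type. These heuristics are assumptions for
# the example, not project conventions.
classify_path() {
  case "$1" in
    */frontend-react/*|*/frontend/*)           echo "frontend" ;;
    */.github/workflows/*|*/.github/actions/*) echo "ci" ;;
    */docs/*|*.md)                             echo "documentation" ;;
    *)                                         echo "backend" ;;
  esac
}

# Strict search, same pattern as the thread: "docker" then optional
# blanks then "build". Prints "path:line:workload", sorted, .git pruned.
inventory_docker_builds() {
  find "$1" -path '*/.git' -prune -o -type f -print 2>/dev/null |
  while IFS= read -r f; do
    grep -Ein 'docker([[:blank:]]*)build' "$f" 2>/dev/null |
    while IFS= read -r hit; do
      line=${hit%%:*}                       # grep -n prefixes "N:"
      printf '%s:%s:%s\n' "$f" "$line" "$(classify_path "$f")"
    done
  done | sort
}

# Loose search: anything between "docker" and "build", minus the strict
# hits. Output is "count path" per file, like "sort | uniq -c".
loose_docker_mentions() {
  find "$1" -path '*/.git' -prune -o -type f -print 2>/dev/null |
  while IFS= read -r f; do
    grep -Ein 'docker.*build' "$f" 2>/dev/null |
      grep -Eiv 'docker([[:blank:]]*)build' |
      while IFS= read -r _; do printf '%s\n' "$f"; done
  done | sort | uniq -c
}

# Constructed sample tree so the functions can run offline.
make_sample_repo() {
  root="$1"
  mkdir -p "$root/.git" "$root/frontend-react" \
           "$root/.github/actions/build-backend" "$root/prime-router/docs"
  printf 'docker build -t "${IMG?}:${TAG?}" .\n' \
    > "$root/frontend-react/run.container.sh"
  printf 'steps:\n  - run: docker build . --file Dockerfile --tag app:latest\n' \
    > "$root/.github/actions/build-backend/action.yml"
  printf '# docker-compose build is handled elsewhere\nall:\n\tgradle build\n' \
    > "$root/prime-router/Makefile"
  printf 'Run `docker build -t repo/img:v1 .`\n' > "$root/prime-router/docs/howto.md"
  printf 'docker build inside .git must be ignored\n' > "$root/.git/config"
}

count_lines() { wc -l | tr -d ' '; }

# Demo: sh inventory.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_repo "$tmp"
  echo "== direct docker build call sites =="
  inventory_docker_builds "$tmp"
  echo "== files with loose docker/build mentions =="
  loose_docker_mentions "$tmp"
  rm -rf "$tmp"
fi
```

Run it against a real checkout with `inventory_docker_builds /path/to/repo` (after sourcing the file) whenever the scanning inventory needs refreshing; because it regenerates line numbers on each run, the drift the thread mentions stops mattering. The workload column is only as good as the path heuristics, so a repo with a different layout needs its own `case` arms.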