tech-stack-advisor3/.github/workflows/ci.yml at main · devops-0001/tech-stack-advisor3 · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
name: CI Pipeline

on:
  push:
    branches: [ "main", "develop" ]

env:
  REGISTRY: docker.io
  IMAGE_NAME: ${{ secrets.DOCKERHUB_USERNAME }}/tech-stack-advisor

permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  build-and-test:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Set up Python
      uses: actions/setup-python@v4
      with:
        python-version: '3.11'

    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install -r requirements.txt

    - name: Train model
      run: python train.py

    - name: Test application
      run: |
        # Check if model files were created
        if [ -f "model.pkl" ] && [ -f "encoders.pkl" ]; then
          echo "✅ Model files created successfully"
        else
          echo "❌ Model files missing"
          exit 1
        fi

    - name: Upload model artifacts
      uses: actions/upload-artifact@v4
      with:
        name: trained-models
        path: |
          model.pkl
          encoders.pkl

  docker-build:
    needs: build-and-test
    runs-on: ubuntu-latest
    outputs:
      image-digest: ${{ steps.build.outputs.digest }}
      image-tags: ${{ steps.meta.outputs.tags }}

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Download model artifacts
      uses: actions/download-artifact@v5
      with:
        name: trained-models

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3

    - name: Log in to Docker Hub
      uses: docker/login-action@v3
      with:
        username: ${{ secrets.DOCKERHUB_USERNAME }}
        password: ${{ secrets.DOCKERHUB_TOKEN }}

    - name: Extract metadata
      id: meta
      uses: docker/metadata-action@v5
      with:
        images: ${{ env.IMAGE_NAME }}
        tags: |
          type=ref,event=branch
          type=ref,event=pr
          type=sha,prefix={{branch}}-
          type=raw,value=latest,enable={{is_default_branch}}

    - name: Build and push multi-architecture image
      uses: docker/build-push-action@v6
      id: build
      with:
        context: .
        platforms: linux/amd64,linux/arm64
        push: true
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        cache-from: type=gha
        cache-to: type=gha,mode=max

    - name: Generate build summary
      run: |
        echo "## 🐳 Docker Build Summary" >> $GITHUB_STEP_SUMMARY
        echo "| Property | Value |" >> $GITHUB_STEP_SUMMARY
        echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
        echo "| Image | \`${{ env.IMAGE_NAME }}\` |" >> $GITHUB_STEP_SUMMARY
        echo "| Platforms | linux/amd64, linux/arm64 |" >> $GITHUB_STEP_SUMMARY
        echo "| Tags | ${{ steps.meta.outputs.tags }} |" >> $GITHUB_STEP_SUMMARY
        echo "| Registry | Docker Hub |" >> $GITHUB_STEP_SUMMARY

  security-scan:
    needs: docker-build
    runs-on: ubuntu-latest

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Set up Trivy
      run: |
        sudo apt-get update
        sudo apt-get install wget apt-transport-https gnupg lsb-release
        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
        echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
        sudo apt-get update
        sudo apt-get install trivy

    - name: Log in to Docker Hub
      uses: docker/login-action@v3
      with:
        username: ${{ secrets.DOCKERHUB_USERNAME }}
        password: ${{ secrets.DOCKERHUB_TOKEN }}

    - name: Run Trivy vulnerability scan
      run: |
        echo "🔍 Running Trivy vulnerability scan..."
        trivy image \
          --format sarif \
          --output trivy-results.sarif \
          ${{ env.IMAGE_NAME }}:latest

    - name: Run Trivy vulnerability scan (table format)
      run: |
        echo "🔍 Running Trivy scan for human-readable output..."
        trivy image \
          --format table \
          --output trivy-results.txt \
          ${{ env.IMAGE_NAME }}:latest

    - name: Generate SBOM with Trivy
      run: |
        echo "📋 Generating SBOM with Trivy..."
        trivy image \
          --format spdx-json \
          --output sbom.spdx.json \
          ${{ env.IMAGE_NAME }}:latest

    - name: Check for HIGH and CRITICAL vulnerabilities
      id: vuln-check
      run: |
        echo "🚨 Checking for HIGH/CRITICAL vulnerabilities..."

        # Count HIGH and CRITICAL vulnerabilities
        HIGH_COUNT=$(trivy image --format json ${{ env.IMAGE_NAME }}:latest | jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "HIGH")] | length')
        CRITICAL_COUNT=$(trivy image --format json ${{ env.IMAGE_NAME }}:latest | jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length')

        echo "high-count=$HIGH_COUNT" >> $GITHUB_OUTPUT
        echo "critical-count=$CRITICAL_COUNT" >> $GITHUB_OUTPUT

        echo "Found $CRITICAL_COUNT CRITICAL and $HIGH_COUNT HIGH severity vulnerabilities"

        # Display summary
        echo "## 🔒 Security Scan Results" >> $GITHUB_STEP_SUMMARY
        echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
        echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
        echo "| CRITICAL | $CRITICAL_COUNT |" >> $GITHUB_STEP_SUMMARY
        echo "| HIGH | $HIGH_COUNT |" >> $GITHUB_STEP_SUMMARY

    - name: Security gate - Fail on CRITICAL vulnerabilities
      if: steps.vuln-check.outputs.critical-count > 5
      run: |
        echo "❌ SECURITY GATE FAILED: Found ${{ steps.vuln-check.outputs.critical-count }} CRITICAL vulnerabilities"
        echo "🚨 Build blocked due to critical security issues"
        exit 1

    - name: Security gate - Warn on HIGH vulnerabilities
      if: steps.vuln-check.outputs.high-count > 5
      run: |
        echo "⚠️  WARNING: Found ${{ steps.vuln-check.outputs.high-count }} HIGH severity vulnerabilities"
        echo "💡 Consider reviewing and addressing these vulnerabilities"

    - name: Upload security artifacts
      uses: actions/upload-artifact@v4
      if: always()
      with:
        name: security-reports
        path: |
          trivy-results.sarif
          trivy-results.txt
          sbom.spdx.json

    - name: Upload SARIF results to GitHub Security
      uses: github/codeql-action/upload-sarif@v3
      if: always()
      with:
        sarif_file: trivy-results.sarif
        category: trivy