pr.yaml

on: pull_request
name: dockerfile linting
jobs:

  golanglint:
    name: golang lint
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2.3.4
    - uses: hazcod/action-golangci-lint@master
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        directory: healthcheck

  dockerfilelint:
    name: dockerfile lint
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2.3.4
    - name: hadolint
      uses: burdzwastaken/hadolint-action@1.10.0
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        HADOLINT_ACTION_DOCKERFILE_FOLDER: .
  
  dockerbuild:
    name: docker build
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2.3.4
    - name: extract tag
      id: vars
      run: echo ::set-output name=nginx_version::$(grep '^FROM nginx' Dockerfile  | cut -d ' ' -f 2 | cut -d ':' -f 2)
    - name: docker build
      run: docker build . --file Dockerfile --tag image:${{ steps.vars.outputs.nginx_version }}

  dockerscan:
    name: docker security scan
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2.3.4
    - name: docker build
      run: docker build . --file Dockerfile --tag image
    - name: cached scan db
      uses: actions/cache@v2.1.7
      with:
        path: vulndb/
        key: trivy-vulndb
    - name: run security scan
      env:
        DISTRO: debian
      run: |
        docker run --rm \
          -v /var/run/docker.sock:/var/run/docker.sock \
          -v "$(pwd)/vulndb/":/root/.cache/ \
          aquasec/trivy --severity HIGH,CRITICAL,MEDIUM --no-progress --only-update $DISTRO --ignore-unfixed --exit-code 1 --cache-dir /root/.cache/ image
        docker run --rm -v "$(pwd)/vulndb/":/root/.cache/ alpine:latest chmod 777 -R /root/.cache/