From 8ada3968f1db3a598424e55889489ae5931d6b79 Mon Sep 17 00:00:00 2001
From: James Blair
Date: Wed, 28 Aug 2024 11:47:07 +1200
Subject: [PATCH] Add some more documentation.
---
 2024-08-28-rhacs-actions-pipeline/README.org | 63 +++++++++++++++++++-
 1 file changed, 60 insertions(+), 3 deletions(-)
diff --git a/2024-08-28-rhacs-actions-pipeline/README.org b/2024-08-28-rhacs-actions-pipeline/README.org
index 9e791af..1ae55ce 100644
--- a/2024-08-28-rhacs-actions-pipeline/README.org
+++ b/2024-08-28-rhacs-actions-pipeline/README.org
@@ -3,7 +3,7 @@
 #+AUTHOR: James Blair
-Red Hat Advanced Cluster Security can be easily integrated into an existing GitHub actions pipeline through the existing Stackrox suite of [[https://github.com/marketplace?query=stackrox][open source actions]].
+Red Hat Advanced Cluster Security can be easily integrated into an existing GitHub actions pipeline through the existing Stackrox suite of [[https://github.com/marketplace?query=stackrox][open source actions]]. The ~roxctl~ cli can be used to scan images for vulnerabilities or common misconfigurations.
 * Configure rhacs github oidc auth
@@ -18,9 +18,66 @@ Refer: https://docs.openshift.com/acs/4.5/operating/manage-user-access/configure
 * Create github actions pipeline
-
-An example pipeline would look like:
+An example pipeline is included below and in this repository.
 #+begin_src yaml
+---
+name: Secure image build
+on: workflow_dispatch
+permissions:
+ contents: read
+jobs:
+
+ build-and-push-image:
+ name: Build and push image
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Build image
+ uses: redhat-actions/buildah-build@v2
+ with:
+ image: quay.io/rh_ee_jablair/ubi9
+ tags: v0.0.1-${{ github.sha }}
+ containerfiles: |
+ ./2024-08-28-rhacs-actions-pipeline/Containerfile
+
+ - name: Push to quay.io
+ uses: redhat-actions/push-to-registry@v2
+ with:
+ image: ubi9
+ tags: v0.0.1-${{ github.sha }}
+ registry: quay.io/rh_ee_jablair
+ username: ${{ secrets.QUAY_USERNAME }}
+ password: ${{ secrets.QUAY_PASSWORD }}
+
+
+ scan-image:
+ runs-on: ubuntu-latest
+ needs: build-and-push-image
+ permissions:
+ id-token: write
+ steps:
+
+ - name: Rhacs login
+ uses: stackrox/central-login@v1
+ with:
+ endpoint: ${{ secrets.CENTRAL_ENDPOINT }}
+ skip-tls-verify: true
+
+ - name: Install roxctl
+ uses: stackrox/roxctl-installer-action@v1
+ with:
+ central-endpoint: ${{ secrets.CENTRAL_ENDPOINT }}
+ central-token: ${{ secrets.ROX_API_TOKEN }}
+ skip-tls-verify: true
+
+ - name: Scan image with roxctl
+ shell: bash
+ run: |
+ roxctl image scan --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1-${{ github.sha }}" --insecure-skip-tls-verify
+ roxctl image check --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1-${{ github.sha }}" --insecure-skip-tls-verify
 #+end_src
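Review bot: The example pipeline turns off certificate verification on every connection to Central — `skip-tls-verify: true` on both the `stackrox/central-login@v1` and `stackrox/roxctl-installer-action@v1` steps and `--insecure-skip-tls-verify` on both `roxctl` commands — while `ROX_API_TOKEN` and the OIDC-obtained credential travel over those same connections, and a README example like this tends to be copied verbatim. Either drop the three flags and have the runner trust Central's CA, or mark them in the src block with a comment such as `# skip-tls-verify: only for a self-signed lab Central; remove for any real deployment`. Separately, `scan-image` runs only after `build-and-push-image` has completed, so a failing `roxctl image check` cannot stop the image from reaching quay.io; if the check is meant to gate publication the text should say that it currently only reports, or the final tag should be pushed only after the check passes. It is also not clear from the hunk whether the static `central-token` is still required once `central-login` has authenticated via OIDC; if it is not, the long-lived secret can be removed from the installer step. The org section this hunk edits continues beyond the hunk.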