Add some more documentation.
		@ -3,7 +3,7 @@
 | 
				
			|||||||
#+AUTHOR: James Blair
 | 
					#+AUTHOR: James Blair
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
Red Hat Advanced Cluster Security can be easily integrated into an existing GitHub actions pipeline through the existing Stackrox suite of [[https://github.com/marketplace?query=stackrox][open source actions]].
 | 
					Red Hat Advanced Cluster Security can be easily integrated into an existing GitHub actions pipeline through the existing Stackrox suite of [[https://github.com/marketplace?query=stackrox][open source actions]]. The ~roxctl~ cli can be used to scan images for vulnerabilities or common misconfigurations.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
* Configure rhacs github oidc auth
 | 
					* Configure rhacs github oidc auth
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@ -18,9 +18,66 @@ Refer: https://docs.openshift.com/acs/4.5/operating/manage-user-access/configure
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
* Create github actions pipeline
 | 
					* Create github actions pipeline
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					An example pipeline is included below and in this repository.
 | 
				
			||||||
An example pipeline would look like:
 | 
					 | 
				
			||||||
 | 
					
 | 
				
			||||||
#+begin_src yaml
 | 
					#+begin_src yaml
 | 
				
			||||||
 | 
					---
 | 
				
			||||||
 | 
					name: Secure image build
 | 
				
			||||||
 | 
					on: workflow_dispatch
 | 
				
			||||||
 | 
					permissions:
 | 
				
			||||||
 | 
					  contents: read
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					jobs:
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					  build-and-push-image:
 | 
				
			||||||
 | 
					    name: Build and push image
 | 
				
			||||||
 | 
					    runs-on: ubuntu-latest
 | 
				
			||||||
 | 
					    steps:
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					      - name: Checkout code
 | 
				
			||||||
 | 
					        uses: actions/checkout@v4
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					      - name: Build image
 | 
				
			||||||
 | 
					        uses: redhat-actions/buildah-build@v2
 | 
				
			||||||
 | 
					        with:
 | 
				
			||||||
 | 
					          image: quay.io/rh_ee_jablair/ubi9
 | 
				
			||||||
 | 
					          tags: v0.0.1-${{ github.sha }}
 | 
				
			||||||
 | 
					          containerfiles: |
 | 
				
			||||||
 | 
					            ./2024-08-28-rhacs-actions-pipeline/Containerfile
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					      - name: Push to quay.io
 | 
				
			||||||
 | 
					        uses: redhat-actions/push-to-registry@v2
 | 
				
			||||||
 | 
					        with:
 | 
				
			||||||
 | 
					          image: ubi9
 | 
				
			||||||
 | 
					          tags: v0.0.1-${{ github.sha }}
 | 
				
			||||||
 | 
					          registry: quay.io/rh_ee_jablair
 | 
				
			||||||
 | 
					          username: ${{ secrets.QUAY_USERNAME }}
 | 
				
			||||||
 | 
					          password: ${{ secrets.QUAY_PASSWORD }}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					  scan-image:
 | 
				
			||||||
 | 
					    runs-on: ubuntu-latest
 | 
				
			||||||
 | 
					    needs: build-and-push-image
 | 
				
			||||||
 | 
					    permissions:
 | 
				
			||||||
 | 
					      id-token: write
 | 
				
			||||||
 | 
					    steps:
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					      - name: Rhacs login
 | 
				
			||||||
 | 
					        uses: stackrox/central-login@v1
 | 
				
			||||||
 | 
					        with:
 | 
				
			||||||
 | 
					          endpoint: ${{ secrets.CENTRAL_ENDPOINT }}
 | 
				
			||||||
 | 
					          skip-tls-verify: true
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					      - name: Install roxctl
 | 
				
			||||||
 | 
					        uses: stackrox/roxctl-installer-action@v1
 | 
				
			||||||
 | 
					        with:
 | 
				
			||||||
 | 
					          central-endpoint: ${{ secrets.CENTRAL_ENDPOINT }}
 | 
				
			||||||
 | 
					          central-token: ${{ secrets.ROX_API_TOKEN }}
 | 
				
			||||||
 | 
					          skip-tls-verify: true
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					      - name: Scan image with roxctl
 | 
				
			||||||
 | 
					        shell: bash
 | 
				
			||||||
 | 
					        run: |
 | 
				
			||||||
 | 
					          roxctl image scan --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1-${{ github.sha }}" --insecure-skip-tls-verify
 | 
				
			||||||
 | 
					          roxctl image check --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1-${{ github.sha }}" --insecure-skip-tls-verify
 | 
				
			||||||
#+end_src
 | 
					#+end_src
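Review bot: The scan job disables TLS verification toward Central in four places — `skip-tls-verify: true` on the central-login and roxctl-installer-action steps and `--insecure-skip-tls-verify` on both roxctl commands — so the OIDC-exchanged credential and the `ROX_API_TOKEN` secret are sent to `CENTRAL_ENDPOINT` over a connection whose peer is never authenticated, and a network attacker between the runner and Central could capture a token that grants API access. Since a documented example will be copied as-is, drop those flags and either front Central with a publicly trusted certificate or pass its CA to the actions and to roxctl (both appear to accept a CA input; confirm the exact input names). The job also seems to carry two credential paths, OIDC login under `id-token: write` and a static `central-token: ${{ secrets.ROX_API_TOKEN }}`; if the OIDC exchange is what the roxctl steps end up using, the long-lived token secret can be removed, and the prose should say which path is intended. Finally, `build-and-push-image` publishes the tag to quay.io before `roxctl image check` runs, so a policy failure does not stop the image from being pulled; pushing to a candidate tag and promoting it only after the check passes would make the gate effective.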
 | 
				
			||||||
 | 
				
			|||||||