update image scan action

SecurityForCloudBuilders · Oct 15, 2024 · 7ec457c · 7ec457c
1 parent c2fde38
commit 7ec457c
Showing 1 changed file with 25 additions and 15 deletions.
diff --git a/.github/workflows/secure-pipeline.yml b/.github/workflows/secure-pipeline.yml
@@ -56,32 +56,42 @@ jobs:
         id: version
         run: echo "VERSION=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
-      - name: build and push the docker image
+
+      - name: Docker build & tag image
         env:
           GOOGLE_PROJECT: ${{ secrets.GOOGLE_PROJECT }}
           VERSION: ${{ steps.version.outputs.VERSION }}
         run: |
           DOCKER_IMAGE="us-central1-docker.pkg.dev/${GOOGLE_PROJECT}/igors-java-goof/java-goof:${VERSION}"
-          gcloud auth configure-docker us-central1-docker.pkg.dev
-          docker build -t $DOCKER_IMAGE .
-          docker push ${DOCKER_IMAGE}
+          docker build -t $DOCKER_IMAGE -t $DOCKER_IMAGE .
+
+
+      - name: Scan Container Image with CrowdStrike
+        uses: CrowdStrike/container-image-scan-action@main
+        with:
+          container_repository: us-central1-docker.pkg.dev/${{ secrets.GOOGLE_PROJECT }}/igors-java-goof/java-goof:${{ steps.version.outputs.VERSION }}
+          crowdstrike_region: us-1
+          crowdstrike_score: 5000
+          retry_count: 30
+        env:
+          FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }}
+          FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }}
+          JSON_REPORT: /tmp/report.json
+
+      - name: Print CrowdStrike Full Image Scan Report
+        if: always()
+        run: |
+          jq '.' /tmp/report.json
 
-      - name: Falcon Image Vulnerability Analysis (IVAN)  
+      - name: Push the docker image
         env:
           GOOGLE_PROJECT: ${{ secrets.GOOGLE_PROJECT }}
           VERSION: ${{ steps.version.outputs.VERSION }}
         run: |
           DOCKER_IMAGE="us-central1-docker.pkg.dev/${GOOGLE_PROJECT}/igors-java-goof/java-goof:${VERSION}"
-          export FALCON_CLIENT_ID=${{ secrets.CLIENT_ID }}
-          export FALCON_CLIENT_SECRET=${{ secrets.CLIENT_SECRET }}
-          curl -LO https://github.com/CrowdStrike/ivan/releases/download/1.0.6/ivan_1.0.6_Linux_x86_64.tar.gz
-          tar xvzf ivan_1.0.6_Linux_x86_64.tar.gz
-          chmod +x ivan
-          docker pull ${DOCKER_IMAGE}
-          echo "Moving the binary to \"/usr/local/bin/\". It might request root access."
-          sudo mv ivan /usr/local/bin/
-          ivan -region us-1 -image ${DOCKER_IMAGE}
-    
+          gcloud auth configure-docker us-central1-docker.pkg.dev
+          docker push ${DOCKER_IMAGE}
+            
       - name: Deploy to GKE
         env:
           GOOGLE_PROJECT: ${{ secrets.GOOGLE_PROJECT }}