Skip to content

work in progress for mandiant threat intel integration, cisagov/Malco… #261

work in progress for mandiant threat intel integration, cisagov/Malco…

work in progress for mandiant threat intel integration, cisagov/Malco… #261

name: hedgehog-iso-build-docker-wrap-push-ghcr
on:
push:
branches:
- main
- development
paths:
- 'hedgehog-iso/**'
- 'shared/bin/*'
- '.trigger_iso_workflow_build'
- '.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml'
workflow_dispatch:
repository_dispatch:
jobs:
build:
runs-on: ubuntu-22.04
permissions:
actions: write
packages: write
contents: read
security-events: write
defaults:
run:
shell: bash
steps:
-
name: Cancel previous run in progress
uses: styfle/[email protected]
with:
ignore_sha: true
all_but_latest: true
access_token: ${{ secrets.GITHUB_TOKEN }}
-
name: Set up QEMU
uses: docker/setup-qemu-action@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: |
image=moby/buildkit:master
-
name: Build environment setup
run: |
sudo docker rmi $(docker image ls -aq) >/dev/null 2>&1 || true
sudo rm -rf \
"$AGENT_TOOLSDIRECTORY" \
/opt/ghc \
/usr/lib/jvm \
/usr/local/.ghcup \
/usr/local/lib/android \
/usr/local/share/powershell \
/usr/share/dotnet \
/usr/share/swift >/dev/null 2>&1 || true
sudo env DEBIAN_FRONTEND=noninteractive apt-get -q -y update >/dev/null 2>&1
sudo env DEBIAN_FRONTEND=noninteractive apt-get -q -y --purge remove \
azure-cli \
dotnet* \
firefox \
google-chrome-stable \
google-cloud-cli \
microsoft-edge-stable \
mono-* \
mysql* \
postgresql* \
powershell \
temurin* >/dev/null 2>&1 || true
sudo env DEBIAN_FRONTEND=noninteractive apt-get -q -y --purge autoremove >/dev/null 2>&1 || true
sudo env DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y -q \
apt-transport-https \
bc \
build-essential \
ca-certificates \
curl \
debhelper-compat \
debian-archive-keyring \
debootstrap \
genisoimage \
gettext \
git \
gnupg2 \
imagemagick \
jq \
po4a \
rsync \
software-properties-common \
squashfs-tools \
virt-what \
xorriso
git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules --branch='debian/1%20230131' 'https://salsa.debian.org/live-team/live-build.git' /tmp/live-build
cd /tmp/live-build
dpkg-buildpackage -b -uc -us
cd /tmp
sudo dpkg -i /tmp/live-build*.deb
sudo rm -rf /tmp/live-build /tmp/live-build*.deb
-
name: Checkout
uses: actions/checkout@v4
-
name: Extract branch name
shell: bash
run: echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_OUTPUT
id: extract_branch
-
name: Extract commit SHA
shell: bash
run: echo "sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
id: extract_commit_sha
-
name: Extract Malcolm version
shell: bash
run: echo "mversion=$(grep -P "^\s+image:.*/malcolm/" docker-compose-dev.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" >> $GITHUB_OUTPUT
id: extract_malcolm_version
-
name: Build image
run: |
sudo rm -rf ${GITHUB_WORKSPACE}/.git
cp -r ./shared ./docs ./_config.yml ./_includes ./_layouts ./Gemfile ./README.md ./malcolm-iso/htpdate ./hedgehog-iso
cp ./scripts/malcolm_utils.py ./hedgehog-iso/shared/bin/
cp ./scripts/documentation_build.sh ./hedgehog-iso/docs/
mkdir -p ./hedgehog-iso/suricata
cp -r ./suricata/rules-default ./hedgehog-iso/suricata/
mkdir -p ./hedgehog-iso/nginx
cp -r ./nginx/landingpage/css ./hedgehog-iso/nginx/
cp -r ./nginx/landingpage/js ./hedgehog-iso/nginx/
pushd ./hedgehog-iso
echo "${{ steps.extract_malcolm_version.outputs.mversion }}" > ./shared/version.txt
echo "${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}" > ./shared/maxmind_license.txt
echo "${{ secrets.MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL }}" > ./shared/maxmind_url.txt
echo "${{ secrets.ZEEK_DEB_ALTERNATE_DOWNLOAD_URL }}" > ./shared/zeek_url.txt
echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" > ./shared/environment.chroot
echo "VCS_REVSION=${{ steps.extract_commit_sha.outputs.sha }}" > ./shared/environment.chroot
echo "BUILD_JOBS=2" > ./shared/environment.chroot
sudo /usr/bin/env bash ./build.sh
rm -rf ./shared/ ./docs/ ./_config.yml ./_includes ./_layouts /Gemfile ./README.md ./suricata
sudo chmod 644 ./hedgehog-*.*
popd
-
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'fs'
scan-ref: './hedgehog-iso'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
-
name: Upload Trivy scan results to GitHub Security tab
if: ${{ matrix.platform == 'linux/amd64' }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
-
name: ghcr.io login
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Build and push ISO image
uses: docker/build-push-action@v5
with:
context: ./hedgehog-iso
push: true
provenance: false
tags: ghcr.io/${{ github.repository_owner }}/malcolm/hedgehog:${{ steps.extract_branch.outputs.branch }}