GitHub Actions Pipeline Documentation with CoGuard Integration

Amaresh Pelleti

Overview

This GitHub Actions pipeline automates the build, linting, and deployment process for a Docker image named gcpcli to Google Cloud Platform’s Container Registry. The pipeline also integrates CoGuard.io for scanning the Docker image for vulnerabilities.

Ensure you have the necessary secrets set up in your GitHub repository:
– `GOOGLE_CREDENTIALS`: Google Cloud service account credentials.
– `CoGuardUserName`: CoGuard username for authentication.
– `CoGuardPassword`: CoGuard password for authentication.

Pipeline Structure

The pipeline consists of the following stages:

  1. Checkout: Fetches the repository code.
  2. Debug: Prints the GitHub reference.
  3. Linting: Uses Hadolint to lint the Dockerfile.
  4. Authentication: Authenticates with Google Cloud.
  5. Cloud SDK Setup: Sets up the Google Cloud SDK.
  6. Docker Authentication: Configures Docker authentication for Google Container Registry.
  7. Build Docker Image: Builds the Docker image using the specified Dockerfile.
  8. Push Docker Image: Pushes the built Docker image to Google Container Registry.
  9. CoGuard Scan: Scans the Docker image for vulnerabilities using CoGuard.io.

Pipeline Code

name: GCPS Build and publish a Docker image
on:
  push:
    branches:
      - '*'

env:
  PROJECT_ID: nomadic-rush-408023
  REGISTRY_name: gcpcli
  IMAGE_NAME: gcpcli
  REGION: northamerica-northeast2

jobs:
  build:
    name: GCP Build & push docker image
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Debug
        run: |
          echo "github.ref -> {{ github.ref }}"

      - name: lint Action for GCP
        uses: hadolint/[email protected]
        with:
          dockerfile: gcp/Dockerfile
          ignore: DL3018,SC2046,DL4006
          failure-threshold: warning
          no-color: false
          no-fail: true

      - id: "auth"
        uses: "google-github-actions/auth@v1"
        with:
          credentials_json: "${{ secrets.GOOGLE_CREDENTIALS }}"

      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v1"

      - name: "Use gcloud CLI"
        run: "gcloud info"

      - name: "Docker auth"
        run: |-
          gcloud auth configure-docker ${{ env.REGION }}-docker.pkg.dev --quiet

      - name: Build Docker image
        run: docker build . --file "gcp/Dockerfile" --tag ${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REGISTRY_name }}/${{ env.IMAGE_NAME }}

      - name: Push Docker image
        run: docker push ${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REGISTRY_name }}/${{ env.IMAGE_NAME }}

      - name: Run the CoGuard CLI Action
        uses: coguardio/[email protected]
        with:
          dockerImageName: '${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REGISTRY_name }}/${{ env.IMAGE_NAME }}:latest'
          failLevel: 6
          username: ${{ secrets.CoGuardUserName }}
          password: ${{ secrets.CoGuardPassword }}

CoGuard CLI Action Explanation

The CoGuard Scan step in the pipeline utilizes the coguardio/[email protected] GitHub Action to scan the Docker image for vulnerabilities using CoGuard.io. CoGuard is a static analysis tool for configuration files that helps developers and infrastructure teams reduce false positives and find actionable fixes for cloud infrastructure and application configurations before and after provisioning.

  • dockerImageName: Specifies the Docker image to scan. It references the image built and pushed in the previous steps.
  • failLevel: Sets the threshold for failing the scan. A value of 6 means that the scan will fail if any vulnerabilities with a severity level of 6 or higher are found.
  • username and password: These are secret credentials provided to authenticate with CoGuard.io for scanning the Docker image.

CoGuard’s Features

  • IaC, Container, and Application Configuration Scanning: CoGuard scans configuration files in your code repository, including Terraform, Kubernetes YAML, Dockerfile, and other configuration files. It also connects to your cloud provider and extracts your configurations.
  • Automating Compliance: CoGuard can be added to your CI/CD pipeline, allowing for continual compliance testing and monitoring. It supports a wide range of compliance frameworks and can provide ongoing reporting.
  • Remediation with or without Automation: CoGuard provides auto-remediation tools that can create a pull-request and fit in the code review process. It also provides manual remediation steps for configuration switches across containers and applications.
  • Reduce CVE False Positives: CoGuard is built to focus on actionable configuration changes, not CVE noise. It uses a predicate logic engine to add new technologies or new rulesets that are independent of the configuration of environments.
  • Fast and Extensible: CoGuard is built from the ground up to be extensible, and its predicate logic engine allows teams to extend the policies and configuration rules supported quickly.
  • Supported Technologies: CoGuard supports a wide range of technologies, including public cloud providers, infrastructure as code (IaC), and containerization technologies. It also supports databases, serverless technologies, and more.
  • Dashboard and Reporting: CoGuard provides a dashboard that displays all reports, including history and trends. It also provides remediation steps and allows teams to view their full infrastructure and access additional features.

CoGuard offers a free Developer Tier that supports common IaC and AMP technology stacks. It also offers a paid tier with additional features, including auto-remediation and access to the full infrastructure.

By integrating CoGuard.io into the pipeline, the company ensures that the Docker images deployed to production are secure and free from known vulnerabilities, enhancing the overall security posture of the applications running in the containerized environment.