mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
zot/.github/workflows/web-scan.yaml
Andrei Aaron 375c35c5a1
chore: update to go 1.22 (#2330)
* chore: update to go 1.22

Only go toolchain version is updated.
We compile with go 1.22, but we allow others to compile using language version 1.21 if they wish to.
If we also updated the go version in go.mod everyone would be forced to update, as that is enforced as a minimum allowed version.

This comment explains the difference well enough https://news.ycombinator.com/item?id=36455759

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

* chore: fix freeBSD AMD64 build

Looks like they made some cleanup in the logic allowing buildmode pie on various platforms.

Related to https://github.com/golang/go/issues/31544
See the code at: https://cs.opensource.google/go/go/+/master:src/internal/platform/supported.go;l=222-231;drc=d7fcb5cf80953f1d63246f1ae9defa60c5ce2d76;bpv=1;bpt=0

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

---------

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-03-20 11:53:11 -07:00

67 lines
1.9 KiB
YAML

name: 'Security web scan for zot'
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  release:
    types:
      - published
# Least-privilege GITHUB_TOKEN: read-only access to repository contents
permissions:
  contents: read
jobs:
  zap_scan:
    runs-on: ubuntu-latest-4-cores
    name: Scan ZOT using ZAP
    strategy:
      matrix:
        # Scan both the minimal build and the full build
        flavor: [zot-linux-amd64-minimal, zot-linux-amd64]
    steps:
      - name: Install go
        uses: actions/setup-go@v5
        with:
          cache: false
          go-version: 1.22.x
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build zot
        run: |
          echo "Building $FLAVOR"
          cd $GITHUB_WORKSPACE
          if [[ $FLAVOR == "zot-linux-amd64-minimal" ]]; then
            make binary-minimal
          else
            make binary
          fi
          ls -l bin/
        env:
          FLAVOR: ${{ matrix.flavor }}
      - name: Bringup zot server
        run: |
          # upload images, zot can serve OCI image layouts directly like so
          mkdir /tmp/zot
          skopeo copy --format=oci docker://busybox:latest oci:/tmp/zot/busybox:latest
          # start zot
          if [[ $FLAVOR == "zot-linux-amd64-minimal" ]]; then
            ./bin/${{ matrix.flavor }} serve examples/config-conformance.json &
          else
            ./bin/${{ matrix.flavor }} serve examples/config-ui.json &
          fi
          # wait until service is up
          while true; do x=0; curl -f http://localhost:8080/v2/ || x=1; if [ $x -eq 0 ]; then break; fi; sleep 1; done
        env:
          FLAVOR: ${{ matrix.flavor }}
      - name: ZAP Scan Rest API
        uses: zaproxy/action-baseline@v0.11.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'owasp/zap2docker-stable'
          target: 'http://localhost:8080/v2/'
          rules_file_name: '.zap/rules.tsv'
          # -a: include alpha passive scan rules; -j: also run the AJAX spider
          cmd_options: '-a -j'
          # Do not open GitHub issues for findings; fail the job if the scan reports alerts
          allow_issue_writing: false
          fail_action: true