ehlxr/docker_practice
1
0
Fork 0
mirror of https://github.com/yeasy/docker_practice.git synced 2026-03-11 20:31:18 +00:00
Code Issues Projects Releases Wiki Activity

Upgrade GitHub Actions and Cosign in security docs

Browse Source
This commit is contained in:
yeasy
2026-03-09 18:02:17 -07:00
parent 53f20dede7
commit 83ba6b7b47
1 changed files with 9 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
18_security/18.6_image_security.md
View File

@@ -300,7 +300,7 @@ FROM ubuntu:latest
RUN apt-get update && apt-get install -y curl RUN apt-get update && apt-get install -y curl
# ✓ 推荐:固定基础镜像版本和摘要 # ✓ 推荐:固定基础镜像版本和摘要
FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e6... FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e6e0e14...(完整 64 位哈希)
RUN apt-get update && apt-get install -y curl=7.68.0-1ubuntu1 RUN apt-get update && apt-get install -y curl=7.68.0-1ubuntu1
``` ```
@@ -320,7 +320,7 @@ RUN apk add --no-cache curl && \
RUN go build -o app . RUN go build -o app .
FROM alpine:3.17@sha256:abcd... FROM alpine:3.17@sha256:abcd1234...(请替换为实际完整的 64 位摘要哈希)
COPY --from=builder /app/app /app COPY --from=builder /app/app /app
``` ```
@@ -405,13 +405,13 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v3 uses: actions/checkout@v4
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v3
- name: Build Docker image - name: Build Docker image
uses: docker/build-push-action@v4 uses: docker/build-push-action@v6
with: with:
context: . context: .
push: false push: false
@@ -427,7 +427,7 @@ jobs:
severity: 'HIGH,CRITICAL' severity: 'HIGH,CRITICAL'
- name: Upload Trivy results to GitHub Security tab - name: Upload Trivy results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2 uses: github/codeql-action/upload-sarif@v3
with: with:
sarif_file: 'trivy-results.sarif' sarif_file: 'trivy-results.sarif'
@@ -439,28 +439,26 @@ jobs:
output-file: sbom-cyclonedx.json output-file: sbom-cyclonedx.json
- name: Upload SBOM - name: Upload SBOM
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v4
with: with:
name: sbom name: sbom
path: sbom-cyclonedx.json path: sbom-cyclonedx.json
- name: Sign image with Cosign - name: Sign image with Cosign
if: github.event_name == 'push' if: github.event_name == 'push'
env:
COSIGN_EXPERIMENTAL: 1
run: | run: |
cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Login to Registry and Push - name: Login to Registry and Push
if: github.event_name == 'push' if: github.event_name == 'push'
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: ${{ env.REGISTRY }} registry: ${{ env.REGISTRY }}
username: ${{ github.actor }} username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Push image - name: Push image
uses: docker/build-push-action@v4 uses: docker/build-push-action@v6
with: with:
context: . context: .
push: true push: true