Guides

Setup CI/CD Integration

Suggest Edits

We support CI/CD integration via RESTful APIs and provide GitHub Actions for easy integration with GitHub repositories.

This guide will use GitHub as an example.

Add CI/CD for Docker Image Build

First, let's assume that the target repository has no CI/CD pipeline set up, and we'd like to add automatic Docker build and push to the pipeline. To do so, we create build.yml file under .github/workflows folder. 

name: Publish Docker image

on:
  release:
    types: [published]

jobs:
  push_to_registry:
    name: Push Docker image to Docker Hub
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
      attestations: write
      id-token: write
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: target/image

      - name: Build and push Docker image
        id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      
      
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: index.docker.io/target/image
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true

The build script is very self-explanatory. It first clones the repository from GitHub, builds a Docker image, and pushes it to Docker Hub via the given username and password.

Add Deepbits Integration

To use the Deepbits platform to scan the build artifacts, we need to modify thebuild.yml slightly to a) save the Docker image to a local file, and b) send the image to the Deepbits platform. 

      - name: Build and push Docker image
        id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=docker,dest=/tmp/image.tar

      - name: Deepbits SBOM Action
        uses: DeepBitsTechnology/[email protected]
        id: deepbits
        with:
          apiKey: ${{ secrets.API_KEY }}
          path: /tmp/image.tar
          project: project_id

The project_id is the id of the project you'd like to add to, and the API_KEY can be created from the Deepbits platform.

The link to the scan result will be added to the GitHub Actions summary page.

Updated 4 months ago