Setup CI/CD Integration

We support CI/CD integration via RESTful APIs and provide GitHub Actions for easy integration with GitHub repositories.

This guide will use GitHub as an example.

Add CI/CD for Docker Image Build

First, let's assume that the target repository has no CI/CD pipeline set up and we'd like to add an automatic Docker build and push. To do so, we create a build.yml file under the .github/workflows folder.

name: Publish Docker image

on:
  release:
    types: [published]

jobs:
  push_to_registry:
    name: Push Docker image to Docker Hub
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
      attestations: write
      id-token: write
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: target/image

      - name: Build and push Docker image
        id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: index.docker.io/target/image
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true

The workflow is self-explanatory: it checks out the repository, logs in to Docker Hub with the given username and password, builds the Docker image, pushes it to Docker Hub, and finally generates a build provenance attestation for the pushed image digest.

Add Deepbits Integration

To use the Deepbits platform to scan the build artifacts, we modify the build.yml slightly to a) save the Docker image to a local file and b) send that file to the Deepbits platform.

      - name: Build and push Docker image
        id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=docker,dest=/tmp/image.tar

      - name: Deepbits SBOM Action
        uses: DeepBitsTechnology/[email protected]
        id: deepbits
        with:
          apiKey: ${{ secrets.API_KEY }}
          path: /tmp/image.tar
          project: project_id

The project_id is the ID of the Deepbits project the scan results should be added to, and the API key stored in the API_KEY secret can be created on the Deepbits platform.

The link to the scan result will be added to the GitHub Actions summary page.
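Two things tend to drift when this change is made by hand: the scan step's path stops matching the dest= written by the build step, and the attestation step keeps referencing a step id that was renamed. The following lint is an added example, not part of the Deepbits documentation; it runs over a constructed workflow fragment (the Deepbits action reference in it is a placeholder for the real action name and version) and also flags an apiKey that is not a GitHub secret.

```python
import re

# Constructed workflow fragment modelled on the page's build.yml (not the project's own file);
# the Deepbits action ref is a placeholder for the real action name and version.
WORKFLOW = """\
    steps:
      - name: Build and push Docker image
        id: push
        uses: docker/build-push-action@v6
        with:
          push: true
          outputs: type=docker,dest=/tmp/image.tar
      - name: Deepbits SBOM Action
        uses: DeepBitsTechnology/ACTION_NAME@VERSION
        id: deepbits
        with:
          apiKey: ${{ secrets.API_KEY }}
          path: /tmp/image.tar
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-digest: ${{ steps.push.outputs.digest }}
"""

def split_steps(text):
    """Flatten each '- name:' step into a dict of key -> value (nested 'with:' keys included)."""
    steps, cur = [], None
    for line in text.splitlines():
        if re.match(r"\s*- name:", line):
            steps.append(cur := {})
        m = re.match(r"\s*-?\s*([\w-]+):\s*(.*)$", line)
        if cur is not None and m:
            cur[m.group(1)] = m.group(2).strip()
    return steps

def lint(text):
    """Return wiring problems; an empty list means the scan step matches the build step."""
    steps = split_steps(text)
    ids = {s["id"] for s in steps if "id" in s}
    # every dest= in a build step's outputs is a tarball the scan step may point at
    saved = {p for s in steps for p in re.findall(r"dest=([^,\s]+)", s.get("outputs", ""))}
    problems = []
    for s in steps:
        if s.get("uses", "").startswith("DeepBitsTechnology/"):
            if s.get("path") not in saved:
                problems.append(f"scan path {s.get('path')!r} is not written by any build step")
            if not s.get("apiKey", "").startswith("${{ secrets."):
                problems.append("apiKey must come from a GitHub secret, not a literal value")
        for ref in re.findall(r"steps\.([\w-]+)\.outputs", " ".join(s.values())):
            if ref not in ids:  # e.g. subject-digest pointing at a step whose id was renamed
                problems.append(f"steps.{ref} is referenced but no step has id {ref!r}")
    return problems
```

Run lint() against the real build.yml text in a pre-commit hook or a separate workflow job; a non-empty list should fail the check before the pipeline ships an image that was never scanned.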