My Workflow

Docker is currently one of the main tools in the DevOps domain. You may be dealing with multiple Docker Images every day. Certainly.
In the past, I used to create and publish Docker Images manually on my own PC, Now with Github Actions, my affairs are very fast and easy and I leave everything to Github.

For example look at my repository (Memcached-Admin). It's a Dockerized PHP web application to manage Memcached server(s). I should pass these steps to use this project :

Build Image
Check and scan security vulnerabilities
Push to Dockerhub
Push to Other Docker registries

Doing these things normally will waste my time, also after planning the necessary things to build the image, it's necessary to ensure their security and the absence of security bugs. Here we have one of the best tools ... Trivy 💪. A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.

Thanks to Github Action, now we can have all things together.

I wrote simple workflows to handle the whole process.

hatamiarash7 / Memcached-Admin

Memcached admin for docker

Memcached Admin

This program allows to see in real-time (top-like) or from the start of the server, stats for get, set, delete, increment, decrement, evictions, reclaimed, cas command, as well as server stats (network, items, server version) with google charts and server internal configuration

You can go further to see each server slabs, occupation, memory wasted and items (key & value).

Another part can execute commands to any memcached server : get, set, delete, flush_all, as well as execute any commands (like stats) with telnet

Statistics

Stats for each or all memcached servers, items, evicted, reclaimed ...
Stats for every command : set, get, delete, incr, decr, cas ...
Slabs stats (Memory, pages, memory wasted, items)
Items stats (View items in slabs, then data for each key)
Network stats (Traffic, bandwidth)

Commands

Execute commands : get, set, delete, flush_all on servers to administrate or debug it
Get…

View on GitHub

Submission Category:

Maintainer Must-Haves

Yaml File or Link to Code

name: Docker Image CI

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Build the Docker image
        run: docker build -t memcached-admin:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "memcached-admin:${{ github.sha }}"
          exit-code: "1"
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"
          format: "template"
          template: "@/contrib/sarif.tpl"
          output: "trivy-results.sarif"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: "trivy-results.sarif"

This workflow has 4 simple step:

Checkout my code
Build Docker image
Scan using Trivy
Upload results to GitHub Code scanning

I can see results in Security tab of my project:

Now i can push my image to Dockerhub using another workflow:

name: Publish Dockerhub

on:
  schedule:
    - cron: "0 2 * * *"
  push:
    branches: [master]
  pull_request:
    branches: [master]

env:
  REGISTRY: docker.io
  IMAGE_NAME: hatamiarash7/memcached-admin

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Log into registry ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Build and push Docker image
        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

Another amazing feature about Github Action is that I can schedule to run my workflow. For example push image at 02:00 every day:

...

on:
  schedule:
    - cron: "0 2 * * *"

...

Now everything will be done automatically and I just need to push the changes to the repository 😍

Additional Resources / Info

I used this action: aquasecurity/trivy-action

Blog

Scan Docker images using Trivy

Arash Hatami