From 1a96b41205baec0a0c7c42db6d8df9e11b76c499 Mon Sep 17 00:00:00 2001 From: danielafoggiattonpu Date: Thu, 30 Oct 2025 11:40:06 -0300 Subject: [PATCH 1/8] adicionando workflow desafio 3 --- .github/workflows/03-build-containers.yml | 45 ++++++++++++++++++++--- 1 file changed, 40 insertions(+), 5 deletions(-) diff --git a/.github/workflows/03-build-containers.yml b/.github/workflows/03-build-containers.yml index cbddc24..871e33a 100644 --- a/.github/workflows/03-build-containers.yml +++ b/.github/workflows/03-build-containers.yml @@ -1,9 +1,9 @@ name: "Nível 3: Containers e Segurança" on: - pull_request: - types: [closed] - branches: [ desafio-nivel-3 ] + push: + branches: + - desafio-nivel-3 # Roda no push direto da branch do fork permissions: contents: read 
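Review bot: Replacing the `pull_request` / `types: [closed]` trigger with `push` on `desafio-nivel-3` removes the merge gate the original shape implied (the job's `if: #????` placeholder, deleted in the next hunk, was presumably meant to become `github.event.pull_request.merged == true`), so every commit pushed to that branch — including a force-push — now runs the build and, with the `packages: write` scope this workflow carried at the time, republishes the `latest` image. If the intent is "publish only when a PR into the branch is merged", keep `pull_request` with `branches: [ desafio-nivel-3 ]` and put `if: github.event.pull_request.merged == true` on the job; if direct pushes are really the intended path, protect the branch so the publishing token is not reachable from an unreviewed commit. The `permissions:` block continues past the end of this hunk.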
@@ -13,15 +13,50 @@ env: CHALLENGE_LEVEL: 3 CHALLENGE_NAME: "containers-e-seguranca" REGISTRY: ghcr.io + IMAGE_NAME: "nivel-3-app" # Nome da imagem Docker + TAG: "latest" jobs: build-scan-and-push: name: "Build, Lint, Trivy Scan e Push no GHCR" - if: #???? runs-on: ubuntu-latest steps: - # AQUI VAI O CÓDIGO DO DESAFIO :) + - name: "Checkout do código" + uses: actions/checkout@v4 + + - name: "Instalar Docker e Trivy" + run: | + sudo apt update + sudo apt install -y docker.io + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh + + - name: "Build da imagem Docker" + run: | + docker build -t $IMAGE_NAME:$TAG . + + - name: "Lint do Dockerfile com Hadolint" + run: | + sudo wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 + sudo chmod +x /usr/local/bin/hadolint + hadolint Dockerfile + + + - name: "Scan de vulnerabilidades com Trivy" + run: | + trivy image --exit-code 1 --severity CRITICAL $IMAGE_NAME:$TAG + + - name: "Login no GitHub Container Registry" + uses: docker/login-action@v2 + with: + registry: $REGISTRY + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: "Push da imagem no GHCR" + run: | + docker tag $IMAGE_NAME:$TAG $REGISTRY/${{ github.repository }}:$TAG + docker push $REGISTRY/${{ github.repository }}:$TAG generate-certificate: # DAQUI PARA BAIXO, NÃO ALTERAR name: "Desafio Nível 3 - Certificado" From f3ad959f97f1362998ab356a08c51f3d3a7605b3 Mon Sep 17 00:00:00 2001 From: danielafoggiattonpu Date: Thu, 30 Oct 2025 11:42:50 -0300 Subject: [PATCH 2/8] agora sim --- .github/workflows/03-build-containers.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/03-build-containers.yml b/.github/workflows/03-build-containers.yml index 871e33a..475a3b0 100644 --- a/.github/workflows/03-build-containers.yml +++ b/.github/workflows/03-build-containers.yml 
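Review bot: `registry: $REGISTRY` in the `docker/login-action` step is not shell-expanded — `with:` inputs are literal strings, so the action receives the text `$REGISTRY` rather than `ghcr.io`; write `registry: ${{ env.REGISTRY }}` (the `$IMAGE_NAME`/`$TAG` references inside `run:` blocks are fine because `env:` is exported to the shell). Trivy is installed with `curl -sfL …/trivy/main/contrib/install.sh | sudo sh`, an unpinned script from a mutable branch executed as root on a runner that later holds a `packages: write` token; download a specific release and verify its checksum instead, and pin `actions/checkout` and `docker/login-action` to a commit SHA rather than a floating `@v4`/`@v2` tag. The gate `trivy image --exit-code 1 --severity CRITICAL` lets every HIGH finding through to the push; `--severity HIGH,CRITICAL` is the more usual threshold for an image that is about to be published.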
@@ -25,11 +25,12 @@ jobs: - name: "Checkout do código" uses: actions/checkout@v4 - - name: "Instalar Docker e Trivy" + - name: "Instalar Trivy e Hadolint" run: | - sudo apt update - sudo apt install -y docker.io curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh + sudo wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 + sudo chmod +x /usr/local/bin/hadolint + - name: "Build da imagem Docker" run: | From 1e311fb4ec59ae87c68572c588e757edf4ee5406 Mon Sep 17 00:00:00 2001 From: danielafoggiattonpu Date: Thu, 30 Oct 2025 11:45:11 -0300 Subject: [PATCH 3/8] dani --- .github/workflows/03-build-containers.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/03-build-containers.yml b/.github/workflows/03-build-containers.yml index 475a3b0..0d0ce8e 100644 --- a/.github/workflows/03-build-containers.yml +++ b/.github/workflows/03-build-containers.yml @@ -25,12 +25,10 @@ jobs: - name: "Checkout do código" uses: actions/checkout@v4 - - name: "Instalar Trivy e Hadolint" + - name: "Instalar Trivy" run: | curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh - sudo wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 - sudo chmod +x /usr/local/bin/hadolint - + sudo mv trivy /usr/local/bin/ - name: "Build da imagem Docker" run: | From 7100900be38f5ac78119fe42e0eee7de8d17adfd Mon Sep 17 00:00:00 2001 From: danielafoggiattonpu Date: Thu, 30 Oct 2025 11:47:49 -0300 Subject: [PATCH 4/8] agora vaiiii --- .github/workflows/03-build-containers.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/03-build-containers.yml b/.github/workflows/03-build-containers.yml index 0d0ce8e..2499985 100644 --- a/.github/workflows/03-build-containers.yml +++ b/.github/workflows/03-build-containers.yml 
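Review bot: `sudo mv trivy /usr/local/bin/` after the `curl … install.sh | sudo sh` line presumably will not find a `trivy` file in the working directory — Trivy's `contrib/install.sh` installs into `./bin` unless given `-b <dir>`, so either pass the target through (`curl -sfL … | sudo sh -s -- -b /usr/local/bin`) or, better, download a specific release tarball and verify its checksum instead of piping an unpinned script from `main` into a root shell. Verify the script's default install directory before relying on either form.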
@@ -25,8 +25,13 @@ jobs: - name: "Checkout do código" uses: actions/checkout@v4 - - name: "Instalar Trivy" + - name: "Instalar Hadolint e Trivy" run: | + # Hadolint + sudo wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 + sudo chmod +x /usr/local/bin/hadolint + + # Trivy curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh sudo mv trivy /usr/local/bin/ @@ -34,13 +39,10 @@ jobs: run: | docker build -t $IMAGE_NAME:$TAG . - - name: "Lint do Dockerfile com Hadolint" + - name: "Lint do Dockerfile" run: | - sudo wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 - sudo chmod +x /usr/local/bin/hadolint hadolint Dockerfile - - name: "Scan de vulnerabilidades com Trivy" run: | trivy image --exit-code 1 --severity CRITICAL $IMAGE_NAME:$TAG From 60f6268546dbeee81a319acf63b625e09ca0d79e Mon Sep 17 00:00:00 2001 From: danielafoggiattonpu Date: Thu, 30 Oct 2025 11:49:57 -0300 Subject: [PATCH 5/8] sim --- .github/workflows/03-build-containers.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/workflows/03-build-containers.yml b/.github/workflows/03-build-containers.yml index 2499985..685a558 100644 --- a/.github/workflows/03-build-containers.yml +++ b/.github/workflows/03-build-containers.yml 
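Review bot: `hadolint Dockerfile` still runs after `docker build -t $IMAGE_NAME:$TAG .`, so the lint gate only fires once a full image build has already happened; move the `Lint do Dockerfile` step ahead of the build step so a Dockerfile that fails lint is rejected before any build work and before the Trivy scan. Both hadolint and Trivy are fetched with `wget`/`curl` as root in the install step of the first hunk without any integrity check; at minimum compare the download against the release's published SHA-256 (`echo "<expected-sha256>  /usr/local/bin/hadolint" | sha256sum -c -`) before `chmod +x`, and treat the `curl … | sudo sh` from `main` as the higher-priority item to replace with a pinned release.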
@@ -25,15 +25,13 @@ jobs: - name: "Checkout do código" uses: actions/checkout@v4 - - name: "Instalar Hadolint e Trivy" + - name: "Instalar Trivy" run: | - # Hadolint - sudo wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 - sudo chmod +x /usr/local/bin/hadolint - - # Trivy - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh + curl -L -o trivy.tar.gz https://github.com/aquasecurity/trivy/releases/download/v0.46.1/trivy_0.46.1_Linux-64bit.tar.gz + tar zxvf trivy.tar.gz sudo mv trivy /usr/local/bin/ + trivy --version + - name: "Build da imagem Docker" run: | From e13c547b7ba197c63620f32d0f95d537f7c612ac Mon Sep 17 00:00:00 2001 From: danielafoggiattonpu Date: Thu, 30 Oct 2025 11:52:40 -0300 Subject: [PATCH 6/8] nova atual --- .github/workflows/03-build-containers.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/03-build-containers.yml b/.github/workflows/03-build-containers.yml index 685a558..af9d7ea 100644 --- a/.github/workflows/03-build-containers.yml +++ b/.github/workflows/03-build-containers.yml @@ -25,14 +25,24 @@ jobs: - name: "Checkout do código" uses: actions/checkout@v4 - - name: "Instalar Trivy" + - name: "Instalar Hadolint e Trivy" run: | + # Hadolint + wget -O hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 + chmod +x hadolint + sudo mv hadolint /usr/local/bin/ + + # Trivy curl -L -o trivy.tar.gz https://github.com/aquasecurity/trivy/releases/download/v0.46.1/trivy_0.46.1_Linux-64bit.tar.gz tar zxvf trivy.tar.gz sudo mv trivy /usr/local/bin/ + + # Verificar versões + hadolint --version trivy --version + - name: "Build da imagem Docker" run: | docker build -t $IMAGE_NAME:$TAG . From ec97bf45999e1da769fdcfd372c091700cf836fa Mon Sep 17 00:00:00 2001 
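Review bot: Pinning Trivy to the v0.46.1 release tarball is the right direction, but `curl -L -o trivy.tar.gz …` followed by `tar zxvf trivy.tar.gz` still trusts whatever the download returns — there is no integrity check, and `-L` without `-f` will save an HTML error page on a failed request and only fail later inside `tar`. Insert `echo "<expected-sha256>  trivy.tar.gz" | sha256sum -c -` between the download and the extract (the value comes from the checksums asset published with that release — verify the exact asset name), use `curl -fsSL`, and extract only the binary with `tar zxf trivy.tar.gz trivy` so other files from the archive do not land in the workspace. v0.46.1 is also an old Trivy line; confirm it still fetches a current vulnerability database before relying on it as the only gate. The same missing checksum applies to the hadolint `wget` added in the next hunk.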
From: danielafoggiattonpu Date: Thu, 30 Oct 2025 11:56:46 -0300 Subject: [PATCH 7/8] =?UTF-8?q?Adiciona=20workflow=20N=C3=ADvel=203:=20Con?= =?UTF-8?q?tainers=20e=20Seguran=C3=A7a?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/03-build-containers.yml | 40 +++++------------------ 1 file changed, 9 insertions(+), 31 deletions(-) diff --git a/.github/workflows/03-build-containers.yml b/.github/workflows/03-build-containers.yml index af9d7ea..bbd5c23 100644 --- a/.github/workflows/03-build-containers.yml +++ b/.github/workflows/03-build-containers.yml @@ -1,48 +1,38 @@ name: "Nível 3: Containers e Segurança" on: - push: - branches: - - desafio-nivel-3 # Roda no push direto da branch do fork - -permissions: - contents: read - packages: write + pull_request: + branches: [ desafio-nivel-3 ] env: CHALLENGE_LEVEL: 3 CHALLENGE_NAME: "containers-e-seguranca" - REGISTRY: ghcr.io - IMAGE_NAME: "nivel-3-app" # Nome da imagem Docker - TAG: "latest" + IMAGE_NAME: nivel-3-app + TAG: latest jobs: - build-scan-and-push: - name: "Build, Lint, Trivy Scan e Push no GHCR" + build-lint-scan: + name: "Build, Lint e Scan da imagem" runs-on: ubuntu-latest steps: - name: "Checkout do código" uses: actions/checkout@v4 - - name: "Instalar Hadolint e Trivy" + - name: "Instalar Docker, Hadolint e Trivy" run: | # Hadolint wget -O hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 chmod +x hadolint sudo mv hadolint /usr/local/bin/ + hadolint --version # Trivy curl -L -o trivy.tar.gz https://github.com/aquasecurity/trivy/releases/download/v0.46.1/trivy_0.46.1_Linux-64bit.tar.gz tar zxvf trivy.tar.gz sudo mv trivy /usr/local/bin/ - - # Verificar versões - hadolint --version trivy --version - - - name: "Build da imagem Docker" run: | docker build -t $IMAGE_NAME:$TAG . 
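Review bot: Dropping the whole `permissions:` block, not just `packages: write`, makes the job run with the repository's default `GITHUB_TOKEN` permissions, which can be read/write on every scope depending on repository settings — a step back from least privilege even though the push step is removed in the next hunk; keep `permissions:` with `contents: read`, the only scope the remaining checkout/build/scan steps need. The switch to `pull_request` is otherwise sound: on PRs from forks the token is read-only and secrets are withheld, so unreviewed code no longer runs next to a publishing credential. The renamed step `Instalar Docker, Hadolint e Trivy` no longer installs Docker (the `apt install docker.io` lines were removed in an earlier patch), so `Instalar Hadolint e Trivy` describes what it does. The job's remaining steps continue past the end of this hunk.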
@@ -55,21 +45,9 @@ jobs: run: | trivy image --exit-code 1 --severity CRITICAL $IMAGE_NAME:$TAG - - name: "Login no GitHub Container Registry" - uses: docker/login-action@v2 - with: - registry: $REGISTRY - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: "Push da imagem no GHCR" - run: | - docker tag $IMAGE_NAME:$TAG $REGISTRY/${{ github.repository }}:$TAG - docker push $REGISTRY/${{ github.repository }}:$TAG - generate-certificate: # DAQUI PARA BAIXO, NÃO ALTERAR name: "Desafio Nível 3 - Certificado" - needs: build-scan-and-push + needs: build-lint-scan if: success() runs-on: ubuntu-latest steps: From a129462dd12cd160a1e6235ecb6fff272a093c72 Mon Sep 17 00:00:00 2001 From: danielafoggiattonpu Date: Thu, 30 Oct 2025 12:14:08 -0300 Subject: [PATCH 8/8] Update 03-build-containers.yml --- .github/workflows/03-build-containers.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/03-build-containers.yml b/.github/workflows/03-build-containers.yml index bbd5c23..aff2bf7 100644 --- a/.github/workflows/03-build-containers.yml +++ b/.github/workflows/03-build-containers.yml @@ -4,6 +4,7 @@ on: pull_request: branches: [ desafio-nivel-3 ] + env: CHALLENGE_LEVEL: 3 CHALLENGE_NAME: "containers-e-seguranca"