diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 00000000..db85134d
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,52 @@
+name: CI Docker Scout
+
+on:
+ push:
+ branches:
+ - main
+ - fix/attestation-docs
+ pull_request:
+
+jobs:
+ scout:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Docker
+ uses: docker/setup-buildx-action@v3
+
+ # Login a Docker Hub
+ - name: Login to Docker Hub
+ run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
+
+ # Instalar Docker Scout
+ - name: Install Docker Scout
+ run: |
+ curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
+
+ # Verificar instalación
+ - name: Verify installation
+ run: docker scout version
+
+ # Ejecutar análisis
+ - name: Run Docker Scout Quickview
+ run: docker scout quickview alpine
+
+ - name: Run Docker Scout CVEs
+ run: docker scout cves alpine
+
+ # =========================
+ # PRUEBAS UNITARIAS
+ # =========================
+
+ - name: Install Python
+ run: sudo apt-get update && sudo apt-get install -y python3 python3-pip
+
+ - name: Install pytest
+ run: pip3 install pytest
+
+ - name: Run unit tests
+ run: pytest
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
deleted file mode 100644
index 5818871f..00000000
--- a/.github/workflows/release-branch.yml
+++ /dev/null
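Review bot: The `Login to Docker Hub` step interpolates `secrets.DOCKER_PASSWORD` into a shell `run:` command line, and the `Install Docker Scout` step pipes `install.sh` from the unpinned `main` branch of scout-cli straight into `sh`, so neither the credential handling nor the binary that every later step trusts is auditable or reproducible. Use `docker/login-action` (the deleted release-branch.yml already did) so the secret never becomes part of a shell command, download the install script from a pinned release ref and verify its digest before running it, and add `permissions: contents: read` to the `scout` job so the default `GITHUB_TOKEN` is not write-capable. Note also that `pull_request` runs from forks receive no secrets, so the login step will fail there unless the job is gated (for example on `github.event.pull_request.head.repo.fork == false`) or the Scout steps are made to tolerate an anonymous run; the rewritten steps are below with the pinned values left as placeholders.
```yaml
jobs:
  scout:
    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:
      # … unchanged: checkout and buildx setup …

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Install Docker Scout
        env:
          SCOUT_CLI_REF: "<pinned release tag>"            # placeholder: a released tag, not main
          SCOUT_INSTALL_SHA256: "<sha256 of install.sh>"   # placeholder: digest of that exact script
        run: |
          curl -sSfL "https://raw.githubusercontent.com/docker/scout-cli/${SCOUT_CLI_REF}/install.sh" -o install.sh
          echo "${SCOUT_INSTALL_SHA256}  install.sh" | sha256sum -c -
          sh install.sh

      # … unchanged: verify, quickview, cves and python/pytest steps …
```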
@@ -1,82 +0,0 @@ -name: Test and Release - -on: - pull_request: - types: - - opened - - reopened - - synchronize - workflow_dispatch: - -jobs: - test: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Hub Login - uses: docker/login-action@v2 - with: - username: ${{ secrets.DOCKER_USER }} - password: ${{ secrets.DOCKER_PAT }} - - name: Prepare scout binary - run: | - tar -xf dist/docker-scout_*_linux_amd64.tar.gz -C . - chmod +x docker-scout - - name: TEST docker scout version - run: ./docker-scout version - - name: TEST docker scout quickview - run: ./docker-scout quickview alpine:latest - - name: TEST docker scout cves - run: ./docker-scout cves docker/scout-demo-service:main - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Build - uses: docker/build-push-action@v5 - with: - context: https://github.com/docker/scout-demo-service.git#fix-all-cves - push: false - load: true - tags: docker/scout-demo-service:fix - - name: TEST docker scout compare - run: ./docker-scout compare registry://docker/scout-demo-service:main --to local://docker/scout-demo-service:fix - - release: - if: startsWith(github.head_ref, 'release/v') - permissions: - contents: write - outputs: - tag: ${{ steps.tagname.outputs.value }} - runs-on: ubuntu-latest - needs: test - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Tag name - uses: mad9000/actions-find-and-replace-string@2 - id: tagname - with: - source: ${{ github.head_ref }} - find: 'release/' - replace: '' - - name: Merge and Tag - run: | - git config --unset-all http.https://github.com/.extraheader - git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com" - git config --global user.name "${GITHUB_ACTOR}" - git merge --ff-only origin/${{ github.head_ref }} - git tag ${{ steps.tagname.outputs.value }} - git push https://${GITHUB_ACTOR}:${{ 
secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git HEAD:main --tags - - create_release: - needs: - - release - uses: ./.github/workflows/release.yml - permissions: - contents: write - with: - tag: ${{ needs.release.outputs.tag }} \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index 565fef61..00000000 --- a/.github/workflows/release.yml +++ /dev/null @@ -1,34 +0,0 @@ -name: release - -on: - push: - tags: - - 'v*.*.*' - workflow_dispatch: - workflow_call: - inputs: - tag: - required: true - type: string - description: "The tag to release" - -jobs: - release: - runs-on: ubuntu-latest - permissions: - contents: write - env: - RELEASE_REF: ${{ github.event_name == 'push' && github.ref_name || inputs.tag }} - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - ref: ${{ env.RELEASE_REF }} - - name: Create Release - uses: softprops/action-gh-release@v1 - with: - draft: true - tag_name: ${{ env.RELEASE_REF }} - files: | - dist/docker-scout_* diff --git a/README.md b/README.md index 2bd0ee7f..e044683b 100644 --- a/README.md +++ b/README.md 
@@ -393,9 +393,33 @@ definitions: docker: memory: 2048 # Optional: Increase if needed ``` +## Attestation Commands + +The following attestation subcommands are available: + +### docker scout attest get +Retrieve attestation data for a specific image. + +Example: +docker scout attest get + +### docker scout attest list +List available attestations for an image. + +Example: +docker scout attest list + +### Additional Flags + +--predicate-type +Specifies the type of predicate for filtering attestations. + +--verify +Verifies the integrity and authenticity of the image. This example assumes two secrets to be available to authenticate against Docker Hub, called `DOCKER_HUB_USER` and `DOCKER_HUB_PAT`, also is necessary more two secrets called `CI_REGISTRY`, `CI_REGISTRY_IMAGE` about registry info. ## License The Docker Scout CLI is licensed under the Terms and Conditions of the [Docker Subscription Service Agreement](https://www.docker.com/legal/docker-subscription-service-agreement/). + diff --git a/test_scout.py b/test_scout.py new file mode 100644 index 00000000..9fba2d24 --- /dev/null +++ b/test_scout.py @@ -0,0 +1,18 @@ +import subprocess + +def test_docker_scout_installed(): + result = subprocess.run( + ["docker", "scout", "version"], + capture_output=True, + text=True + ) + assert result.returncode == 0 + + +def test_docker_scout_quickview(): + result = subprocess.run( + ["docker", "scout", "quickview", "alpine"], + capture_output=True, + text=True + ) + assert "Target" in result.stdout \ No newline at end of file
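Review bot: `test_docker_scout_quickview` asserts only on `result.stdout`, so when `docker scout quickview` exits non-zero with its message on stderr the test fails with an empty-string substring diff instead of the real error; add `assert result.returncode == 0, result.stderr` before the substring check and attach the output to it, `assert "Target" in result.stdout, result.stdout`. Both tests shell out to a `docker` binary and (per the ci.yml hunk) to a logged-in Docker Hub session, so they are integration tests; guard them with `@pytest.mark.skipif(shutil.which("docker") is None, reason="docker not on PATH")` so a local `pytest` run without Docker reports skips rather than spurious failures. `alpine` is a moving tag, so the quickview output, and any future CVE-count assertion, drifts over time; pin a digest if the tests are meant to be reproducible. The file also has no trailing newline.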