.github/workflows/redis-docker.yml

name: Build and Push Redis Image

on:
  push:
    branches:
      - redis
      - redis-tests

permissions:
  contents: read
  security-events: write
  packages: write

jobs:
  security-checks:
    name: Security Checks
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Run GitGuardian scan
        uses: GitGuardian/ggshield-action@master
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

      - name: Run Hadolint
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: ./Dockerfile
          format: sarif
          output-file: hadolint-results.sarif
          no-fail: true

      - name: Upload Hadolint results
        uses: github/codeql-action/upload-sarif@v2
        if: success() || failure()
        with:
          sarif_file: hadolint-results.sarif
          category: hadolint

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: python

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2

  build-and-scan:
    runs-on: ubuntu-latest
    needs: security-checks
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and export
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          tags: pbdco/aws-spotter:redis
          cache-from: type=registry,ref=pbdco/aws-spotter:redis
          cache-to: type=inline
          outputs: type=docker,dest=/tmp/redis-image.tar

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: pbdco/aws-spotter:redis
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          timeout: '10m0s'

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v2
        if: success() || failure()
        with:
          sarif_file: trivy-results.sarif
          category: trivy

      - name: Run Docker Scout
        if: success()
        uses: docker/scout-action@v1
        with:
          command: quickview,cves
          image: pbdco/aws-spotter:redis
          only-severities: critical,high
          exit-code: true

      - name: Push image
        uses: docker/build-push-action@v5
        if: success()
        with:
          context: .
          push: true
          tags: pbdco/aws-spotter:redis
          cache-from: type=registry,ref=pbdco/aws-spotter:redis
          cache-to: type=inline