Feature/1234 voting app to Main

.github/workflows/build-scan.yaml

@@ -0,0 +1,112 @@
+name: Build & Scan with Sysdig (Docker Hub)
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+permissions:
+  contents: read
+
+jobs:
+  build-and-scan:
+    runs-on: ubuntu-latest
+
+    env:
+      REGISTRY: docker.io
+      REPO: ${{ secrets.REGISTRY_USER }}
+      SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }}
+      SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      # --- Build Containers ---
+      - name: Build vote image
+        run: docker build -t $REGISTRY/$REPO/vote:latest ./vote
+
+      - name: Build worker image
+        run: docker build -t $REGISTRY/$REPO/worker:latest ./worker
+
+      - name: Build result image
+        run: docker build -t $REGISTRY/$REPO/result:latest ./result
+
+
+      - name: Install Sysdig CLI Scanner
+        run: |
+          LATEST_VERSION=$(curl -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)
+          curl -Lo sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${LATEST_VERSION}/linux/amd64/sysdig-cli-scanner"
+          chmod +x sysdig-cli-scanner
+          sudo mv sysdig-cli-scanner /usr/local/bin/
+          sysdig-cli-scanner --version
+
+
+      # --- Environment images ---
+      - name: Debug environment variables
+        env:
+          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+          REPO: ${{ secrets.REGISTRY_USER }}
+          SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }}
+          SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}      
+        run: |
+          echo "REGISTRY_USER = $REGISTRY_USER"
+          echo "REGISTRY_TOKEN (masked) = $REGISTRY_TOKEN"
+          echo "REPO = $REPO"
+          echo "SYSDIG_SECURE_URL = $SYSDIG_SECURE_URL"
+          echo "SYSDIG_SECURE_TOKEN = $SYSDIG_SECURE_TOKEN"
+
+      - name: Scan vote image
+        # env:
+        #   SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }}
+        #   SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+        run: |
+          export SECURE_API_TOKEN=b7de0bae-8dfd-4bfc-b372-2fb2bdf05918 
+          sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/dockersamples/examplevotingapp_vote:before || true
+
+
+      # - name: Scan vote image
+      #   env:
+      #     SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }}
+      #     SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+      #   run: |
+      #     sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_vote:before
+
+      - name: Scan worker image
+        env:
+          SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }}
+          SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+        run: |
+          sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_worker:latest || true
+
+      - name: Scan result image
+        env:
+          SYSDIG_SECURE_URL: ${{ secrets.SYSDIG_SECURE_URL }}
+          SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+        run: |
+          sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/$REPO/examplevotingapp_result:latest || true
+
+      # # # --- Optional: Push images to Docker Hub (only if scans passed) ---
+      # - name: Push vote image
+      #   run: docker push docker.io/cloudcode510/examplevotingapp_vote:latest
+      # #   run: docker push $REGISTRY/$REPO/examplevotingapp_vote:latest
+
+      # - name: Push worker image
+      #   run: docker push docker.io/cloudcode510/examplevotingapp_worker:latest
+
+      # - name: Push result image
+      #   run: docker push docker.io/cloudcode510/examplevotingapp_result:latest
+
+      # # - name: Push result image
+      # #   run: docker push $REGISTRY/$REPO/examplevotingapp_result:latest

.github/workflows/iac-scan.yaml

@@ -0,0 +1,26 @@
+name: IaC Scan
+
+on:
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  iac-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Sysdig CLI Scanner
+        run: |
+          LATEST_VERSION=$(curl -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)
+          curl -Lo sysdig-cli-scanner "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${LATEST_VERSION}/linux/amd64/sysdig-cli-scanner"
+          chmod +x sysdig-cli-scanner
+          sudo mv sysdig-cli-scanner /usr/local/bin/
+          sysdig-cli-scanner --version
+
+      - name: IaC scan
+        env:
+          SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+        run: |
+          sysdig-cli-scanner --iac -r -f H --apiurl ${{ secrets.SYSDIG_SECURE_URL }} .

scan-logs

@@ -0,0 +1,10 @@
+{"level":"info","version":"1.23.0","commit":"92edf73","time":"2025-11-04T18:07:45-05:00","message":"Starting analysis with Sysdig scanner"}
+{"level":"info","time":"2025-11-04T18:07:45-05:00","message":"Using path for the cache: /Users/owner/Library/Caches/inlineScannerCache.db"}
+{"level":"info","time":"2025-11-04T18:07:45-05:00","message":"Using local MainDB (skipping DB update)"}
+{"level":"info","time":"2025-11-04T18:07:45-05:00","message":"Using cached DB file on path /usr/local/bin/main.db/sysdig-db-data"}
+{"level":"info","time":"2025-11-04T18:07:45-05:00","message":"Offline mode enabled for file analyzers"}
+{"level":"info","time":"2025-11-04T18:07:45-05:00","message":"standalone mode, we won't perform calls to backend"}
+{"level":"info","time":"2025-11-04T18:07:45-05:00","message":"Loading MainDB V3 from: /usr/local/bin/main.db/sysdig-db-data"}
+{"level":"info","time":"2025-11-04T18:07:45-05:00","message":"Done: MainDB V3 loaded"}
+{"level":"info","imgName":"scan","time":"2025-11-04T18:07:45-05:00","message":"Retrieving image"}
+{"level":"error","error":"Unable to get image: image not found from loader","time":"2025-11-04T18:07:57-05:00","message":"Exiting now"}

votingapp_scan.logs

@@ -0,0 +1,129 @@
+{"level":"info","version":"1.23.0","commit":"92edf73","time":"2025-11-04T17:47:03-05:00","message":"Starting analysis with Sysdig scanner"}
+{"level":"info","time":"2025-11-04T17:47:03-05:00","message":"Using path for the cache: /Users/owner/Library/Caches/inlineScannerCache.db"}
+{"level":"info","dbVersion":"V3","time":"2025-11-04T17:47:04-05:00","message":"Vuln DB version detected"}
+{"level":"info","time":"2025-11-04T17:47:04-05:00","message":"Retrieving MainDB"}
+{"level":"info","time":"2025-11-04T17:47:04-05:00","message":"Using local MainDB located at /usr/local/bin/main.db/sysdig-db-data since it is already up to date"}
+{"level":"info","time":"2025-11-04T17:47:04-05:00","message":"Using cached DB file on path /usr/local/bin/main.db/sysdig-db-data"}
+{"level":"info","error":"failed parsing OnPrem version : Malformed version: ","time":"2025-11-04T17:47:04-05:00","message":"unable to get onPrem version, will assume SaaS environment"}
+{"level":"info","time":"2025-11-04T17:47:04-05:00","message":"Loading MainDB V3 from: /usr/local/bin/main.db/sysdig-db-data"}
+{"level":"info","time":"2025-11-04T17:47:04-05:00","message":"Done: MainDB V3 loaded"}
+{"level":"info","imgName":"pull://nginx:latest","time":"2025-11-04T17:47:04-05:00","message":"Retrieving image"}
+{"level":"info","time":"2025-11-04T17:47:05-05:00","message":"first platform available in manifest is (linux/amd64), will use it"}
+{"level":"info","imgName":"pull://nginx:latest","time":"2025-11-04T17:47:06-05:00","message":"Done: image retrieved"}
+{"level":"info","time":"2025-11-04T17:47:06-05:00","message":"Start analyzing image"}
+{"level":"info","url":"https://app.us4.sysdig.com/api/scanning/sbom/v2/base-images/search","layersDigest":["sha256:36d06fe0cbc654e5f67d58c960ed33e53127e4a3288d8ce6f6a60a9c311794d4","sha256:6e19587ac5416790488e2e259fbb4e14ea409908bff5a4aab5e01760fc63c15a","sha256:8feb164cd673e978e6287e249339b5fa20d7aa46ebd09923092ae74dec88419a","sha256:2ced4cd78a7bdbb622141c41c9e83772f7f81dedd43527ec2df07c8fa6632f08","sha256:99cd1b1b6a4397c3835be9a48d6c04fdd8997bb15f29d0cb2cfcbaf3844b0d24","sha256:d81df94f8d07136711ea4ff25d1f14b8a9aad1e6816ab46ce25c840ddc8f326e","sha256:d7217c60dca400c2c3e6367dd67b30cf429e1d21a0f258ec37c0abb7a446ffbe"],"time":"2025-11-04T17:47:09-05:00","message":"base images resolved"}
+{"level":"info","assetID":"sha256:d261fd19cb63238535ab80d4e1be1d9e7f6c8b5a28a820188968dd3e6f06072d","pullstring":"nginx:latest","analyzerInfo":{"version":"v0.0.0-20251013122706-5c1e12a97f07"},"time":"2025-11-04T17:47:09-05:00","message":"{\"shouldExtract\":true}\n"}
+{"level":"info","time":"2025-11-04T17:47:09-05:00","message":"Start matching vulnerabilities"}
+{"level":"info","time":"2025-11-04T17:47:09-05:00","message":"Matched 150 packages"}
+{"level":"info","time":"2025-11-04T17:47:09-05:00","message":"attempting to use the latest policy model"}
+{"level":"warn","rep":"failed evaluating policies: failed to retrieve policies: failed to get policies: failed to unmarshal response body: proto: syntax error (line 1:1): invalid value <","time":"2025-11-04T17:47:10-05:00","message":"failed to evaluate with the new policy model, using the older version"}
+{"level":"info","time":"2025-11-04T17:47:10-05:00","message":"using the legacy policy model"}
+{"level":"info","time":"2025-11-04T17:47:10-05:00","message":"Start policies evaluation"}
+{"level":"info","result":"passed","time":"2025-11-04T17:47:10-05:00","message":"End policies evaluation"}
+{"level":"info","time":"2025-11-04T17:47:10-05:00","message":"Start risks acceptance evaluation"}
+{"level":"info","time":"2025-11-04T17:47:10-05:00","message":"Scan Result upload in progress"}
+{"level":"info","scan-result-id":"1874ef443ac59748faee8c01a82e2360","scan-result-url":"https://app.us4.sysdig.com/secure/#/vulnerabilities/results/1874ef443ac59748faee8c01a82e2360/overview","time":"2025-11-04T17:47:11-05:00","message":"Scan Result uploaded"}
+{"level":"info","duration":"7.103251714s","time":"2025-11-04T17:47:11-05:00","message":"Done"}
+
+
+
+sysdig-cli-scanner scan /tmp/examplevotingapp_vote.tar --standalone
+
+2025-11-04T17:43:33-05:00 Starting analysis with Sysdig scanner version 1.23.0
+2025-11-04T17:43:33-05:00 Using local MainDB (skipping DB update)...
+2025-11-04T17:43:33-05:00 Done, using cached DB
+2025-11-04T17:43:33-05:00 Loading MainDB V3...
+2025-11-04T17:43:33-05:00 Done
+2025-11-04T17:43:33-05:00 Retrieving image...
+2025-11-04T17:43:44-05:00 Unable to get image, for additional information see the logs here: /Users/owner/Documents/Sysdig/example-voting-app/scan-logs. Exiting now
+owner@Owners-MacBook-Pro example-voting-app % 
+owner@Owners-MacBook-Pro example-voting-app % 
+owner@Owners-MacBook-Pro example-voting-app % ./sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://nginx:latest
+zsh: no such file or directory: ./sysdig-cli-scanner
+owner@Owners-MacBook-Pro example-voting-app % sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://nginx:latest 
+Environment variable `SECURE_API_TOKEN` is required when standalone mode is not active. For usage help, please run with `--help`
+Cannot parse command line options
+owner@Owners-MacBook-Pro example-voting-app % 
+owner@Owners-MacBook-Pro example-voting-app % 
+owner@Owners-MacBook-Pro example-voting-app % export SECURE_API_TOKEN=b7de0bae-8dfd-4bfc-b372-2fb2bdf05918            
+owner@Owners-MacBook-Pro example-voting-app % sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://nginx:latest
+2025-11-04T17:47:03-05:00 Starting analysis with Sysdig scanner version 1.23.0
+2025-11-04T17:47:04-05:00 Retrieving MainDB...
+2025-11-04T17:47:04-05:00 Done, using cached DB
+2025-11-04T17:47:04-05:00 Loading MainDB V3...
+2025-11-04T17:47:04-05:00 Done
+2025-11-04T17:47:04-05:00 Retrieving image...
+2025-11-04T17:47:06-05:00 Done
+2025-11-04T17:47:06-05:00 Scan started...
+2025-11-04T17:47:10-05:00 Uploading image sbom to backend...
+2025-11-04T17:47:10-05:00 Uploading scanresult with sbom to backend...
+2025-11-04T17:47:11-05:00 Done
+2025-11-04T17:47:11-05:00 Total execution time 7.103295234s
+
+Type: dockerImage
+ImageID: sha256:d261fd19cb63238535ab80d4e1be1d9e7f6c8b5a28a820188968dd3e6f06072d
+Digest: sha256:1beed3ca46acebe9d3fb62e9067f03d05d5bfa97a00f30938a0a3580563272ad
+BaseOS: debian 13.1
+PullString: nginx:latest
+
+92 vulnerabilities found
+2 Critical (0 fixable)
+12 High (0 fixable)
+3 Medium (0 fixable)
+5 Low (0 fixable)
+70 Negligible (0 fixable)
+
+                            POLICIES EVALUATION
+    Policy: Sysdig Best Practices PASSED (0 failures - 0 risks accepted)
+
+Policies evaluation PASSED at 2025-11-04T17:47:11-05:00
+Full image results here: https://app.us4.sysdig.com/secure/#/vulnerabilities/results/1874ef443ac59748faee8c01a82e2360/overview (id 1874ef443ac59748faee8c01a82e2360)
+Execution logs written to: /Users/owner/Documents/Sysdig/example-voting-app/scan-logs
+
+
+sysdig-cli-scanner -a https://app.us4.sysdig.com/secure pull://docker.io/dockersamples/examplevotingapp_vote:latest
+2025-11-04T17:49:47-05:00 Starting analysis with Sysdig scanner version 1.23.0
+2025-11-04T17:49:47-05:00 Retrieving MainDB...
+2025-11-04T17:49:47-05:00 Done, using cached DB
+2025-11-04T17:49:48-05:00 Loading MainDB V3...
+2025-11-04T17:49:48-05:00 Done
+2025-11-04T17:49:48-05:00 Retrieving image...
+2025-11-04T17:49:49-05:00 Done
+2025-11-04T17:49:49-05:00 Scan started...
+2025-11-04T17:49:52-05:00 Uploading image sbom to backend...
+2025-11-04T17:49:52-05:00 Uploading scanresult with sbom to backend...
+2025-11-04T17:49:53-05:00 Done
+2025-11-04T17:49:53-05:00 Total execution time 5.795543946s
+
+Type: dockerImage
+ImageID: sha256:50482f268ba1f32ac1d4ff623cf76ad4d44a946d3d106db2a1fedbe8467abf7a
+Digest: sha256:7102d3b952ec84e3541ee12e7217e320c52aed60b13501c3158f46376a907466
+BaseOS: debian 12.7
+PullString: docker.io/dockersamples/examplevotingapp_vote:latest
+
+181 vulnerabilities found
+8 Critical (5 fixable)
+41 High (27 fixable)
+49 Medium (33 fixable)
+10 Low (5 fixable)
+73 Negligible (0 fixable)
+
+
+    PACKAGE      TYPE       VERSION        SUGGESTED FIX    CRITICAL  HIGH  MEDIUM  LOW  NEGLIGIBLE  EXPLOIT  
+  libsqlite3-0    os        3.40.1-2      3.40.1-2+deb12u2     3       1      0      0       3          0     
+  libssl3         os    3.0.14-1~deb12u2  3.0.17-1~deb12u3     1       3      1      0       1          0     
+  openssl         os    3.0.14-1~deb12u2  3.0.17-1~deb12u3     1       3      1      0       1          0     
+  perl-base       os    5.36.0-7+deb12u1  5.36.0-7+deb12u2     1       2      0      0       2          0     
+  setuptools    python       65.5.1            70.0.0          1       1      0      0       0          0     
+  libgnutls30     os    3.7.9-2+deb12u3   3.7.9-2+deb12u5      0       4      1      0       1          0     
+  libexpat1       os    2.5.0-1+deb12u1   2.5.0-1+deb12u2      0       4      0      0       2          0     
+  Jinja2        python       3.1.4             3.1.5           0       3      0      0       0          0     
+  libc-bin        os     2.36-9+deb12u8   2.36-9+deb12u10      0       2      1      0       7          0     
+  libc6           os     2.36-9+deb12u8   2.36-9+deb12u10      0       2      1      0       7          0     
+
+                                                                POLICIES EVALUATION
+    Policy: Sysdig Best Practices FAILED (55 failures - 0 risks accepted)
+
+Policies evaluation FAILED at 2025-11-04T17:49:53-05:00
+Full image results here: https://app.us4.sysdig.com/secure/#/vulnerabilities/results/1874ef69f37af240c36eb62e30f4a0d0/overview (id 1874ef69f37af240c36eb62e30f4a0d0)
+Execution logs written to: /Users/owner/Documents/Sysdig/example-voting-app/scan-logs