Fetch security scan results from quay #699

Workflow file for this run

.github/workflows/individual-image-scanner-quay.yaml at 0f225fb

	---
	name: Fetch security scan results from quay
	on:
	push:
	branches:
	- main
	workflow_dispatch:
	workflow_run:
	workflows:
	- "Build and push images to quay"
	branches:
	- main
	types:
	- completed
	permissions: read-all
	env:
	AUTH_BEARER_TOKEN: ${{ secrets.AUTH_BEARER_TOKEN }}
	quay_url: "https://quay.io/api/v1/repository/redhat-pipeline-service"

	jobs:
	scans:
	runs-on: ubuntu-latest
	if: ${{ github.event.workflow_run.conclusion == 'success' }}
	outputs:
	access-setup-output: ${{ steps.access-setup-scan.outputs.VULNERABILITIES_EXIST }}
	ci-runner-output: ${{ steps.ci-runner-scan.outputs.VULNERABILITIES_EXIST }}
	cluster-setup-output: ${{ steps.cluster-setup-scan.outputs.VULNERABILITIES_EXIST }}
	dependencies-update-output: ${{ steps.dependencies-update-scan.outputs.VULNERABILITIES_EXIST }}
	e2e-test-runner-output: ${{ steps.e2e-test-runner-scan.outputs.VULNERABILITIES_EXIST }}
	devenv-output: ${{ steps.devenv-scan.outputs.VULNERABILITIES_EXIST }}
	quay-upload-output: ${{ steps.quay-upload-scan.outputs.VULNERABILITIES_EXIST }}
	static-checks-output: ${{ steps.static-checks-scan.outputs.VULNERABILITIES_EXIST }}
	update-pipeline-service-output: ${{ steps.update-pipeline-service-scan.outputs.VULNERABILITIES_EXIST }}
	vulnerability-scan-output: ${{ steps.vulnerability-scan.outputs.VULNERABILITIES_EXIST }}
	steps:
	- uses: actions/checkout@v2

	- uses: dorny/paths-filter@v2
	id: filter
	with:
	filters: \|
	access-setup:
	- 'operator/images/access-setup/**'
	- 'shared/**'
	ci-runner:
	- 'ci/images/ci-runner/**'
	- 'shared/**'
	cluster-setup:
	- 'operator/images/cluster-setup/**'
	- 'shared/**'
	dependencies-update:
	- '.github/workflows/build-push-images.yaml'
	- 'developer/images/dependencies/**'
	- 'shared/**'
	devenv:
	- 'developer/images/devenv/**'
	- 'shared/**'
	e2e-test-runner:
	- 'ci/images/e2e-test-runner/**'
	- 'shared/**'
	quay-upload:
	- 'ci/quay-upload/**'
	static-checks:
	- 'ci/images/static-checks/**'
	- 'shared/**'
	update-pipeline-service:
	- 'operator/images/update-pipeline-service/**'
	- 'shared/**'
	vulnerability:
	- 'ci/images/vulnerability-scan/**'

	- name: access-setup scan
	continue-on-error: true
	id: access-setup-scan
	if: steps.filter.outputs.access-setup == 'true'
	run: \|
	./ci/images/vulnerability-scan/scan-image.sh \| tee /tmp/clair-scan.log
	echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
	env:
	IMAGE_NAME: access-setup

	- name: ci-runner scan
	continue-on-error: true
	id: ci-runner-scan
	if: steps.filter.outputs.ci-runner == 'true'
	run: \|
	./ci/images/vulnerability-scan/scan-image.sh \| tee /tmp/clair-scan.log
	echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
	env:
	IMAGE_NAME: ci-runner

	- name: cluster-setup scan
	continue-on-error: true
	id: cluster-setup-scan
	if: steps.filter.outputs.cluster-setup == 'true'
	run: \|
	./ci/images/vulnerability-scan/scan-image.sh \| tee /tmp/clair-scan.log
	echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
	env:
	IMAGE_NAME: cluster-setup

	- name: dependencies-update scan
	continue-on-error: true
	id: dependencies-update-scan
	if: steps.filter.outputs.dependencies-update == 'true'
	run: \|
	./ci/images/vulnerability-scan/scan-image.sh \| tee /tmp/clair-scan.log
	echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
	env:
	IMAGE_NAME: dependencies-update

	- name: devenv scan
	continue-on-error: true
	id: devenv-scan
	if: steps.filter.outputs.devenv == 'true'
	run: \|
	./ci/images/vulnerability-scan/scan-image.sh \| tee /tmp/clair-scan.log
	echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
	env:
	IMAGE_NAME: devenv

	- name: quay-upload scan
	continue-on-error: true
	id: quay-upload-scan
	if: steps.filter.outputs.quay-upload == 'true'
	run: \|
	./ci/images/vulnerability-scan/scan-image.sh \| tee /tmp/clair-scan.log
	echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
	env:
	IMAGE_NAME: quay-upload

	- name: static-checks scan
	continue-on-error: true
	id: static-checks-scan
	if: steps.filter.outputs.static-checks == 'true'
	run: \|
	./ci/images/vulnerability-scan/scan-image.sh \| tee /tmp/clair-scan.log
	echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
	env:
	IMAGE_NAME: static-checks

	- name: update-pipeline-service scan
	continue-on-error: true
	id: update-pipeline-service-scan
	if: steps.filter.outputs.update-pipeline-service == 'true'
	run: \|
	./ci/images/vulnerability-scan/scan-image.sh \| tee /tmp/clair-scan.log
	echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
	env:
	IMAGE_NAME: update-pipeline-service

	- name: vulnerability scan
	continue-on-error: true
	id: vulnerability-scan
	if: steps.filter.outputs.vulnerability == 'true'
	run: \|
	./ci/images/vulnerability-scan/scan-image.sh \| tee /tmp/clair-scan.log
	echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
	env:
	IMAGE_NAME: vulnerability-scan

	- name: e2e-test-runner scan
	continue-on-error: true
	id: e2e-test-runner-scan
	if: steps.filter.outputs.e2e-test-runner == 'true'
	run: \|
	./ci/images/vulnerability-scan/scan-image.sh \| tee /tmp/clair-scan.log
	echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
	env:
	IMAGE_NAME: e2e-test-runner

	check-results:
	runs-on: ubuntu-latest
	needs: scans
	if: always()
	steps:
	- name: Check access-setup results
	id: check-access-setup-results
	if: always()
	run: \|
	res=${{ needs.scans.outputs.access-setup-output }}
	res=${res:=0}
	if [[ $res != 0 ]]; then
	echo "Vulnerabilities found with access-setup image. Please check scans job for more details."
	exit 1
	else
	echo "No vulnerabilities found"
	fi

	- name: Check ci-runner results
	id: check-ci-runner-results
	if: always()
	run: \|
	res=${{ needs.scans.outputs.ci-runner-output }}
	res=${res:=0}
	if [[ $res != 0 ]]; then
	echo "Vulnerabilities found with ci-runner image. Please check scans job for more details."
	exit 1
	else
	echo "No vulnerabilities found"
	fi

	- name: Check cluster-setup results
	id: check-cluster-setup-results
	if: always()
	run: \|
	res=${{ needs.scans.outputs.cluster-setup-output }}
	res=${res:=0}
	if [[ $res != 0 ]]; then
	echo "Vulnerabilities found with cluster-setup image. Please check scans job for more details."
	exit 1
	else
	echo "No vulnerabilities found"
	fi

	- name: Check dependencies-update results
	id: check-dependencies-update-results
	if: always()
	run: \|
	res=${{ needs.scans.outputs.dependencies-update-output }}
	res=${res:=0}
	if [[ $res != 0 ]]; then
	echo "Vulnerabilities found with dependencies-update image. Please check scans job for more details."
	exit 1
	else
	echo "No vulnerabilities found"
	fi

	- name: Check devenv results
	id: check-devenv-results
	if: always()
	run: \|
	res=${{ needs.scans.outputs.devenv-output }}
	res=${res:=0}
	if [[ $res != 0 ]]; then
	echo "Vulnerabilities found with devenv image. Please check scans job for more details."
	exit 1
	else
	echo "No vulnerabilities found"
	fi

	- name: Check quay-upload results
	id: check-quay-upload-results
	if: always()
	run: \|
	res=${{ needs.scans.outputs.quay-upload-output }}
	res=${res:=0}
	if [[ $res != 0 ]]; then
	echo "Vulnerabilities found with quay-upload image. Please check scans job for more details."
	exit 1
	else
	echo "No vulnerabilities found"
	fi

	- name: Check static-checks results
	id: check-static-checks-results
	if: always()
	run: \|
	res=${{ needs.scans.outputs.static-checks-output }}
	res=${res:=0}
	if [[ $res != 0 ]]; then
	echo "Vulnerabilities found with static-checks image. Please check scans job for more details."
	exit 1
	else
	echo "No vulnerabilities found"
	fi

	- name: Check update-pipeline-service results
	id: check-update-pipeline-service-results
	if: always()
	run: \|
	res=${{ needs.scans.outputs.update-pipeline-service-output }}
	res=${res:=0}
	if [[ $res != 0 ]]; then
	echo "Vulnerabilities found with update-pipeline-service image. Please check scans job for more details."
	exit 1
	else
	echo "No vulnerabilities found"
	fi

	- name: Check vulnerability-scan results
	id: check-vulnerability-scan-results
	if: always()
	run: \|
	res=${{ needs.scans.outputs.vulnerability-scan-output }}
	res=${res:=0}
	if [[ $res != 0 ]]; then
	echo "Vulnerabilities found with vulnerability-scan image. Please check scans job for more details."
	exit 1
	else
	echo "No vulnerabilities found"
	fi

	- name: Check e2e-test-runner results
	id: check-e2e-test-runner-results
	if: always()
	run: \|
	res=${{ needs.scans.outputs.e2e-test-runner-output }}
	res=${res:=0}
	if [[ $res != 0 ]]; then
	echo "Vulnerabilities found with e2e-test-runner image. Please check scans job for more details."
	exit 1
	else
	echo "No vulnerabilities found"
	fi

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fetch security scan results from quay #699

Workflow file

Fetch security scan results from quay #699

Jobs

Run details

Workflow file for this run