Fetch security scan results from quay #1081
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Fetch security scan results from quay | |
on: | |
push: | |
branches: | |
- main | |
workflow_dispatch: | |
workflow_run: | |
workflows: | |
- "Build and push images to quay" | |
branches: | |
- main | |
types: | |
- completed | |
permissions: read-all | |
env: | |
AUTH_BEARER_TOKEN: ${{ secrets.AUTH_BEARER_TOKEN }} | |
quay_url: "https://quay.io/api/v1/repository/redhat-pipeline-service" | |
jobs: | |
scans: | |
runs-on: ubuntu-latest | |
if: ${{ github.event.workflow_run.conclusion == 'success' }} | |
outputs: | |
ci-runner-output: ${{ steps.ci-runner-scan.outputs.VULNERABILITIES_EXIST }} | |
dependencies-update-output: ${{ steps.dependencies-update-scan.outputs.VULNERABILITIES_EXIST }} | |
e2e-test-runner-output: ${{ steps.e2e-test-runner-scan.outputs.VULNERABILITIES_EXIST }} | |
devenv-output: ${{ steps.devenv-scan.outputs.VULNERABILITIES_EXIST }} | |
quay-upload-output: ${{ steps.quay-upload-scan.outputs.VULNERABILITIES_EXIST }} | |
static-checks-output: ${{ steps.static-checks-scan.outputs.VULNERABILITIES_EXIST }} | |
vulnerability-scan-output: ${{ steps.vulnerability-scan.outputs.VULNERABILITIES_EXIST }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: dorny/paths-filter@v2 | |
id: filter | |
with: | |
filters: | | |
ci-runner: | |
- 'ci/images/ci-runner/**' | |
- 'shared/**' | |
dependencies-update: | |
- '.github/workflows/build-push-images.yaml' | |
- 'developer/images/dependencies/**' | |
- 'shared/**' | |
devenv: | |
- 'developer/images/devenv/**' | |
- 'shared/**' | |
e2e-test-runner: | |
- 'ci/images/e2e-test-runner/**' | |
- 'shared/**' | |
quay-upload: | |
- 'ci/quay-upload/**' | |
static-checks: | |
- 'ci/images/static-checks/**' | |
- 'shared/**' | |
vulnerability: | |
- 'ci/images/vulnerability-scan/**' | |
- name: ci-runner scan | |
continue-on-error: true | |
id: ci-runner-scan | |
if: steps.filter.outputs.ci-runner == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: ci-runner | |
- name: dependencies-update scan | |
continue-on-error: true | |
id: dependencies-update-scan | |
if: steps.filter.outputs.dependencies-update == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: dependencies-update | |
- name: devenv scan | |
continue-on-error: true | |
id: devenv-scan | |
if: steps.filter.outputs.devenv == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: devenv | |
- name: quay-upload scan | |
continue-on-error: true | |
id: quay-upload-scan | |
if: steps.filter.outputs.quay-upload == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: quay-upload | |
- name: static-checks scan | |
continue-on-error: true | |
id: static-checks-scan | |
if: steps.filter.outputs.static-checks == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: static-checks | |
- name: vulnerability scan | |
continue-on-error: true | |
id: vulnerability-scan | |
if: steps.filter.outputs.vulnerability == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: vulnerability-scan | |
- name: e2e-test-runner scan | |
continue-on-error: true | |
id: e2e-test-runner-scan | |
if: steps.filter.outputs.e2e-test-runner == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: e2e-test-runner | |
check-results: | |
runs-on: ubuntu-latest | |
needs: scans | |
if: always() | |
steps: | |
- name: Check ci-runner results | |
id: check-ci-runner-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.ci-runner-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with ci-runner image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check dependencies-update results | |
id: check-dependencies-update-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.dependencies-update-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with dependencies-update image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check devenv results | |
id: check-devenv-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.devenv-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with devenv image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check quay-upload results | |
id: check-quay-upload-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.quay-upload-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with quay-upload image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check static-checks results | |
id: check-static-checks-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.static-checks-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with static-checks image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check vulnerability-scan results | |
id: check-vulnerability-scan-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.vulnerability-scan-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with vulnerability-scan image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check e2e-test-runner results | |
id: check-e2e-test-runner-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.e2e-test-runner-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with e2e-test-runner image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi |