-
Notifications
You must be signed in to change notification settings - Fork 44
224 lines (208 loc) · 7.64 KB
/
individual-image-scanner-quay.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
---
name: Fetch security scan results from quay
on:
push:
branches:
- main
workflow_dispatch:
workflow_run:
workflows:
- "Build and push images to quay"
branches:
- main
types:
- completed
permissions: read-all
env:
AUTH_BEARER_TOKEN: ${{ secrets.AUTH_BEARER_TOKEN }}
quay_url: "https://quay.io/api/v1/repository/redhat-pipeline-service"
jobs:
scans:
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' }}
outputs:
ci-runner-output: ${{ steps.ci-runner-scan.outputs.VULNERABILITIES_EXIST }}
dependencies-update-output: ${{ steps.dependencies-update-scan.outputs.VULNERABILITIES_EXIST }}
e2e-test-runner-output: ${{ steps.e2e-test-runner-scan.outputs.VULNERABILITIES_EXIST }}
devenv-output: ${{ steps.devenv-scan.outputs.VULNERABILITIES_EXIST }}
quay-upload-output: ${{ steps.quay-upload-scan.outputs.VULNERABILITIES_EXIST }}
static-checks-output: ${{ steps.static-checks-scan.outputs.VULNERABILITIES_EXIST }}
vulnerability-scan-output: ${{ steps.vulnerability-scan.outputs.VULNERABILITIES_EXIST }}
steps:
- uses: actions/checkout@v4
- uses: dorny/paths-filter@v2
id: filter
with:
filters: |
ci-runner:
- 'ci/images/ci-runner/**'
- 'shared/**'
dependencies-update:
- '.github/workflows/build-push-images.yaml'
- 'developer/images/dependencies/**'
- 'shared/**'
devenv:
- 'developer/images/devenv/**'
- 'shared/**'
e2e-test-runner:
- 'ci/images/e2e-test-runner/**'
- 'shared/**'
quay-upload:
- 'ci/quay-upload/**'
static-checks:
- 'ci/images/static-checks/**'
- 'shared/**'
vulnerability:
- 'ci/images/vulnerability-scan/**'
- name: ci-runner scan
continue-on-error: true
id: ci-runner-scan
if: steps.filter.outputs.ci-runner == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: ci-runner
- name: dependencies-update scan
continue-on-error: true
id: dependencies-update-scan
if: steps.filter.outputs.dependencies-update == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: dependencies-update
- name: devenv scan
continue-on-error: true
id: devenv-scan
if: steps.filter.outputs.devenv == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: devenv
- name: quay-upload scan
continue-on-error: true
id: quay-upload-scan
if: steps.filter.outputs.quay-upload == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: quay-upload
- name: static-checks scan
continue-on-error: true
id: static-checks-scan
if: steps.filter.outputs.static-checks == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: static-checks
- name: vulnerability scan
continue-on-error: true
id: vulnerability-scan
if: steps.filter.outputs.vulnerability == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: vulnerability-scan
- name: e2e-test-runner scan
continue-on-error: true
id: e2e-test-runner-scan
if: steps.filter.outputs.e2e-test-runner == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: e2e-test-runner
check-results:
runs-on: ubuntu-latest
needs: scans
if: always()
steps:
- name: Check ci-runner results
id: check-ci-runner-results
if: always()
run: |
res=${{ needs.scans.outputs.ci-runner-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with ci-runner image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check dependencies-update results
id: check-dependencies-update-results
if: always()
run: |
res=${{ needs.scans.outputs.dependencies-update-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with dependencies-update image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check devenv results
id: check-devenv-results
if: always()
run: |
res=${{ needs.scans.outputs.devenv-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with devenv image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check quay-upload results
id: check-quay-upload-results
if: always()
run: |
res=${{ needs.scans.outputs.quay-upload-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with quay-upload image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check static-checks results
id: check-static-checks-results
if: always()
run: |
res=${{ needs.scans.outputs.static-checks-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with static-checks image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check vulnerability-scan results
id: check-vulnerability-scan-results
if: always()
run: |
res=${{ needs.scans.outputs.vulnerability-scan-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with vulnerability-scan image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check e2e-test-runner results
id: check-e2e-test-runner-results
if: always()
run: |
res=${{ needs.scans.outputs.e2e-test-runner-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with e2e-test-runner image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi