Skip to content

Fetch security scan results from quay #1287

Fetch security scan results from quay

Fetch security scan results from quay #1287

---
name: Fetch security scan results from quay
on:
push:
branches:
- main
workflow_dispatch:
workflow_run:
workflows:
- "Build and push images to quay"
branches:
- main
types:
- completed
permissions: read-all
env:
AUTH_BEARER_TOKEN: ${{ secrets.AUTH_BEARER_TOKEN }}
quay_url: "https://quay.io/api/v1/repository/redhat-pipeline-service"
jobs:
scans:
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' }}
outputs:
ci-runner-output: ${{ steps.ci-runner-scan.outputs.VULNERABILITIES_EXIST }}
dependencies-update-output: ${{ steps.dependencies-update-scan.outputs.VULNERABILITIES_EXIST }}
e2e-test-runner-output: ${{ steps.e2e-test-runner-scan.outputs.VULNERABILITIES_EXIST }}
quay-upload-output: ${{ steps.quay-upload-scan.outputs.VULNERABILITIES_EXIST }}
static-checks-output: ${{ steps.static-checks-scan.outputs.VULNERABILITIES_EXIST }}
vulnerability-scan-output: ${{ steps.vulnerability-scan.outputs.VULNERABILITIES_EXIST }}
steps:
- uses: actions/checkout@v4
- uses: dorny/paths-filter@v2
id: filter
with:
filters: |
ci-runner:
- 'ci/images/ci-runner/**'
- 'shared/**'
dependencies-update:
- '.github/workflows/build-push-images.yaml'
- 'developer/images/dependencies/**'
- 'shared/**'
e2e-test-runner:
- 'ci/images/e2e-test-runner/**'
- 'shared/**'
quay-upload:
- 'ci/quay-upload/**'
static-checks:
- 'ci/images/static-checks/**'
- 'shared/**'
vulnerability:
- 'ci/images/vulnerability-scan/**'
- name: ci-runner scan
continue-on-error: true
id: ci-runner-scan
if: steps.filter.outputs.ci-runner == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: ci-runner
- name: dependencies-update scan
continue-on-error: true
id: dependencies-update-scan
if: steps.filter.outputs.dependencies-update == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: dependencies-update
- name: quay-upload scan
continue-on-error: true
id: quay-upload-scan
if: steps.filter.outputs.quay-upload == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: quay-upload
- name: static-checks scan
continue-on-error: true
id: static-checks-scan
if: steps.filter.outputs.static-checks == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: static-checks
- name: vulnerability scan
continue-on-error: true
id: vulnerability-scan
if: steps.filter.outputs.vulnerability == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: vulnerability-scan
- name: e2e-test-runner scan
continue-on-error: true
id: e2e-test-runner-scan
if: steps.filter.outputs.e2e-test-runner == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: e2e-test-runner
check-results:
runs-on: ubuntu-latest
needs: scans
if: always()
steps:
- name: Check ci-runner results
id: check-ci-runner-results
if: always()
run: |
res=${{ needs.scans.outputs.ci-runner-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with ci-runner image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check dependencies-update results
id: check-dependencies-update-results
if: always()
run: |
res=${{ needs.scans.outputs.dependencies-update-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with dependencies-update image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check quay-upload results
id: check-quay-upload-results
if: always()
run: |
res=${{ needs.scans.outputs.quay-upload-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with quay-upload image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check static-checks results
id: check-static-checks-results
if: always()
run: |
res=${{ needs.scans.outputs.static-checks-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with static-checks image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check vulnerability-scan results
id: check-vulnerability-scan-results
if: always()
run: |
res=${{ needs.scans.outputs.vulnerability-scan-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with vulnerability-scan image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check e2e-test-runner results
id: check-e2e-test-runner-results
if: always()
run: |
res=${{ needs.scans.outputs.e2e-test-runner-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with e2e-test-runner image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi