.github/workflows/individual-image-scanner-quay.yaml

---
name: Fetch security scan results from quay
on:
  push:
    branches:
      - main
  workflow_dispatch:
  workflow_run:
    workflows:
      - "Build and push images to quay"
    branches:
      - main
    types:
      - completed
permissions: read-all
env:
  AUTH_BEARER_TOKEN: ${{ secrets.AUTH_BEARER_TOKEN }}
  quay_url: "https://quay.io/api/v1/repository/redhat-pipeline-service"

jobs:
  scans:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    outputs:
      access-setup-output: ${{ steps.access-setup-scan.outputs.VULNERABILITIES_EXIST }}
      ci-runner-output: ${{ steps.ci-runner-scan.outputs.VULNERABILITIES_EXIST }}
      cluster-setup-output: ${{ steps.cluster-setup-scan.outputs.VULNERABILITIES_EXIST }}
      dependencies-update-output: ${{ steps.dependencies-update-scan.outputs.VULNERABILITIES_EXIST }}
      e2e-test-runner-output: ${{ steps.e2e-test-runner-scan.outputs.VULNERABILITIES_EXIST }}
      devenv-output: ${{ steps.devenv-scan.outputs.VULNERABILITIES_EXIST }}
      quay-upload-output: ${{ steps.quay-upload-scan.outputs.VULNERABILITIES_EXIST }}
      static-checks-output: ${{ steps.static-checks-scan.outputs.VULNERABILITIES_EXIST }}
      vulnerability-scan-output: ${{ steps.vulnerability-scan.outputs.VULNERABILITIES_EXIST }}
    steps:
      - uses: actions/checkout@v2

      - uses: dorny/paths-filter@v2
        id: filter
        with:
          filters: |
            access-setup:
              - 'operator/images/access-setup/**'
              - 'shared/**'
            ci-runner:
              - 'ci/images/ci-runner/**'
              - 'shared/**'
            cluster-setup:
              - 'operator/images/cluster-setup/**'
              - 'shared/**'
            dependencies-update:
              - '.github/workflows/build-push-images.yaml'
              - 'developer/images/dependencies/**'
              - 'shared/**'
            devenv:
              - 'developer/images/devenv/**'
              - 'shared/**'
            e2e-test-runner:
              - 'ci/images/e2e-test-runner/**'
              - 'shared/**'
            quay-upload:
              - 'ci/quay-upload/**'
            static-checks:
              - 'ci/images/static-checks/**'
              - 'shared/**'
            vulnerability:
              - 'ci/images/vulnerability-scan/**'

      - name: access-setup scan
        continue-on-error: true
        id: access-setup-scan
        if: steps.filter.outputs.access-setup == 'true'
        run: |
          ./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
          echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
        env:
          IMAGE_NAME: access-setup

      - name: ci-runner scan
        continue-on-error: true
        id: ci-runner-scan
        if: steps.filter.outputs.ci-runner == 'true'
        run: |
          ./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
          echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
        env:
          IMAGE_NAME: ci-runner

      - name: cluster-setup scan
        continue-on-error: true
        id: cluster-setup-scan
        if: steps.filter.outputs.cluster-setup == 'true'
        run: |
          ./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
          echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
        env:
          IMAGE_NAME: cluster-setup

      - name: dependencies-update scan
        continue-on-error: true
        id: dependencies-update-scan
        if: steps.filter.outputs.dependencies-update == 'true'
        run: |
          ./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
          echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
        env:
          IMAGE_NAME: dependencies-update

      - name: devenv scan
        continue-on-error: true
        id: devenv-scan
        if: steps.filter.outputs.devenv == 'true'
        run: |
          ./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
          echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
        env:
          IMAGE_NAME: devenv

      - name: quay-upload scan
        continue-on-error: true
        id: quay-upload-scan
        if: steps.filter.outputs.quay-upload == 'true'
        run: |
          ./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
          echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
        env:
          IMAGE_NAME: quay-upload

      - name: static-checks scan
        continue-on-error: true
        id: static-checks-scan
        if: steps.filter.outputs.static-checks == 'true'
        run: |
          ./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
          echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
        env:
          IMAGE_NAME: static-checks

      - name: vulnerability scan
        continue-on-error: true
        id: vulnerability-scan
        if: steps.filter.outputs.vulnerability == 'true'
        run: |
          ./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
          echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
        env:
          IMAGE_NAME: vulnerability-scan

      - name: e2e-test-runner scan
        continue-on-error: true
        id: e2e-test-runner-scan
        if: steps.filter.outputs.e2e-test-runner == 'true'
        run: |
          ./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
          echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
        env:
          IMAGE_NAME: e2e-test-runner

  check-results:
    runs-on: ubuntu-latest
    needs: scans
    if: always()
    steps:
      - name: Check access-setup results
        id: check-access-setup-results
        if: always()
        run: |
          res=${{ needs.scans.outputs.access-setup-output }}
          res=${res:=0}
          if [[ $res != 0 ]]; then
            echo "Vulnerabilities found with access-setup image. Please check scans job for more details."
            exit 1
          else
            echo "No vulnerabilities found"
          fi

      - name: Check ci-runner results
        id: check-ci-runner-results
        if: always()
        run: |
          res=${{ needs.scans.outputs.ci-runner-output }}
          res=${res:=0}
          if [[ $res != 0 ]]; then
            echo "Vulnerabilities found with ci-runner image. Please check scans job for more details."
            exit 1
          else
            echo "No vulnerabilities found"
          fi

      - name: Check cluster-setup results
        id: check-cluster-setup-results
        if: always()
        run: |
          res=${{ needs.scans.outputs.cluster-setup-output }}
          res=${res:=0}
          if [[ $res != 0 ]]; then
            echo "Vulnerabilities found with cluster-setup image. Please check scans job for more details."
            exit 1
          else
            echo "No vulnerabilities found"
          fi

      - name: Check dependencies-update results
        id: check-dependencies-update-results
        if: always()
        run: |
          res=${{ needs.scans.outputs.dependencies-update-output }}
          res=${res:=0}
          if [[ $res != 0 ]]; then
            echo "Vulnerabilities found with dependencies-update image. Please check scans job for more details."
            exit 1
          else
            echo "No vulnerabilities found"
          fi

      - name: Check devenv results
        id: check-devenv-results
        if: always()
        run: |
          res=${{ needs.scans.outputs.devenv-output }}
          res=${res:=0}
          if [[ $res != 0 ]]; then
            echo "Vulnerabilities found with devenv image. Please check scans job for more details."
            exit 1
          else
            echo "No vulnerabilities found"
          fi

      - name: Check quay-upload results
        id: check-quay-upload-results
        if: always()
        run: |
          res=${{ needs.scans.outputs.quay-upload-output }}
          res=${res:=0}
          if [[ $res != 0 ]]; then
            echo "Vulnerabilities found with quay-upload image. Please check scans job for more details."
            exit 1
          else
            echo "No vulnerabilities found"
          fi

      - name: Check static-checks results
        id: check-static-checks-results
        if: always()
        run: |
          res=${{ needs.scans.outputs.static-checks-output }}
          res=${res:=0}
          if [[ $res != 0 ]]; then
            echo "Vulnerabilities found with static-checks image. Please check scans job for more details."
            exit 1
          else
            echo "No vulnerabilities found"
          fi

      - name: Check vulnerability-scan results
        id: check-vulnerability-scan-results
        if: always()
        run: |
          res=${{ needs.scans.outputs.vulnerability-scan-output }}
          res=${res:=0}
          if [[ $res != 0 ]]; then
            echo "Vulnerabilities found with vulnerability-scan image. Please check scans job for more details."
            exit 1
          else
            echo "No vulnerabilities found"
          fi

      - name: Check e2e-test-runner results
        id: check-e2e-test-runner-results
        if: always()
        run: |
          res=${{ needs.scans.outputs.e2e-test-runner-output }}
          res=${res:=0}
          if [[ $res != 0 ]]; then
            echo "Vulnerabilities found with e2e-test-runner image. Please check scans job for more details."
            exit 1
          else
            echo "No vulnerabilities found"
          fi