Skip to content

Fetch security scan results from quay #761

Fetch security scan results from quay

Fetch security scan results from quay #761

---
name: Fetch security scan results from quay
on:
push:
branches:
- main
workflow_dispatch:
workflow_run:
workflows:
- "Build and push images to quay"
branches:
- main
types:
- completed
permissions: read-all
env:
AUTH_BEARER_TOKEN: ${{ secrets.AUTH_BEARER_TOKEN }}
quay_url: "https://quay.io/api/v1/repository/redhat-pipeline-service"
jobs:
scans:
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' }}
outputs:
access-setup-output: ${{ steps.access-setup-scan.outputs.VULNERABILITIES_EXIST }}
ci-runner-output: ${{ steps.ci-runner-scan.outputs.VULNERABILITIES_EXIST }}
cluster-setup-output: ${{ steps.cluster-setup-scan.outputs.VULNERABILITIES_EXIST }}
dependencies-update-output: ${{ steps.dependencies-update-scan.outputs.VULNERABILITIES_EXIST }}
e2e-test-runner-output: ${{ steps.e2e-test-runner-scan.outputs.VULNERABILITIES_EXIST }}
devenv-output: ${{ steps.devenv-scan.outputs.VULNERABILITIES_EXIST }}
quay-upload-output: ${{ steps.quay-upload-scan.outputs.VULNERABILITIES_EXIST }}
static-checks-output: ${{ steps.static-checks-scan.outputs.VULNERABILITIES_EXIST }}
update-pipeline-service-output: ${{ steps.update-pipeline-service-scan.outputs.VULNERABILITIES_EXIST }}
vulnerability-scan-output: ${{ steps.vulnerability-scan.outputs.VULNERABILITIES_EXIST }}
steps:
- uses: actions/checkout@v2
- uses: dorny/paths-filter@v2
id: filter
with:
filters: |
access-setup:
- 'operator/images/access-setup/**'
- 'shared/**'
ci-runner:
- 'ci/images/ci-runner/**'
- 'shared/**'
cluster-setup:
- 'operator/images/cluster-setup/**'
- 'shared/**'
dependencies-update:
- '.github/workflows/build-push-images.yaml'
- 'developer/images/dependencies/**'
- 'shared/**'
devenv:
- 'developer/images/devenv/**'
- 'shared/**'
e2e-test-runner:
- 'ci/images/e2e-test-runner/**'
- 'shared/**'
quay-upload:
- 'ci/quay-upload/**'
static-checks:
- 'ci/images/static-checks/**'
- 'shared/**'
update-pipeline-service:
- 'operator/images/update-pipeline-service/**'
- 'shared/**'
vulnerability:
- 'ci/images/vulnerability-scan/**'
- name: access-setup scan
continue-on-error: true
id: access-setup-scan
if: steps.filter.outputs.access-setup == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: access-setup
- name: ci-runner scan
continue-on-error: true
id: ci-runner-scan
if: steps.filter.outputs.ci-runner == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: ci-runner
- name: cluster-setup scan
continue-on-error: true
id: cluster-setup-scan
if: steps.filter.outputs.cluster-setup == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: cluster-setup
- name: dependencies-update scan
continue-on-error: true
id: dependencies-update-scan
if: steps.filter.outputs.dependencies-update == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: dependencies-update
- name: devenv scan
continue-on-error: true
id: devenv-scan
if: steps.filter.outputs.devenv == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: devenv
- name: quay-upload scan
continue-on-error: true
id: quay-upload-scan
if: steps.filter.outputs.quay-upload == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: quay-upload
- name: static-checks scan
continue-on-error: true
id: static-checks-scan
if: steps.filter.outputs.static-checks == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: static-checks
- name: update-pipeline-service scan
continue-on-error: true
id: update-pipeline-service-scan
if: steps.filter.outputs.update-pipeline-service == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: update-pipeline-service
- name: vulnerability scan
continue-on-error: true
id: vulnerability-scan
if: steps.filter.outputs.vulnerability == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: vulnerability-scan
- name: e2e-test-runner scan
continue-on-error: true
id: e2e-test-runner-scan
if: steps.filter.outputs.e2e-test-runner == 'true'
run: |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
env:
IMAGE_NAME: e2e-test-runner
check-results:
runs-on: ubuntu-latest
needs: scans
if: always()
steps:
- name: Check access-setup results
id: check-access-setup-results
if: always()
run: |
res=${{ needs.scans.outputs.access-setup-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with access-setup image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check ci-runner results
id: check-ci-runner-results
if: always()
run: |
res=${{ needs.scans.outputs.ci-runner-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with ci-runner image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check cluster-setup results
id: check-cluster-setup-results
if: always()
run: |
res=${{ needs.scans.outputs.cluster-setup-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with cluster-setup image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check dependencies-update results
id: check-dependencies-update-results
if: always()
run: |
res=${{ needs.scans.outputs.dependencies-update-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with dependencies-update image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check devenv results
id: check-devenv-results
if: always()
run: |
res=${{ needs.scans.outputs.devenv-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with devenv image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check quay-upload results
id: check-quay-upload-results
if: always()
run: |
res=${{ needs.scans.outputs.quay-upload-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with quay-upload image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check static-checks results
id: check-static-checks-results
if: always()
run: |
res=${{ needs.scans.outputs.static-checks-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with static-checks image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check update-pipeline-service results
id: check-update-pipeline-service-results
if: always()
run: |
res=${{ needs.scans.outputs.update-pipeline-service-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with update-pipeline-service image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check vulnerability-scan results
id: check-vulnerability-scan-results
if: always()
run: |
res=${{ needs.scans.outputs.vulnerability-scan-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with vulnerability-scan image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi
- name: Check e2e-test-runner results
id: check-e2e-test-runner-results
if: always()
run: |
res=${{ needs.scans.outputs.e2e-test-runner-output }}
res=${res:=0}
if [[ $res != 0 ]]; then
echo "Vulnerabilities found with e2e-test-runner image. Please check scans job for more details."
exit 1
else
echo "No vulnerabilities found"
fi