Fetch security scan results from quay #761
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Fetch security scan results from quay | |
on: | |
push: | |
branches: | |
- main | |
workflow_dispatch: | |
workflow_run: | |
workflows: | |
- "Build and push images to quay" | |
branches: | |
- main | |
types: | |
- completed | |
permissions: read-all | |
env: | |
AUTH_BEARER_TOKEN: ${{ secrets.AUTH_BEARER_TOKEN }} | |
quay_url: "https://quay.io/api/v1/repository/redhat-pipeline-service" | |
jobs: | |
scans: | |
runs-on: ubuntu-latest | |
if: ${{ github.event.workflow_run.conclusion == 'success' }} | |
outputs: | |
access-setup-output: ${{ steps.access-setup-scan.outputs.VULNERABILITIES_EXIST }} | |
ci-runner-output: ${{ steps.ci-runner-scan.outputs.VULNERABILITIES_EXIST }} | |
cluster-setup-output: ${{ steps.cluster-setup-scan.outputs.VULNERABILITIES_EXIST }} | |
dependencies-update-output: ${{ steps.dependencies-update-scan.outputs.VULNERABILITIES_EXIST }} | |
e2e-test-runner-output: ${{ steps.e2e-test-runner-scan.outputs.VULNERABILITIES_EXIST }} | |
devenv-output: ${{ steps.devenv-scan.outputs.VULNERABILITIES_EXIST }} | |
quay-upload-output: ${{ steps.quay-upload-scan.outputs.VULNERABILITIES_EXIST }} | |
static-checks-output: ${{ steps.static-checks-scan.outputs.VULNERABILITIES_EXIST }} | |
update-pipeline-service-output: ${{ steps.update-pipeline-service-scan.outputs.VULNERABILITIES_EXIST }} | |
vulnerability-scan-output: ${{ steps.vulnerability-scan.outputs.VULNERABILITIES_EXIST }} | |
steps: | |
- uses: actions/checkout@v2 | |
- uses: dorny/paths-filter@v2 | |
id: filter | |
with: | |
filters: | | |
access-setup: | |
- 'operator/images/access-setup/**' | |
- 'shared/**' | |
ci-runner: | |
- 'ci/images/ci-runner/**' | |
- 'shared/**' | |
cluster-setup: | |
- 'operator/images/cluster-setup/**' | |
- 'shared/**' | |
dependencies-update: | |
- '.github/workflows/build-push-images.yaml' | |
- 'developer/images/dependencies/**' | |
- 'shared/**' | |
devenv: | |
- 'developer/images/devenv/**' | |
- 'shared/**' | |
e2e-test-runner: | |
- 'ci/images/e2e-test-runner/**' | |
- 'shared/**' | |
quay-upload: | |
- 'ci/quay-upload/**' | |
static-checks: | |
- 'ci/images/static-checks/**' | |
- 'shared/**' | |
update-pipeline-service: | |
- 'operator/images/update-pipeline-service/**' | |
- 'shared/**' | |
vulnerability: | |
- 'ci/images/vulnerability-scan/**' | |
- name: access-setup scan | |
continue-on-error: true | |
id: access-setup-scan | |
if: steps.filter.outputs.access-setup == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: access-setup | |
- name: ci-runner scan | |
continue-on-error: true | |
id: ci-runner-scan | |
if: steps.filter.outputs.ci-runner == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: ci-runner | |
- name: cluster-setup scan | |
continue-on-error: true | |
id: cluster-setup-scan | |
if: steps.filter.outputs.cluster-setup == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: cluster-setup | |
- name: dependencies-update scan | |
continue-on-error: true | |
id: dependencies-update-scan | |
if: steps.filter.outputs.dependencies-update == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: dependencies-update | |
- name: devenv scan | |
continue-on-error: true | |
id: devenv-scan | |
if: steps.filter.outputs.devenv == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: devenv | |
- name: quay-upload scan | |
continue-on-error: true | |
id: quay-upload-scan | |
if: steps.filter.outputs.quay-upload == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: quay-upload | |
- name: static-checks scan | |
continue-on-error: true | |
id: static-checks-scan | |
if: steps.filter.outputs.static-checks == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: static-checks | |
- name: update-pipeline-service scan | |
continue-on-error: true | |
id: update-pipeline-service-scan | |
if: steps.filter.outputs.update-pipeline-service == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: update-pipeline-service | |
- name: vulnerability scan | |
continue-on-error: true | |
id: vulnerability-scan | |
if: steps.filter.outputs.vulnerability == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: vulnerability-scan | |
- name: e2e-test-runner scan | |
continue-on-error: true | |
id: e2e-test-runner-scan | |
if: steps.filter.outputs.e2e-test-runner == 'true' | |
run: | | |
./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log | |
echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_NAME: e2e-test-runner | |
check-results: | |
runs-on: ubuntu-latest | |
needs: scans | |
if: always() | |
steps: | |
- name: Check access-setup results | |
id: check-access-setup-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.access-setup-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with access-setup image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check ci-runner results | |
id: check-ci-runner-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.ci-runner-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with ci-runner image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check cluster-setup results | |
id: check-cluster-setup-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.cluster-setup-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with cluster-setup image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check dependencies-update results | |
id: check-dependencies-update-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.dependencies-update-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with dependencies-update image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check devenv results | |
id: check-devenv-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.devenv-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with devenv image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check quay-upload results | |
id: check-quay-upload-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.quay-upload-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with quay-upload image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check static-checks results | |
id: check-static-checks-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.static-checks-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with static-checks image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check update-pipeline-service results | |
id: check-update-pipeline-service-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.update-pipeline-service-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with update-pipeline-service image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check vulnerability-scan results | |
id: check-vulnerability-scan-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.vulnerability-scan-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with vulnerability-scan image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi | |
- name: Check e2e-test-runner results | |
id: check-e2e-test-runner-results | |
if: always() | |
run: | | |
res=${{ needs.scans.outputs.e2e-test-runner-output }} | |
res=${res:=0} | |
if [[ $res != 0 ]]; then | |
echo "Vulnerabilities found with e2e-test-runner image. Please check scans job for more details." | |
exit 1 | |
else | |
echo "No vulnerabilities found" | |
fi |