Netcracker · nookyo · Dec 2, 2025 · Dec 2, 2025 · Dec 2, 2025 · Dec 2, 2025
@@ -155,25 +155,25 @@ secutiry_scan_for_atp:
   bot_branch_name: broadcast-security-scan
   commit_message: |
     feat(ci): add security-scan workflow to scan for vulnerabilities in dependencies
-    Related issue: https://github.com/Netcracker/qubership-workflow-hub/issues/466
+    Related issue: https://github.com/Netcracker/qubership-workflow-hub/issues/466, https://github.com/Netcracker/.github/issues/223
 secutiry_scan_for_atp_playwright:
   patterns_to_include: workflow-templates/security-scan.yml
   destination: .github/workflows
   bot_branch_name: broadcast-security-scan
   commit_message: |
     feat(ci): add security-scan workflow to scan for vulnerabilities in dependencies for ATP playwright
-    Related issue: https://github.com/Netcracker/.github/issues/211
+    Related issue: https://github.com/Netcracker/.github/issues/211, https://github.com/Netcracker/.github/issues/223
 secutiry_scan_for_apihub:
   patterns_to_include: workflow-templates/security-scan.yml
   destination: .github/workflows
   bot_branch_name: broadcast-security-scan
   commit_message: |
     feat(ci): add security-scan workflow to scan for vulnerabilities in dependencies for APIHUB
-    Related issue: https://github.com/Netcracker/.github/issues/209
+    Related issue: https://github.com/Netcracker/.github/issues/209, https://github.com/Netcracker/.github/issues/223
 secutiry_scan_for_nifi:
   patterns_to_include: workflow-templates/security-scan.yml
   destination: .github/workflows
   bot_branch_name: broadcast-security-scan
   commit_message: |
     feat(ci): add security-scan workflow to scan for vulnerabilities in dependencies for NiFi
-    Related issue: https://github.com/Netcracker/.github/issues/213
+    Related issue: https://github.com/Netcracker/.github/issues/213, https://github.com/Netcracker/.github/issues/223
@@ -0,0 +1,99 @@
+name: Security Scan Docker Packages
+run-name: >
+  Security Scan #${{ github.run_number }} for ${{ inputs.image != '' && inputs.image != null && inputs.image || 'all repository docker images' }}
+on:
+  workflow_dispatch:
+    inputs:
+      target:
+        description: "Target type for the scan (docker, etc.)"
+        required: false
+        type: choice
+        options:
+          - docker
+          - source
+      image:
+        description: "Docker image (for docker). By default ghcr.io/<owner>/<repo>:latest"
+        required: false
+        default: ""
+        type: string
+      tag:
+        description: "Tag of the image to scan. By default 'latest'"
+        required: false
+        default: "latest"
+        type: string
+      only-high-critical:
+        description: "Scope only HIGH + CRITICAL"
+        required: false
+        default: true
+        type: boolean
+      trivy-scan:
+        description: "Trivy scan"
+        required: false
+        default: true
+        type: boolean
+      grype-scan:
+        description: "Grype scan"
+        required: false
+        default: true
+        type: boolean
+      continue-on-error:
+        description: "Continue on error"
+        required: false
+        default: true
+        type: boolean
+      only-fixed:
+        description: "Ignore unfixed vulnerabilities"
+        required: false
+        default: true
+        type: boolean
+  schedule:
+    - cron: "0 3 * * 0" # every Sunday at 03:00 UTC
+
+jobs:
+  debug-packages:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: read
+    outputs:
+      packages: ${{ steps.ghcr.outputs.packages }}
+      has-packages: ${{ steps.ghcr.outputs.has-packages }}
+    steps:
+      - name: List GHCR packages for this repo
+        id: ghcr
+        uses: Netcracker/qubership-workflow-hub/actions/ghcr-discover-repo-packages@v2.0.3
+        env:
+          GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
+
+      - name: Print packages
+        run: echo '${{ steps.ghcr.outputs.packages }}' | jq '.'
+
+      - name: Continue only if repo has GHCR packages
+        if: ${{ steps.ghcr.outputs.has-packages == 'true' }}
+        run: echo "Packages found!"
+
+  security-scan-matrix:
+    needs: debug-packages
+    if: ${{ inputs.image == '' || inputs.image == null }}
+    strategy:
+      matrix:
+        package: ${{ fromJson(needs.debug-packages.outputs.packages) }}
+
+    name: "Run Security Scan (matrix)"
+    uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@v2.0.3
+    with:
+      target: ${{ inputs.target || 'docker' }}
+      image: ${{ format('{0}:{1}', matrix.package.path, inputs.tag || 'dev') }}
+
+  security-scan-single:
+    needs: debug-packages
+    if: ${{ inputs.image != '' && inputs.image != null }}
+    name: "Run Security Scan (single image)"
+    uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@v2.0.3
+    with:
+      target: ${{ inputs.target || 'docker' }}
+      image: ${{ inputs.image }}
+      only-high-critical: ${{ inputs.only-high-critical || true }}
+      trivy-scan: ${{ inputs.trivy-scan || true }}
+      grype-scan: ${{ inputs.grype-scan || true }}
+      only-fixed: ${{ inputs.only-fixed || true }}
+      continue-on-error: ${{ inputs.continue-on-error || true }}
@@ -16,6 +16,11 @@ on:
         required: false
         default: ""
         type: string
+      tag:
+        description: "Tag of the image to scan. By default 'latest'"
+        required: false
+        default: "latest"
+        type: string
       only-high-critical:
         description: "Scope only HIGH + CRITICAL"
         required: false
@@ -50,51 +55,40 @@ jobs:
     permissions:
       packages: read
     outputs:
-      ghcr-packages: ${{ steps.pkgs.outputs.ghcr-packages }}
+      packages: ${{ steps.ghcr.outputs.packages }}
+      has-packages: ${{ steps.ghcr.outputs.has-packages }}
     steps:
-      - name: Show raw GHCR response
-        id: pkgs
+      - name: List GHCR packages for this repo
+        id: ghcr
+        uses: Netcracker/qubership-workflow-hub/actions/ghcr-discover-repo-packages@v2.0.3
         env:
-          GH_TOKEN: ${{ secrets.GH_PAT_PACKAGES }}
-          OWNER: ${{ github.repository_owner }}
-        run: |
-          api_url="https://api.github.com/users/${OWNER}/packages?package_type=container"
-          echo "Request: $api_url"
-
-          response=$(curl -sS \
-            -H "Authorization: Bearer $GH_TOKEN" \
-            -H "Accept: application/vnd.github+json" \
-            "$api_url")
+          GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
 
-          packages=$(echo "$response" | jq -c --arg owner "$OWNER" '
-            [.[]
-            | select(.repository.full_name == "nookyo/qubership-monitoring-operator")
-            | { name: .name, repository: .repository.name, full_name: .repository.full_name, path: "ghcr.io/\($owner)/\(.name)" }
-            ]
-          ')
+      - name: Print packages
+        run: echo '${{ steps.ghcr.outputs.packages }}' | jq '.'
 
-          echo "ghcr-packages=$packages" >> "$GITHUB_OUTPUT"
-          echo "Raw response:"
-          echo "$packages"
+      - name: Continue only if repo has GHCR packages
+        if: ${{ steps.ghcr.outputs.has-packages == 'true' }}
+        run: echo "Packages found!"
 
   security-scan-matrix:
     needs: debug-packages
     if: ${{ inputs.image == '' || inputs.image == null }}
     strategy:
       matrix:
-        package: ${{ fromJson(needs.debug-packages.outputs.ghcr-packages) }}
+        package: ${{ fromJson(needs.debug-packages.outputs.packages) }}
 
     name: "Run Security Scan (matrix)"
-    uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@main
+    uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@v2.0.3
     with:
       target: ${{ inputs.target || 'docker' }}
-      image: ${{ format('{0}:main', matrix.package.path) }}
+      image: ${{ format('{0}:{1}', matrix.package.path, inputs.tag || 'latest') }}
 
   security-scan-single:
     needs: debug-packages
     if: ${{ inputs.image != '' && inputs.image != null }}
     name: "Run Security Scan (single image)"
-    uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@main
+    uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@v2.0.3
     with:
       target: ${{ inputs.target || 'docker' }}
       image: ${{ inputs.image }}