1 | | -name: Security Scan |
| 1 | +name: Security Scan Docker Packages |
| 2 | +run-name: > |
| 3 | + Security Scan #${{ github.run_number }} for ${{ inputs.image != '' && inputs.image != null && inputs.image || 'all repository docker images' }} |
2 | 4 | on: |
3 | 5 | workflow_dispatch: |
4 | 6 | inputs: |
5 | 7 | target: |
6 | | - description: "Scan part" |
7 | | - required: true |
8 | | - default: "docker" |
| 8 | + description: "Target type for the scan (docker, etc.)" |
| 9 | + required: false |
9 | 10 | type: choice |
10 | 11 | options: |
11 | 12 | - docker |
12 | 13 | - source |
13 | 14 | image: |
14 | | - description: "Docker image (for 'docker' target). By default ghcr.io/<owner>/<repo>:latest" |
| 15 | + description: "Docker image (for docker). By default ghcr.io/<owner>/<repo>:latest" |
15 | 16 | required: false |
16 | 17 | default: "" |
| 18 | + type: string |
17 | 19 | only-high-critical: |
18 | | - description: "Scan only HIGH + CRITICAL" |
| 20 | + description: "Scope only HIGH + CRITICAL" |
19 | 21 | required: false |
20 | 22 | default: true |
21 | 23 | type: boolean |
22 | 24 | trivy-scan: |
23 | | - description: "Run Trivy scan" |
| 25 | + description: "Trivy scan" |
24 | 26 | required: false |
25 | 27 | default: true |
26 | 28 | type: boolean |
27 | 29 | grype-scan: |
28 | | - description: "Run Grype scan" |
| 30 | + description: "Grype scan" |
29 | 31 | required: false |
30 | 32 | default: true |
31 | 33 | type: boolean |
|
35 | 37 | default: true |
36 | 38 | type: boolean |
37 | 39 | only-fixed: |
38 | | - description: "Show only fixable vulnerabilities" |
| 40 | + description: "Ignore unfixed vulnerabilities" |
39 | 41 | required: false |
40 | 42 | default: true |
41 | 43 | type: boolean |
42 | | - |
43 | 44 | schedule: |
44 | 45 | - cron: "0 3 * * 0" # every Sunday at 03:00 UTC |
45 | 46 |
|
46 | | -permissions: |
47 | | - contents: read |
48 | | - security-events: write |
49 | | - actions: read |
50 | | - packages: read |
51 | | - |
52 | 47 | jobs: |
53 | | - security-scan: |
54 | | - name: "Run Security Scan" |
| 48 | + debug-packages: |
| 49 | + runs-on: ubuntu-latest |
| 50 | + permissions: |
| 51 | + packages: read |
| 52 | + outputs: |
| 53 | + ghcr-packages: ${{ steps.pkgs.outputs.ghcr-packages }} |
| 54 | + steps: |
| 55 | + - name: Show raw GHCR response |
| 56 | + id: pkgs |
| 57 | + env: |
| 58 | + GH_TOKEN: ${{ secrets.GH_PAT_PACKAGES }} |
| 59 | + OWNER: ${{ github.repository_owner }} |
| 60 | + run: | |
| 61 | + api_url="https://api.github.com/users/${OWNER}/packages?package_type=container" |
| 62 | + echo "Request: $api_url" |
| 63 | +
|
| 64 | + response=$(curl -sS \ |
| 65 | + -H "Authorization: Bearer $GH_TOKEN" \ |
| 66 | + -H "Accept: application/vnd.github+json" \ |
| 67 | + "$api_url") |
| 68 | +
|
| 69 | + packages=$(echo "$response" | jq -c --arg owner "$OWNER" ' |
| 70 | + [.[] |
| 71 | + | select(.repository.full_name == "nookyo/qubership-monitoring-operator") |
| 72 | + | { name: .name, repository: .repository.name, full_name: .repository.full_name, path: "ghcr.io/\($owner)/\(.name)" } |
| 73 | + ] |
| 74 | + ') |
| 75 | +
|
| 76 | + echo "ghcr-packages=$packages" >> "$GITHUB_OUTPUT" |
| 77 | + echo "Raw response:" |
| 78 | + echo "$packages" |
| 79 | +
|
| 80 | + security-scan-matrix: |
| 81 | + needs: debug-packages |
| 82 | + if: ${{ inputs.image == '' || inputs.image == null }} |
| 83 | + strategy: |
| 84 | + matrix: |
| 85 | + package: ${{ fromJson(needs.debug-packages.outputs.ghcr-packages) }} |
| 86 | + |
| 87 | + name: "Run Security Scan (matrix)" |
| 88 | + uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@main |
| 89 | + with: |
| 90 | + target: ${{ inputs.target || 'docker' }} |
| 91 | + image: ${{ format('{0}:main', matrix.package.path) }} |
| 92 | + |
| 93 | + security-scan-single: |
| 94 | + needs: debug-packages |
| 95 | + if: ${{ inputs.image != '' && inputs.image != null }} |
| 96 | + name: "Run Security Scan (single image)" |
55 | 97 | uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@main |
56 | 98 | with: |
57 | | - target: ${{ github.event.inputs.target || 'docker' }} |
58 | | - image: ${{ github.event.inputs.image || format('ghcr.io/{0}:latest', github.repository) }} |
59 | | - only-high-critical: ${{ github.event.inputs.only-high-critical || true }} |
60 | | - trivy-scan: ${{ github.event.inputs.trivy-scan || true }} |
61 | | - grype-scan: ${{ github.event.inputs.grype-scan || true }} |
62 | | - only-fixed: ${{ github.event.inputs.only-fixed || true }} |
63 | | - continue-on-error: ${{ github.event.inputs.continue-on-error || true }} |
| 99 | + target: ${{ inputs.target || 'docker' }} |
| 100 | + image: ${{ inputs.image }} |
| 101 | + only-high-critical: ${{ inputs.only-high-critical || true }} |
| 102 | + trivy-scan: ${{ inputs.trivy-scan || true }} |
| 103 | + grype-scan: ${{ inputs.grype-scan || true }} |
| 104 | + only-fixed: ${{ inputs.only-fixed || true }} |
| 105 | + continue-on-error: ${{ inputs.continue-on-error || true }} |
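Review bot: Removing the workflow-level `permissions` block leaves the two `uses:` jobs (`security-scan-matrix`, `security-scan-single`) calling `re-security-scan.yml` with the repository's default GITHUB_TOKEN grant instead of the previous explicit `contents: read`, `security-events: write`, `actions: read`, `packages: read`; a reusable workflow can only use what its caller grants, so depending on repository settings this is now either broader than needed or too narrow for whatever the called workflow writes — re-add the same scoped `permissions:` on both caller jobs. The jq filter in `debug-packages` hard-codes `select(.repository.full_name == "nookyo/qubership-monitoring-operator")` while the `--arg owner` it receives is unused in the filter, so in any other repository or fork the result is `[]` and the matrix job fails on an empty `package` vector; use `--arg repo "$GITHUB_REPOSITORY"` and `select(.repository.full_name == $repo)` instead. That job also authenticates with a personal token (`secrets.GH_PAT_PACKAGES`) and keeps its debugging name and "Show raw GHCR response" step, so confirm the PAT is scoped to `read:packages` only and rename the job and step for what they now do. The carried-over `${{ inputs.X || true }}` expressions on new lines 101–105 can never yield `false`, because an unchecked boolean input is `false`, which `||` replaces with `true`; if the fallback is only for scheduled runs, write `${{ github.event_name == 'schedule' || inputs.only-fixed }}` (and likewise for the others). Finally, the `image` description still says "By default ghcr.io/<owner>/<repo>:latest", but an empty image now scans every listed GHCR package at `:main` via `format('{0}:main', matrix.package.path)` — update the description to match.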