|
| 1 | +name: Vulnerability Scan Failure Notification |
| 2 | +on: |
| 3 | + workflow_call: |
| 4 | + inputs: |
| 5 | + java_version: |
| 6 | + description: The version of Java to use to compile the JAR. Defaults to 11 |
| 7 | + type: string |
| 8 | + default: '11' |
| 9 | + vulnerability_severity: |
| 10 | + description: The severity that will cause the action to fail if a vulnerability at that level is detected. UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL |
| 11 | + default: CRITICAL,HIGH |
| 12 | + type: string |
| 13 | + publish_vulnerabilities: |
| 14 | + description: If true, will attempt to publish the results to the GitHub security tab |
| 15 | + default: 'false' |
| 16 | + type: string |
| 17 | + scan_type: |
| 18 | + description: The scan-type for aquasecurity/trivy-action action. Default to a fs scan. |
| 19 | + default: fs |
| 20 | + type: string |
| 21 | + platform: |
| 22 | + description: The OS runner to execute the vulnerability scan (e.g., ubuntu-latest, macos-latest, windows-latest). |
| 23 | + default: 'ubuntu-latest' |
| 24 | + type: string |
| 25 | + skip_tests: |
| 26 | + description: If true, will skip tests when packaging JAR. Defaults to false. Set to true for test-only repos. |
| 27 | + type: boolean |
| 28 | + default: false |
| 29 | + working_dir: |
| 30 | + description: The path to the pom.xml and Dockerfile. |
| 31 | + type: string |
| 32 | + default: '.' |
| 33 | + secrets: |
| 34 | + SLACK_WEBHOOK: |
| 35 | + required: false |
| 36 | + |
| 37 | +jobs: |
| 38 | + vulnerability_scan: |
| 39 | + runs-on: ${{ inputs.platform }} |
| 40 | + |
| 41 | + steps: |
| 42 | + - name: Checkout repo |
| 43 | + uses: actions/checkout@v4 |
| 44 | + |
| 45 | + - name: Checkout uid2-shared-actions repo |
| 46 | + uses: actions/checkout@v4 |
| 47 | + with: |
| 48 | + ref: v3 |
| 49 | + repository: IABTechLab/uid2-shared-actions |
| 50 | + path: uid2-shared-actions |
| 51 | + |
| 52 | + - name: Set up JDK |
| 53 | + if: inputs.scan_type == 'image' |
| 54 | + uses: actions/setup-java@v4 |
| 55 | + with: |
| 56 | + distribution: 'temurin' |
| 57 | + java-version: ${{ inputs.java_version }} |
| 58 | + |
| 59 | + - name: Package JAR |
| 60 | + if: inputs.scan_type == 'image' |
| 61 | + id: package |
| 62 | + run: | |
| 63 | + pushd ${{ inputs.working_dir }} |
| 64 | + if [[ "${{ inputs.skip_tests }}" == "false" ]]; then |
| 65 | + mvn -B package -P default |
| 66 | + else |
| 67 | + mvn -B package -P default -DskipTests |
| 68 | + fi |
| 69 | + echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT |
| 70 | + echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT |
| 71 | + popd |
| 72 | +
|
| 73 | + - name: Extract metadata for Docker |
| 74 | + if: inputs.scan_type == 'image' |
| 75 | + id: meta |
| 76 | + run: echo "tags=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }}" >> $GITHUB_OUTPUT |
| 77 | + |
| 78 | + - name: Build Docker image |
| 79 | + if: inputs.scan_type == 'image' |
| 80 | + uses: docker/build-push-action@v5 |
| 81 | + with: |
| 82 | + context: ${{inputs.working_dir}} |
| 83 | + load: true |
| 84 | + tags: ${{ steps.meta.outputs.tags }} |
| 85 | + build-args: | |
| 86 | + JAR_VERSION=${{ steps.package.outputs.jar_version }} |
| 87 | + IMAGE_VERSION=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }} |
| 88 | +
|
| 89 | + - name: Vulnerability Scan |
| 90 | + id: vulnerability-scan |
| 91 | + uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3 |
| 92 | + with: |
| 93 | + scan_severity: ${{ inputs.vulnerability_severity }} |
| 94 | + failure_severity: ${{ inputs.vulnerability_severity }} |
| 95 | + publish_vulnerabilities: ${{ inputs.publish_vulnerabilities }} |
| 96 | + image_ref: ${{ steps.meta.outputs.tags }} |
| 97 | + scan_type: ${{ inputs.scan_type }} |
| 98 | + continue-on-error: true |
| 99 | + |
| 100 | + - name: Notify Slack on Vulnerability Scan Failure |
| 101 | + if: ${{ steps.vulnerability-scan.outcome == 'failure' }} |
| 102 | + env: |
| 103 | + SLACK_COLOR: danger |
| 104 | + SLACK_MESSAGE: ':x: Vulnerability scan failed. Please review details: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}. Check past alerts before acting and log new actions to avoid duplicate efforts.' |
| 105 | + SLACK_TITLE: Vulnerability Scan Failure |
| 106 | + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} |
| 107 | + uses: rtCamp/action-slack-notify@v2 |
| 108 | + |
| 109 | + - name: Fail Workflow if Vulnerability Scan step Fails |
| 110 | + if: ${{ steps.vulnerability-scan.outcome == 'failure' }} |
| 111 | + shell: bash |
| 112 | + run: | |
| 113 | + echo "Failing the workflow due to vulnerability scan failure" |
| 114 | + exit 1 |
| 115 | +
|
0 commit comments