Fail on failing CVE scan

WyriHaximus · WyriHaximus · commit 817624537427 · 2021-02-20T23:42:38.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -204,7 +204,7 @@ jobs:
           path: ./tmp
       - run: docker load --input ./tmp/image*.tar
       - run: mkdir -p "./clair/${DOCKER_IMAGE}"
-      - run: make scan-vulnerability
+      - run: make ci-scan-vulnerability
   scan-vulnerability-http:
     name: Scan nginx ${{ matrix.nginx }} for vulnerabilities
     needs:
@@ -233,7 +233,7 @@ jobs:
         shell: bash
       - run: mkdir -p "./clair/${DOCKER_IMAGE}"
         shell: bash
-      - run: make scan-vulnerability
+      - run: make ci-scan-vulnerability
         shell: bash
   scan-vulnerability-prometheus-exporter-file:
     name: Scan HTTP prometheus-exporter-file for vulnerabilities
@@ -258,7 +258,7 @@ jobs:
           path: ./tmp
       - run: docker load --input ./tmp/image*.tar
       - run: mkdir -p "./clair/${DOCKER_IMAGE}"
-      - run: make scan-vulnerability
+      - run: make ci-scan-vulnerability
   test-php:
     name: Functionaly test PHP ${{ matrix.php }} for ${{ matrix.type }} on Alpine ${{ matrix.alpine }}
     needs:
diff --git a/Makefile b/Makefile
@@ -110,3 +110,9 @@ scan-vulnerability:
 	mkdir -p ./tmp/clair/usabillabv
 	cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log % || echo "% is vulnerable"'
 	docker-compose -f test/security/docker-compose.yml -p clair-ci down
+
+ci-scan-vulnerability:
+	docker-compose -f test/security/docker-compose.yml -p clair-ci up -d
+	RETRIES=0 && while ! wget -T 10 -q -O /dev/null http://localhost:6060/v1/namespaces ; do sleep 1 ; echo -n "." ; if [ $${RETRIES} -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; RETRIES=$$(($${RETRIES}+1)) ; done
+	mkdir -p ./tmp/clair/usabillabv
+	cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log %'
