ci: run scan on pr (#55)

* ci: run scan on pr * ci: remove job execution on macos We don't expect people running the GH Action on MacOS machines. Even the concept of creating an OCI image exclusively for MacOS doesn't make so much sense, the OCI images running on the Apple's OS are mostly Linux images.
sysdiglabs · Jul 29, 2024 · f9727e9 · f9727e9
1 parent 1338596
commit f9727e9
Show file tree

Hide file tree

Showing 2 changed files with 118 additions and 27 deletions.
diff --git a/.github/workflows/ci-scan.yaml b/.github/workflows/ci-scan.yaml
@@ -0,0 +1,117 @@
+name: Scan Image on PR
+
+on:
+  pull_request:
+
+jobs:
+  scan-from-registry:
+    runs-on: ubuntu-latest
+
+    steps:
+      # This step checks out a copy of your repository.
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Scan dummy-vuln-app from registry
+        id: scan
+        uses: ./
+        continue-on-error: true
+        with:
+          # Tag of the image to analyse
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          # API token for Sysdig Scanning auth
+          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: true
+          stop-on-processing-error: true
+          severity-at-least: medium
+
+      - name: Upload SARIF file
+        if: success() || failure() # Upload results regardless previous step fails
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ github.workspace }}/sarif.json
+
+      - name: Check that the scan has failed
+        run: |
+          if [ "${{ steps.scan.outcome }}" == "success" ]; then
+            echo "Scan succeeded but the step should fail."
+            exit 1
+          else
+            echo "Scan failed as expected."
+          fi
+
+  filtered-scan-from-registry:
+    runs-on: ubuntu-latest
+
+    steps:
+      # This step checks out a copy of your repository.
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Scan dummy-vuln-app from registry
+        id: scan
+        uses: ./
+        continue-on-error: true
+        with:
+          # Tag of the image to analyse
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          # API token for Sysdig Scanning auth
+          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: true
+          stop-on-processing-error: true
+          severity-at-least: medium
+          group-by-package: true
+
+      - name: Upload SARIF file
+        if: success() || failure() # Upload results regardless previous step fails
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ github.workspace }}/sarif.json
+
+      - name: Check that the scan has failed
+        run: |
+          if [ "${{ steps.scan.outcome }}" == "success" ]; then
+            echo "Scan succeeded but the step should fail."
+            exit 1
+          else
+            echo "Scan failed as expected."
+          fi
+
+  standalone-scan-from-registry:
+    runs-on: ubuntu-latest
+
+    steps:
+      # This step checks out a copy of your repository.
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Donate MainDB from scan
+        id: donnor-scan
+        uses: ./
+        with:
+          # Tag of the image to analyse
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          # API token for Sysdig Scanning auth
+          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: false
+          stop-on-processing-error: true
+          skip-summary: true
+
+      - name: Scan dummy-vuln-app from registry
+        id: scan
+        uses: ./
+        with:
+          # Tag of the image to analyse
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          # API token for Sysdig Scanning auth
+          #sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: true
+          stop-on-processing-error: true
+          standalone: true
+
+      - name: Upload SARIF file
+        if: success() || failure() # Upload results regardless previous step fails
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ github.workspace }}/sarif.json
+
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
@@ -57,32 +57,6 @@ jobs:
         with:
           sarif_file: ${{ github.workspace }}/sarif.json
 
-  macos-scan-from-registry:
-    runs-on: macos-latest
-
-    steps:
-      # This step checks out a copy of your repository.
-      - name: Check out repository
-        uses: actions/checkout@v4
-
-      - name: Scan dummy-vuln-app from registry
-        id: scan
-        uses: ./
-        with:
-          # Tag of the image to analyse
-          image-tag: sysdiglabs/dummy-vuln-app:latest
-          # API token for Sysdig Scanning auth
-          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
-          stop-on-failed-policy-eval: true
-          stop-on-processing-error: true
-
-      - name: Upload SARIF file
-        if: success() || failure() # Upload results regardless previous step fails
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: ${{ github.workspace }}/sarif.json
-
-
   standalone-scan-from-registry:
     runs-on: ubuntu-latest
 
@@ -119,4 +93,4 @@ jobs:
         if: success() || failure() # Upload results regardless previous step fails
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: ${{ github.workspace }}/sarif.json
+          sarif_file: ${{ github.workspace }}/sarif.json