ci: run scan on pr (#55)

tembleking · web-flow · commit f9727e9120f2 · 2024-07-29T13:26:06.000+02:00
* ci: run scan on pr

* ci: remove job execution on macos

We don't expect people running the GH Action on MacOS machines.
Even the concept of creating an OCI image exclusively for MacOS
doesn't make so much sense, the OCI images running on the Apple's OS
are mostly Linux images.
diff --git a/.github/workflows/ci-scan.yaml b/.github/workflows/ci-scan.yaml
@@ -0,0 +1,117 @@
+name: Scan Image on PR
+
+on:
+  pull_request:
+
+jobs:
+  scan-from-registry:
+    runs-on: ubuntu-latest
+
+    steps:
+      # This step checks out a copy of your repository.
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Scan dummy-vuln-app from registry
+        id: scan
+        uses: ./
+        continue-on-error: true
+        with:
+          # Tag of the image to analyse
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          # API token for Sysdig Scanning auth
+          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: true
+          stop-on-processing-error: true
+          severity-at-least: medium
+
+      - name: Upload SARIF file
+        if: success() || failure() # Upload results regardless previous step fails
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ github.workspace }}/sarif.json
+
+      - name: Check that the scan has failed
+        run: |
+          if [ "${{ steps.scan.outcome }}" == "success" ]; then
+            echo "Scan succeeded but the step should fail."
+            exit 1
+          else
+            echo "Scan failed as expected."
+          fi
+
+  filtered-scan-from-registry:
+    runs-on: ubuntu-latest
+
+    steps:
+      # This step checks out a copy of your repository.
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Scan dummy-vuln-app from registry
+        id: scan
+        uses: ./
+        continue-on-error: true
+        with:
+          # Tag of the image to analyse
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          # API token for Sysdig Scanning auth
+          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: true
+          stop-on-processing-error: true
+          severity-at-least: medium
+          group-by-package: true
+
+      - name: Upload SARIF file
+        if: success() || failure() # Upload results regardless previous step fails
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ github.workspace }}/sarif.json
+
+      - name: Check that the scan has failed
+        run: |
+          if [ "${{ steps.scan.outcome }}" == "success" ]; then
+            echo "Scan succeeded but the step should fail."
+            exit 1
+          else
+            echo "Scan failed as expected."
+          fi
+
+  standalone-scan-from-registry:
+    runs-on: ubuntu-latest
+
+    steps:
+      # This step checks out a copy of your repository.
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Donate MainDB from scan
+        id: donnor-scan
+        uses: ./
+        with:
+          # Tag of the image to analyse
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          # API token for Sysdig Scanning auth
+          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: false
+          stop-on-processing-error: true
+          skip-summary: true
+
+      - name: Scan dummy-vuln-app from registry
+        id: scan
+        uses: ./
+        with:
+          # Tag of the image to analyse
+          image-tag: sysdiglabs/dummy-vuln-app:latest
+          # API token for Sysdig Scanning auth
+          #sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          stop-on-failed-policy-eval: true
+          stop-on-processing-error: true
+          standalone: true
+
+      - name: Upload SARIF file
+        if: success() || failure() # Upload results regardless previous step fails
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ github.workspace }}/sarif.json
+
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
@@ -57,32 +57,6 @@ jobs:
         with:
           sarif_file: ${{ github.workspace }}/sarif.json
 
-  macos-scan-from-registry:
-    runs-on: macos-latest
-
-    steps:
-      # This step checks out a copy of your repository.
-      - name: Check out repository
-        uses: actions/checkout@v4
-
-      - name: Scan dummy-vuln-app from registry
-        id: scan
-        uses: ./
-        with:
-          # Tag of the image to analyse
-          image-tag: sysdiglabs/dummy-vuln-app:latest
-          # API token for Sysdig Scanning auth
-          sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
-          stop-on-failed-policy-eval: true
-          stop-on-processing-error: true
-
-      - name: Upload SARIF file
-        if: success() || failure() # Upload results regardless previous step fails
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: ${{ github.workspace }}/sarif.json
-
-
   standalone-scan-from-registry:
     runs-on: ubuntu-latest
 
@@ -119,4 +93,4 @@ jobs:
         if: success() || failure() # Upload results regardless previous step fails
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: ${{ github.workspace }}/sarif.json
+          sarif_file: ${{ github.workspace }}/sarif.json
