diff --git a/.github/workflows/shared-vulnerability-scan-failure-notify.yaml b/.github/workflows/shared-vulnerability-scan-failure-notify.yaml
new file mode 100644
index 00000000..241c8693
--- /dev/null
+++ b/.github/workflows/shared-vulnerability-scan-failure-notify.yaml
@@ -0,0 +1,115 @@
+name: Vulnerability Scan Failure Notification
+on:
+ workflow_call:
+ inputs:
+ java_version:
+ description: The version of Java to use to compile the JAR. Defaults to 11
+ type: string
+ default: '11'
+ vulnerability_severity:
+ description: The severity that will cause the action to fail if a vulnerability at that level is detected. UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+ default: CRITICAL,HIGH
+ type: string
+ publish_vulnerabilities:
+ description: If true, will attempt to publish the results to the GitHub security tab
+ default: 'false'
+ type: string
+ scan_type:
+ description: The scan-type for aquasecurity/trivy-action action. Default to a fs scan.
+ default: fs
+ type: string
+ platform:
+ description: The OS runner to execute the vulnerability scan (e.g., ubuntu-latest, macos-latest, windows-latest).
+ default: 'ubuntu-latest'
+ type: string
+ skip_tests:
+ description: If true, will skip tests when packaging JAR. Defaults to false. Set to true for test-only repos.
+ type: boolean
+ default: false
+ working_dir:
+ description: The path to the pom.xml and Dockerfile.
+ type: string
+ default: '.'
+ secrets:
+ SLACK_WEBHOOK:
+ required: false
+
+jobs:
+ vulnerability_scan:
+ runs-on: ${{ inputs.platform }}
+
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v4
+
+ - name: Checkout uid2-shared-actions repo
+ uses: actions/checkout@v4
+ with:
+ ref: v3
+ repository: IABTechLab/uid2-shared-actions
+ path: uid2-shared-actions
+
+ - name: Set up JDK
+ if: inputs.scan_type == 'image'
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: ${{ inputs.java_version }}
+
+ - name: Package JAR
+ if: inputs.scan_type == 'image'
+ id: package
+ run: |
+ pushd ${{ inputs.working_dir }}
+ if [[ "${{ inputs.skip_tests }}" == "false" ]]; then
+ mvn -B package -P default
+ else
+ mvn -B package -P default -DskipTests
+ fi
+ echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT
+ echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT
+ popd
+
+ - name: Extract metadata for Docker
+ if: inputs.scan_type == 'image'
+ id: meta
+ run: echo "tags=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }}" >> $GITHUB_OUTPUT
+
+ - name: Build Docker image
+ if: inputs.scan_type == 'image'
+ uses: docker/build-push-action@v5
+ with:
+ context: ${{inputs.working_dir}}
+ load: true
+ tags: ${{ steps.meta.outputs.tags }}
+ build-args: |
+ JAR_VERSION=${{ steps.package.outputs.jar_version }}
+ IMAGE_VERSION=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }}
+
+ - name: Vulnerability Scan
+ id: vulnerability-scan
+ uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3
+ with:
+ scan_severity: ${{ inputs.vulnerability_severity }}
+ failure_severity: ${{ inputs.vulnerability_severity }}
+ publish_vulnerabilities: ${{ inputs.publish_vulnerabilities }}
+ image_ref: ${{ steps.meta.outputs.tags }}
+ scan_type: ${{ inputs.scan_type }}
+ continue-on-error: true
+
+ - name: Notify Slack on Vulnerability Scan Failure
+ if: ${{ steps.vulnerability-scan.outcome == 'failure' }}
+ env:
+ SLACK_COLOR: danger
+ SLACK_MESSAGE: ':x: Vulnerability scan failed. Please review details: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}. Check past alerts before acting and log new actions to avoid duplicate efforts.'
+ SLACK_TITLE: Vulnerability Scan Failure
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+ uses: rtCamp/action-slack-notify@v2
+
+ - name: Fail Workflow if Vulnerability Scan step Fails
+ if: ${{ steps.vulnerability-scan.outcome == 'failure' }}
+ shell: bash
+ run: |
+ echo "Failing the workflow due to vulnerability scan failure"
+ exit 1
+
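Review bot: The `run:` scripts of the Package JAR and Extract metadata steps splice `${{ inputs.working_dir }}`, `${{ steps.package.outputs.jar_version }}` and `${{ steps.package.outputs.git_commit }}` straight into shell text, and `jar_version` is grepped out of `mvn help:evaluate` output, i.e. it is derived from the checked-out pom.xml, so whatever repository content reaches this reusable workflow (for example through a caller triggered on pull_request) is evaluated as shell source rather than data. Passing those values through `env:` and referencing them as quoted shell variables (`pushd "$WORKING_DIR"`, `"$GITHUB_OUTPUT"`) removes the expression-injection surface without changing behaviour. The `grep -e '^[1-9][^\[]'` filter also drops any project version beginning with `0` and can match more than one line of unfiltered plugin output, which would likely leave `jar_version` empty or multi-line and yield an unusable `-<commit>` image tag; `mvn -q help:evaluate -Dexpression=project.version -DforceStdout` prints a single clean value. Separately, `docker/build-push-action@v5`, `rtCamp/action-slack-notify@v2` and `actions/setup-java@v4` are referenced by mutable tags; pinning each to a full commit SHA with the tag in a trailing comment (`uses: owner/action@<commit-sha> # v2`) is the usual supply-chain hardening for a shared workflow that receives a Slack webhook secret.
```yaml
# … unchanged: workflow_call inputs/secrets, checkout and JDK steps …
      - name: Package JAR
        if: inputs.scan_type == 'image'
        id: package
        env:
          WORKING_DIR: ${{ inputs.working_dir }}
          SKIP_TESTS: ${{ inputs.skip_tests }}
        run: |
          pushd "$WORKING_DIR"
          if [[ "$SKIP_TESTS" == "false" ]]; then
            mvn -B package -P default
          else
            mvn -B package -P default -DskipTests
          fi
          echo "jar_version=$(mvn -q help:evaluate -Dexpression=project.version -DforceStdout)" >> "$GITHUB_OUTPUT"
          echo "git_commit=$(git show --format="%h" --no-patch)" >> "$GITHUB_OUTPUT"
          popd

      - name: Extract metadata for Docker
        if: inputs.scan_type == 'image'
        id: meta
        env:
          JAR_VERSION: ${{ steps.package.outputs.jar_version }}
          GIT_COMMIT: ${{ steps.package.outputs.git_commit }}
        run: echo "tags=${JAR_VERSION}-${GIT_COMMIT}" >> "$GITHUB_OUTPUT"
# … unchanged: Docker build, vulnerability scan, Slack notify and fail steps …
```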