IABTechLab · caroline-ttd · Mar 11, 2025 · Feb 24, 2025 · Feb 25, 2025 · Feb 25, 2025
diff --git a/.github/workflows/shared-vulnerability-scan-failure-notify.yaml b/.github/workflows/shared-vulnerability-scan-failure-notify.yaml
@@ -0,0 +1,115 @@
+name: Vulnerability Scan Failure Notification
+on:
+  workflow_call:
+    inputs:
+      java_version:
+        description: The version of Java to use to compile the JAR. Defaults to 11
+        type: string
+        default: '11'
+      vulnerability_severity:
+        description: The severity that will cause the action to fail if a vulnerability at that level is detected. UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+        default: CRITICAL,HIGH
+        type: string
+      publish_vulnerabilities:
+        description: If true, will attempt to publish the results to the GitHub security tab
+        default: 'false'
+        type: string
+      scan_type:
+        description: The scan-type for aquasecurity/trivy-action action. Default to a fs scan.
+        default: fs
+        type: string
+      platform:
+        description: The OS runner to execute the vulnerability scan (e.g., ubuntu-latest, macos-latest, windows-latest).
+        default: 'ubuntu-latest'
+        type: string
+      skip_tests:
+        description: If true, will skip tests when packaging JAR. Defaults to false. Set to true for test-only repos.
+        type: boolean
+        default: false
+      working_dir:
+        description: The path to the pom.xml and Dockerfile.
+        type: string
+        default: '.'
+    secrets:
+      SLACK_WEBHOOK:
+        required: false
+
+jobs:
+  vulnerability_scan:
+    runs-on:  ${{ inputs.platform }}
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Checkout uid2-shared-actions repo
+        uses: actions/checkout@v4
+        with:
+          ref: v3
+          repository: IABTechLab/uid2-shared-actions
+          path: uid2-shared-actions
+
+      - name: Set up JDK
+        if: inputs.scan_type == 'image'
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: ${{ inputs.java_version }}
+
+      - name: Package JAR
+        if: inputs.scan_type == 'image'
+        id: package
+        run: |
+          pushd ${{ inputs.working_dir }}
+          if [[ "${{ inputs.skip_tests }}" == "false" ]]; then
+            mvn -B package -P default
+          else
+            mvn -B package -P default -DskipTests
+          fi
+          echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT
+          echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT
+          popd
+
+      - name: Extract metadata for Docker
+        if: inputs.scan_type == 'image'
+        id: meta
+        run: echo "tags=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }}" >> $GITHUB_OUTPUT
+
+      - name: Build Docker image
+        if: inputs.scan_type == 'image'
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{inputs.working_dir}}
+          load: true
+          tags: ${{ steps.meta.outputs.tags }}
+          build-args: |
+            JAR_VERSION=${{ steps.package.outputs.jar_version }}
+            IMAGE_VERSION=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }}
+
+      - name: Vulnerability Scan
+        id: vulnerability-scan
+        uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3
+        with:
+          scan_severity: ${{ inputs.vulnerability_severity }}
+          failure_severity: ${{ inputs.vulnerability_severity }}
+          publish_vulnerabilities: ${{ inputs.publish_vulnerabilities }}
+          image_ref: ${{ steps.meta.outputs.tags }}
+          scan_type: ${{ inputs.scan_type }}
+        continue-on-error: true
+
+      - name: Notify Slack on Vulnerability Scan Failure
+        if: ${{ steps.vulnerability-scan.outcome == 'failure' }}
+        env:
+          SLACK_COLOR: danger
+          SLACK_MESSAGE: ':x: Vulnerability scan failed. Please review details: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}. Check past alerts before acting and log new actions to avoid duplicate efforts.'
+          SLACK_TITLE: Vulnerability Scan Failure
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+        uses: rtCamp/action-slack-notify@v2
+
+      - name: Fail Workflow if Vulnerability Scan step Fails
+        if: ${{ steps.vulnerability-scan.outcome == 'failure' }}
+        shell: bash
+        run: |
+          echo "Failing the workflow due to vulnerability scan failure"
+          exit 1
+