feat(DATAGO-123600): Introduce fossa container scan and guard shareable workflow/actions (#65)

* feat: make SCA scan workflow flexible for Vault and GitHub Secrets

Add support for both Vault (private repos) and GitHub Secrets (public repos)
through conditional secret retrieval:

Key Changes:
- Add use_vault input flag (default: false) for secret source selection
- Add vault_url, vault_role, vault_secret_path inputs for Vault config
- Add FOSSA_API_KEY as workflow secret input for GitHub Secrets mode
- Remove hard-coded VAULT_ADDR environment variable
- Make Vault retrieval step conditional based on use_vault flag
- Add validation step to ensure API key from either source
- Update all FOSSA API key references to use unified output
- Update documentation with examples for both public and private repos

Benefits:
- Single workflow works for both public and private repos
- No hard-coded Vault URLs in public workflow
- Clear validation and error messages
- Backward compatible with migration path

Usage:
- Public repos: Pass FOSSA_API_KEY via secrets (default)
- Private repos: Set use_vault=true and provide vault_url

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: add container scan and guard workflow with config support

- Added reusable container-scan-and-guard.yaml workflow
- Created workflow-config-loader action for centralized configuration
- Added container scanning actions (container-scan, fossa-scan, prisma-scan)
- Supports both Vault and GitHub Secrets for credential management
- Includes AWS ECR authentication for private registries
- Config-based approach reduces workflow inputs from 15+ to 6
- Added comprehensive documentation and architecture guides

* chore: ignore pilot-repos directory

* feat: use container image tag as FOSSA revision

- Extract image tag from container_image input
- Use tag as FOSSA revision instead of git ref
- For container scans, the image tag is more meaningful than git SHA
- Added image tag to workflow summary output

* refactor: remove git_ref input and second checkout

- Removed git_ref input parameter (no longer needed)
- Removed second checkout step that used git_ref
- Simplified context detection to PR vs Non-PR (instead of PR/Release/Manual)
- Container image tag is the FOSSA revision (from container_image input)
- Config file is loaded in first checkout, no second checkout needed
- Updated documentation and usage examples to remove git_ref references

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: add FOSSA team and labels support for container scans

- Added team and labels fields to workflow-config.json schema
- Updated workflow-config-loader to parse and output fossa_team and fossa_labels
- Modified container-scan-and-guard to build scan params with team and labels
- Team and labels are now passed to FOSSA container analyze command
- Conditionally added only when configured in workflow-config.json

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* chore: remove unused load-workflow-config workflow and simplify prisma-scan

- Remove .github/workflows/load-workflow-config.yaml (unused, replaced by workflow-config-loader action)
- Simplify container/prisma-scan/action.yaml to testing placeholder
- Action approach provides better integration than separate workflow

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* docs: simplify prisma-scan README as placeholder

- Update README to clearly indicate placeholder status
- Remove detailed documentation for unimplemented features
- Add brief description of current behavior (dummy outputs)
- Reference related documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* docs: move container scan architecture to cicd-processes-docs

- Remove container-scan-config-architecture.md from this repo
- Document now maintained in SolaceDev/cicd-processes-docs
- Centralize design docs in dedicated documentation repository

Reference: https://github.com/SolaceDev/cicd-processes-docs/blob/main/processes/security-scanning/design/container-scan-config-architecture.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* docs: add comprehensive README for workflow-config-loader

- Add detailed documentation for workflow-config-loader action
- Include quick start examples for Vault and GitHub Secrets
- Document all inputs, outputs, and configuration schema
- Provide migration guide from workflow inputs to config file
- Add usage examples and error handling documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* docs: refine workflow-config-schema for end-users

- Move schema to workflow-config-loader directory
- Remove efficiency/implementation details
- Focus only on configuration fields users need
- Add team and labels configuration documentation
- Simplify examples to common use cases
- Remove Prisma references (not yet implemented)
- Update related documentation links

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: use environment variables in shell steps for security

Following GitHub Actions security best practices, refactored all inline
shell steps to use environment variables instead of direct GitHub
expression interpolation. This prevents script injection attacks by
storing expression values in memory as variables rather than allowing
them to interact with the script generation process.

Changes:
- Added env blocks to all shell steps with GitHub expressions
- Replaced inline ${{ ... }} with environment variable references
- Applied double-quoting to all variable references for word splitting safety

Steps updated:
- Validate Container Image Input
- Merge Configuration and Inputs
- Determine scan context
- Determine Vault AWS Role
- Validate FOSSA API Key
- Determine FOSSA Project ID
- Build FOSSA Scan Parameters
- Report Container Scan Results
- Block on FOSSA Vulnerability Failures
- Log Emergency Bypass

References:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* clean up

* change references to main branch after testing

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: johnvincentcorpuz

.github/workflows/container-scan-and-guard.yaml

@@ -161,3 +161,4 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+pilot-repos/

.gitignore

@@ -0,0 +1,347 @@
+# Container Scan Action
+
+Unified orchestrator for container image security and compliance scanning. Supports multiple scanning tools including FOSSA and Prisma Cloud.
+
+## Overview
+
+This action provides a single interface to run container image scans using various security tools. It:
+- Orchestrates multiple container scanners
+- Provides a consistent parameter interface
+- Allows flexible scanner selection
+- Supports scanner-specific configuration
+
+## Supported Scanners
+
+| Scanner | Purpose | Documentation |
+|---------|---------|---------------|
+| `fossa` | License compliance and vulnerability detection | [fossa-scan README](../fossa-scan/README.md) |
+| `prisma` | Container security scanning with Prisma Cloud | [prisma-scan README](../prisma-scan/README.md) |
+
+## Usage
+
+### Basic Scan with FOSSA
+
+```yaml
+- name: Scan Container Image
+  uses: SolaceDev/solace-public-workflows/container/container-scan@main
+  with:
+    scanners: "fossa"
+    additional_scan_params: |
+      fossa.image=ghcr.io/solacedev/my-app:v1.0.0
+    fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
+```
+
+### Scan with Multiple Scanners
+
+```yaml
+- name: Scan Container Image
+  uses: SolaceDev/solace-public-workflows/container/container-scan@main
+  with:
+    scanners: "fossa,prisma"
+    additional_scan_params: |
+      fossa.image=ghcr.io/solacedev/my-app:v1.0.0
+      fossa.project=MyOrg_my-app
+      prisma.image_registry=ghcr.io
+      prisma.image_repo=solacedev/my-app
+      prisma.image_tag=v1.0.0
+    fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
+    prisma_console_url: ${{ secrets.PRISMA_CONSOLE_URL }}
+    prisma_user: ${{ secrets.PRISMA_USER }}
+    prisma_pass: ${{ secrets.PRISMA_PASS }}
+```
+
+### Complete Workflow Example
+
+```yaml
+name: Container Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build Container Image
+        run: |
+          docker build -t ghcr.io/solacedev/my-app:${{ github.sha }} .
+          docker push ghcr.io/solacedev/my-app:${{ github.sha }}
+
+      - name: Scan Container
+        uses: SolaceDev/solace-public-workflows/container/container-scan@main
+        with:
+          scanners: "fossa"
+          additional_scan_params: |
+            fossa.image=ghcr.io/solacedev/my-app:${{ github.sha }}
+            fossa.project=MyOrg_my-app
+            fossa.branch=${{ github.ref_name }}
+            fossa.revision=${{ github.sha }}
+          fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
+```
+
+## Inputs
+
+### Required Inputs (Scanner-Dependent)
+
+The required inputs depend on which scanners you're using. See individual scanner documentation for details.
+
+### Common Inputs
+
+| Input | Description | Default | Required |
+|-------|-------------|---------|----------|
+| `scanners` | Comma-separated list of scanners | `"fossa"` | No |
+| `additional_scan_params` | Scanner-specific parameters (see below) | `""` | No |
+
+### FOSSA Inputs
+
+| Input | Description | Required |
+|-------|-------------|----------|
+| `fossa_api_key` | FOSSA API key | Yes (if using fossa) |
+
+### Prisma Cloud Inputs
+
+| Input | Description | Required |
+|-------|-------------|----------|
+| `prisma_console_url` | Prisma Cloud Console URL | Yes (if using prisma) |
+| `prisma_user` | Prisma Cloud Access Key | Yes (if using prisma) |
+| `prisma_pass` | Prisma Cloud Secret Key | Yes (if using prisma) |
+
+## Parameter System
+
+The `additional_scan_params` input uses a flexible key-value format:
+
+```yaml
+additional_scan_params: |
+  scanner.parameter=value
+  scanner.another_param=value
+```
+
+Parameters are automatically converted to environment variables:
+- `fossa.image=ghcr.io/repo:tag` → `CONTAINER_FOSSA_IMAGE=ghcr.io/repo:tag`
+- `prisma.image_registry=ghcr.io` → `CONTAINER_PRISMA_IMAGE_REGISTRY=ghcr.io`
+
+### FOSSA Parameters
+
+| Parameter | Description | Example |
+|-----------|-------------|---------|
+| `fossa.image` | Container image to scan (REQUIRED) | `ghcr.io/solacedev/my-app:v1.0.0` |
+| `fossa.project` | Project name override | `MyOrg_my-app` |
+| `fossa.branch` | Branch name | `main` |
+| `fossa.revision` | Git commit SHA | `abc123` |
+| `fossa.skip_test` | Skip policy test | `true` |
+| `fossa.debug` | Enable debug logging | `true` |
+
+See [fossa-scan README](../fossa-scan/README.md) for complete parameter list.
+
+### Prisma Cloud Parameters
+
+| Parameter | Description | Example |
+|-----------|-------------|---------|
+| `prisma.image_registry` | Container registry | `ghcr.io` |
+| `prisma.image_repo` | Repository name | `solacedev/my-app` |
+| `prisma.image_tag` | Image tag | `v1.0.0` |
+
+See [prisma-scan README](../prisma-scan/README.md) for complete parameter list.
+
+## Examples
+
+### Scan Docker Hub Image
+
+```yaml
+- uses: SolaceDev/solace-public-workflows/container/container-scan@main
+  with:
+    scanners: "fossa"
+    additional_scan_params: |
+      fossa.image=solace/pubsubplus:latest
+    fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
+```
+
+### Scan GHCR Image with Custom Project Name
+
+```yaml
+- uses: SolaceDev/solace-public-workflows/container/container-scan@main
+  with:
+    scanners: "fossa"
+    additional_scan_params: |
+      fossa.image=ghcr.io/solacedev/my-app:v1.0.0
+      fossa.project=MyOrg_my-app-container
+      fossa.team=Platform Team
+    fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
+```
+
+### Scan AWS ECR Image
+
+```yaml
+- name: Login to ECR
+  uses: aws-actions/amazon-ecr-login@v2
+
+- uses: SolaceDev/solace-public-workflows/container/container-scan@main
+  with:
+    scanners: "fossa"
+    additional_scan_params: |
+      fossa.image=123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0.0
+    fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
+```
+
+### Debug Mode
+
+```yaml
+- uses: SolaceDev/solace-public-workflows/container/container-scan@main
+  with:
+    scanners: "fossa"
+    additional_scan_params: |
+      fossa.image=ghcr.io/solacedev/my-app:v1.0.0
+      fossa.debug=true
+    fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
+```
+
+### Skip Policy Test
+
+```yaml
+- uses: SolaceDev/solace-public-workflows/container/container-scan@main
+  with:
+    scanners: "fossa"
+    additional_scan_params: |
+      fossa.image=ghcr.io/solacedev/my-app:v1.0.0
+      fossa.skip_test=true
+    fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
+```
+
+## Registry Authentication
+
+Most container registries require authentication. Ensure you authenticate before scanning:
+
+### GitHub Container Registry (GHCR)
+
+```yaml
+- uses: docker/login-action@v3
+  with:
+    registry: ghcr.io
+    username: ${{ github.actor }}
+    password: ${{ secrets.GITHUB_TOKEN }}
+```
+
+### AWS ECR
+
+```yaml
+- uses: aws-actions/amazon-ecr-login@v2
+```
+
+### Docker Hub
+
+```yaml
+- uses: docker/login-action@v3
+  with:
+    username: ${{ secrets.DOCKERHUB_USERNAME }}
+    password: ${{ secrets.DOCKERHUB_TOKEN }}
+```
+
+## How It Works
+
+1. **Parameter Parsing**: Converts `additional_scan_params` into environment variables with `CONTAINER_*` prefix
+2. **Scanner Execution**: Runs requested scanners conditionally based on `scanners` input
+3. **Results**: Each scanner reports results independently
+
+### Parameter Conversion Flow
+
+```
+Input:
+  additional_scan_params: |
+    fossa.image=ghcr.io/solacedev/my-app:v1.0.0
+    fossa.project=MyOrg_my-app
+
+Conversion:
+  CONTAINER_FOSSA_IMAGE=ghcr.io/solacedev/my-app:v1.0.0
+  CONTAINER_FOSSA_PROJECT=MyOrg_my-app
+
+Usage by Scanner:
+  fossa-scan action reads CONTAINER_FOSSA_* variables
+  Builds CLI: fossa container analyze ghcr.io/solacedev/my-app:v1.0.0 --project MyOrg_my-app
+```
+
+## Architecture
+
+```
+container-scan (orchestrator)
+├── Parses additional_scan_params
+├── Converts to CONTAINER_* env vars
+├── Conditionally calls:
+│   ├── fossa-scan (if 'fossa' in scanners)
+│   └── prisma-scan (if 'prisma' in scanners)
+```
+
+Each scanner action:
+1. Reads `CONTAINER_SCANNER_*` environment variables
+2. Converts them to scanner-specific CLI arguments
+3. Executes the scanner
+4. Reports results
+
+## Relationship to Other Actions
+
+| Action | Purpose |
+|--------|---------|
+| [container/fossa-scan](../fossa-scan/README.md) | FOSSA container scanning (called by this action) |
+| [container/prisma-scan](../prisma-scan/README.md) | Prisma Cloud scanning (called by this action) |
+| [.github/actions/sca/sca-scan](../../.github/actions/sca/sca-scan/README.md) | Source code dependency scanning |
+
+## Troubleshooting
+
+### "Invalid additional_scan_params line"
+Ensure each line follows `key=value` format with no spaces around the `=`:
+```yaml
+# Good
+fossa.image=ghcr.io/repo:tag
+
+# Bad
+fossa.image = ghcr.io/repo:tag
+```
+
+### "Permission denied" accessing image
+Authenticate to the registry before scanning (see [Registry Authentication](#registry-authentication))
+
+### Scanner not running
+Check that the scanner name is spelled correctly in the `scanners` input:
+```yaml
+scanners: "fossa"  # Correct
+scanners: "FOSSA"  # Wrong - case sensitive
+```
+
+### Missing required parameters
+Each scanner has required parameters. For FOSSA:
+```yaml
+additional_scan_params: |
+  fossa.image=ghcr.io/repo:tag  # REQUIRED
+```
+
+## Best Practices
+
+1. **Always specify the full image path** including registry, repository, and tag
+2. **Use dynamic tags** in CI/CD (commit SHA, PR number) for traceability
+3. **Authenticate to registries** before scanning private images
+4. **Use secrets** for API keys and credentials
+5. **Set project metadata** (project, branch, revision) for better tracking in scanner dashboards
+
+## Related Documentation
+
+- [FOSSA Container Scan](../fossa-scan/README.md)
+- [Prisma Cloud Scan](../prisma-scan/README.md)
+- [SCA Scan](../../.github/actions/sca/sca-scan/README.md)
+
+## Support
+
+For issues or questions:
+- FOSSA scanning: See [FOSSA CLI documentation](https://github.com/fossas/fossa-cli)
+- Prisma scanning: See [Prisma Cloud documentation](https://docs.paloaltonetworks.com/prisma/prisma-cloud)
+- Action issues: Open an issue in the repository