Cr 969 (#198)

Author: alex-codefresh

venona/build/ci.yaml

@@ -3,6 +3,8 @@ mode: parallel
 stages:
 - Test
 - Build Artifacts
+- Security scan
+- Push
 steps:
 
   main_clone:
@@ -96,17 +98,6 @@ steps:
     commands:
       - cd venona && make gocyclo
 
-  image-security-scan:
-    <<: *common
-    title: Scan Docker Image
-    commands:
-      - cd venona && make docker-security-scan TAG=${{CF_BRANCH_TAG_NORMALIZED}}
-    when:
-      steps:
-      - name: push
-        on:
-        - success 
-
   upload-codecov:
     <<: *common
     title: Upload Code Coverage
@@ -150,17 +141,78 @@ steps:
     tag: ${{CF_BRANCH_TAG_NORMALIZED}}
     dockerfile: Dockerfile
     working_directory: ${{main_clone}}/venona
-    image_name: codefresh/venona
+    image_name: ${{IMAGE_NAME}}
     when:
       steps:
       - name: compile
         on:
         - success
 
+  security_scan:
+    stage: Security scan
+    type: parallel
+    when:
+      steps:
+        - name: build_image
+          on:
+          - success
+    success_criteria:
+      condition:
+        any:
+         secScanStep: security_scan_1.result == 'success'
+         secScanFail: '"${{IGNORE_SEC_SCAN}}" == "true"'
+    steps:
+      security_scan_1:
+        image: aquasec/trivy:latest
+        title: "Scanning image for security vulnerablities"
+        commands:
+          - '! rm ${{SEC_SCAN_REPORT_FILE}} 2>/dev/null'
+          - |-
+            set -o pipefail
+            trivy \
+              --quiet \
+              ${{IMAGE_NAME}}:${{CF_BRANCH_TAG_NORMALIZED_LOWER_CASE}} &> ${{SEC_SCAN_REPORT_FILE}}
+            trivy \
+              --quiet \
+              --skip-update \
+              --ignorefile /tmp/.trivy/trivyignore \
+              --ignore-unfixed \
+              --exit-code 1 \
+              --severity ${{SEC_SCAN_SEVERITY_THRESHOLD}} \
+              ${{IMAGE_NAME}}:${{CF_BRANCH_TAG_NORMALIZED_LOWER_CASE}}
+        on_success:
+          metadata:
+            set:
+              - '${{build_image.imageId}}':
+                  - SECURITY_CHECK_PASS: true
+
+  upload_sec_scan_report:
+    stage: Security scan
+    image: mesosphere/aws-cli
+    fail_fast: false
+    when:
+      steps:
+        - name: security_scan
+          on:
+          - success
+        - name: export_version
+          on:
+          - success
+      branch:
+        only: [ "${{RELEASE_BRANCH_NAME}}" ]
+    environment:
+      - AWS_ACCESS_KEY_ID=${{SEC_SCAN_AWS_KEY_ID}}
+      - AWS_SECRET_ACCESS_KEY=${{SEC_SCAN_AWS_SECRET_KEY}}
+    commands:
+      - |-
+        aws s3 cp \
+        ${{SEC_SCAN_REPORT_FILE}} \
+        s3://${{SEC_SCAN_S3_BUCKET}}/${{IMAGE_NAME}}/${{CF_REPO_NAME}}:${{VERSION}}.txt
+
   push:
     type: push
     title: Push candidate
-    stage: Build Artifacts
+    stage: Push
     candidate: ${{build_image}}
     tags:
     - ${{VERSION}}-${{CF_BRANCH_TAG_NORMALIZED}}