fix schedules scan failure

Author: corneliusludmann

.github/workflows/build.yml

@@ -168,6 +168,8 @@ jobs:
     name: Build Gitpod
     needs: [ configuration, create-runner ]
     runs-on: ${{ needs.create-runner.outputs.label }}
+    outputs:
+      affected_packages: ${{ steps.check_vulnerabilities.outputs.affected_packages }}
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-build-gitpod
       cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
@@ -323,11 +325,6 @@ jobs:
           GITHUB_USER: roboquat
           GITHUB_EMAIL: [email protected]
           VERSION: ${{ needs.configuration.outputs.version }}
-      - name: Add failOn to workspace config (when scheduled)
-        if: needs.configuration.outputs.is_scheduled_run == 'true'
-        run: |
-          # Add failOn: ["critical"] to the sbom block in WORKSPACE.yaml
-          sed -i '/sbom:/,/^[a-z]/ s/enabled: true/enabled: true\n  failOn: ["critical"]/' WORKSPACE.yaml
       - name: Scan for Vulnerabilities
         id: scan
         shell: bash
@@ -388,6 +385,25 @@ jobs:
           cat "$scans_dir/vulnerability-summary.md" >> $GITHUB_STEP_SUMMARY
 
           exit $RESULT
+      - name: Check for Critical Vulnerabilities
+        if: needs.configuration.outputs.is_scheduled_run == 'true'
+        id: check_vulnerabilities
+        shell: bash
+        run: |
+          # Parse vulnerability-stats.json from the scans directory
+          CRITICAL_PACKAGES=$(jq -r '.[] | select(.critical > 0) | "\(.name): \(.critical) critical vulnerabilities"' "${{ steps.scan.outputs.leeway_vulnerability_reports_dir }}/vulnerability-stats.json")
+
+          # If there are critical packages, list them and fail the build
+          if [ -n "$CRITICAL_PACKAGES" ]; then
+            echo "::error::Critical vulnerabilities found in the following packages:"
+            echo "$CRITICAL_PACKAGES" | tee -a $GITHUB_STEP_SUMMARY
+            echo "affected_packages<<EOF" >> $GITHUB_OUTPUT
+            echo "$CRITICAL_PACKAGES" >> $GITHUB_OUTPUT
+            echo "EOF" >> $GITHUB_OUTPUT
+            exit 1
+          else
+            echo "No critical vulnerabilities found."
+          fi
       - name: Upload SBOMs
         uses: actions/upload-artifact@v4
         with:
@@ -592,11 +608,11 @@ jobs:
       - name: Slack Notification
         uses: rtCamp/action-slack-notify@v2
         env:
-          SLACK_WEBHOOK: ${{ secrets.ENTERPRISE_JOBS_SLACK_WEBHOOK }}
+          SLACK_WEBHOOK: ${{ secrets.WORKSPACE_SLACK_WEBHOOK }}
           SLACK_ICON_EMOJI: ":x:"
           SLACK_USERNAME: "Scheduled Build"
           SLACK_COLOR: "danger"
-          SLACK_MESSAGE: "⚠️ Security Alert: Daily vulnerability scan triggered action! Either critical vulnerabilities were detected or the scan process failed. Please check the vulnerability reports to assess security impact and take appropriate action."
+          SLACK_MESSAGE: "⚠️ Security Alert: Daily vulnerability scan detected critical vulnerabilities in the following packages:\n${{ needs.build-gitpod.outputs.affected_packages }}"
           SLACK_FOOTER: "<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Workflow Logs>"
 
   delete-runner: