limit scanning to 10 images to check CI

Author: DenKoren

actions/docker/scan-repo/action.yaml

@@ -93,6 +93,14 @@ runs:
         echo "trivy=${trivy_bin}" >> "${GITHUB_OUTPUT}"
         echo "report-file=${_report_file}" >> "${GITHUB_OUTPUT}"
 
+    - name: Post save report
+      uses: milaboratory/github-ci/actions/post/artifact@v4-beta
+      with:
+        name: trivy-report
+        archive: true
+        path: |
+          ${{ steps.init.outputs.report-file }}
+
     - name: Scan images
       id: scan-images
       shell: bash
@@ -110,4 +118,4 @@ runs:
         REPORT_FORMAT: ${{ inputs.report-format }}
         REPORT_FILE: ${{ steps.init.outputs.report-file }}
       run: |
-        "${ACTION_PATH}/scan-images.sh" "${REGISTRY}" "${REPOSITORY}" "${TAG}"
+        SCAN_IMAGES_LIMIT=10 "${ACTION_PATH}/scan-images.sh" "${REGISTRY}" "${REPOSITORY}" "${TAG}"

actions/docker/scan-repo/scan-images.sh

@@ -9,6 +9,7 @@ tag="${3:-}"
 
 : "${DEBUG:=false}"
 : "${TRIVY_BIN:=trivy}"
+: "${SCAN_IMAGES_LIMIT:=}" # stop sanning after this amount of images
 
 : "${PKG_TYPES:=os,library}"
 : "${SCANNERS:=vuln,secret,misconfig}"
@@ -106,12 +107,20 @@ scan_image() {
 }
 
 scan_images() {
+    local _limit="${1:-}"
     local _success=true
 
+    local _items_count=0
     while read -r tag; do
         if ! scan_image "${tag}"; then
             _success=false
         fi
+
+        _items_count=$((_items_count + 1))
+        if [ -n "${_limit}" ] && [ "${_items_count}" -ge "${_limit}" ]; then
+            log "  reached scan limit of ${_limit} images"
+            break
+        fi
     done
 
     if [ "${_success}" != "true" ]; then
@@ -137,10 +146,11 @@ if [ -n "${tag}" ]; then
 else
     log "Scanning images in ${registry}/${repository}..."
     list_images "${registry}" "${repository}" |
-        scan_images || success=false
+        scan_images "${SCAN_IMAGES_LIMIT}" || success=false
 fi
 
 if [ "${success}" == "true" ]; then
+    log "Scan completed successfully, no CVEs found"
     exit 0
 fi