Merge pull request #11 from jalcock501/patch-1

daisytimms2-nhs · web-flow · commit 289984b2f030 · 2026-03-06T14:23:37.000Z
Fix Trivy IaC threshold checks and count parsing
diff --git a/iac-scan/action.yml b/iac-scan/action.yml
@@ -3,36 +3,47 @@ description: Performs Trivy Infrastructure as Code scanning and reporting
 
 inputs:
   scan-ref:
-    description: 'Directory or file to scan'
+    description: "Directory or file to scan"
     required: false
-    default: './terraform'
+    default: "./terraform"
+
   severity:
-    description: 'Comma-separated list of severity levels to report'
+    description: "Comma-separated list of severity levels to report"
     required: false
-    default: 'HIGH,CRITICAL,MEDIUM,LOW,UNKNOWN'
+    default: "HIGH,CRITICAL,MEDIUM,LOW,UNKNOWN"
+
   trivy-config:
-    description: 'Path to Trivy configuration file'
+    description: "Path to Trivy configuration file"
+    required: false
+    default: "trivy.yaml"
+
+  trivy-version:
+    description: "Trivy version to install"
     required: false
-    default: 'trivy.yaml'
+    default: "v0.69.2"
+
   artifact-name:
-    description: 'Name for the uploaded artifact'
+    description: "Name for the uploaded artifact"
     required: false
-    default: 'trivy-iac-scan-results'
+    default: "trivy-iac-scan-results"
+
   fail-on-critical-high:
-    description: 'Whether to fail the action on critical/high findings'
+    description: "Whether to fail the action on critical/high findings"
     required: false
-    default: 'true'
+    default: "true"
 
 outputs:
   critical-count:
-    description: 'Number of critical severity findings'
+    description: "Number of critical severity findings"
     value: ${{ steps.report.outputs.crit }}
+
   high-count:
-    description: 'Number of high severity findings'
+    description: "Number of high severity findings"
     value: ${{ steps.report.outputs.high }}
+
   report-path:
-    description: 'Path to the generated markdown report'
-    value: 'trivy_report.md'
+    description: "Path to the generated markdown report"
+    value: "trivy_report.md"
 
 runs:
   using: "composite"
@@ -49,44 +60,62 @@ runs:
           echo "config-arg=" >> "$GITHUB_OUTPUT"
         fi
 
+    - name: Setup Trivy
+      uses: aquasecurity/setup-trivy@v0.2.5
+      with:
+        version: ${{ inputs.trivy-version }}
+        cache: true
+
+    - name: Verify Trivy install
+      shell: bash
+      run: |
+        set -euo pipefail
+        which trivy
+        trivy --version
+
     - name: Trivy IaC scan
-      uses: aquasecurity/trivy-action@0.33.0
+      uses: aquasecurity/trivy-action@0.34.2
+      env:
+        TRIVY_DEBUG: "true"
       with:
-        scan-type: 'config'
+        skip-setup-trivy: "true"
+        scan-type: "config"
         scan-ref: ${{ inputs.scan-ref }}
-        format: json
-        output: trivy-iac.json
+        format: "json"
+        output: "trivy-iac.json"
         severity: ${{ inputs.severity }}
-        exit-code: '0'    # don't block the upload step
+        exit-code: "0"
         hide-progress: true
         trivy-config: ${{ steps.trivy-config-check.outputs.config-arg }}
 
     - name: Upload Trivy IaC Scan Artifact
+      if: ${{ hashFiles('trivy-iac.json') != '' }}
       uses: actions/upload-artifact@v4
       with:
         name: ${{ inputs.artifact-name }}
         path: trivy-iac.json
 
     - name: Build summary & counts
       id: report
+      if: ${{ hashFiles('trivy-iac.json') != '' }}
       shell: bash
       run: |
+        set -euo pipefail
+
         jq -r '
         def clean: (.|tostring) | gsub("\\|"; "\\|") | gsub("\r?\n"; " ");
         def counts: reduce (.Results[]? | .Misconfigurations[]? | .Severity // empty) as $s
           ({CRITICAL:0,HIGH:0,MEDIUM:0,LOW:0,UNKNOWN:0}; .[$s]+=1);
 
         counts as $c
         |
-        # ---- TOP BANNER (only if High/Critical present) ----
         (
           if (($c.CRITICAL + $c.HIGH) > 0) then
             "🚫 **Trivy gate:** **\($c.CRITICAL) Critical**, **\($c.HIGH) High** issue(s) found.\n\n"
           else
             "✅ **Trivy gate:** no Critical/High issues.\n\n"
           end
         )
-        # ---- SUMMARY REPORT ----
         + "### Trivy IaC (Terraform) Summary\n\n"
         + "| Severity | Count |\n|---|---|\n"
         + (["CRITICAL","HIGH","MEDIUM","LOW","UNKNOWN"]
@@ -102,31 +131,58 @@ runs:
         + "\n\n</details>\n"
         ' trivy-iac.json > trivy_report.md
 
-        # Extract counts for gating/other steps
-        read CRIT HIGH < <(jq -r '
+        COUNTS_TSV="$(jq -r '
           reduce (.Results[]? | .Misconfigurations[]? | .Severity // empty) as $s
             ({CRITICAL:0,HIGH:0,MEDIUM:0,LOW:0,UNKNOWN:0}; .[$s]+=1)
-          | "\(.CRITICAL) \(.HIGH)"
-        ' trivy-iac.json)
-        echo "crit=$CRIT" >> "$GITHUB_OUTPUT"
-        echo "high=$HIGH" >> "$GITHUB_OUTPUT"
+          | [.CRITICAL, .HIGH] | @tsv
+        ' trivy-iac.json)"
+
+        IFS=$'\t' read -r CRIT HIGH <<< "$COUNTS_TSV"
+
+        CRIT="${CRIT//[^0-9]/}"
+        HIGH="${HIGH//[^0-9]/}"
+
+        echo "crit=${CRIT:-0}" >> "$GITHUB_OUTPUT"
+        echo "high=${HIGH:-0}" >> "$GITHUB_OUTPUT"
+
+    - name: Default counts when no report exists
+      id: report-defaults
+      if: ${{ hashFiles('trivy-iac.json') == '' }}
+      shell: bash
+      run: |
+        echo "crit=0" >> "$GITHUB_OUTPUT"
+        echo "high=0" >> "$GITHUB_OUTPUT"
 
     - name: Publish Trivy Summary
-      if: always()
+      if: ${{ always() && hashFiles('trivy_report.md') != '' }}
       shell: bash
       run: cat trivy_report.md >> "$GITHUB_STEP_SUMMARY"
 
     - name: Update Trivy PR comment
-      if: ${{ github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork }}
+      if: ${{ github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork && hashFiles('trivy_report.md') != '' }}
       uses: marocchino/sticky-pull-request-comment@v2
       with:
         header: trivy-iac-scan
         path: trivy_report.md
 
     - name: Check Trivy Issue Thresholds
-      if: ${{ inputs.fail-on-critical-high == 'true' && (steps.report.outputs.crit != '0' || steps.report.outputs.high != '0') }}
+      if: ${{ inputs.fail-on-critical-high == 'true' && hashFiles('trivy-iac.json') != '' }}
       shell: bash
       run: |
-        echo "Critical findings detected: ${{ steps.report.outputs.crit }}"
-        echo "High findings detected: ${{ steps.report.outputs.high }}"
-        exit 1
+        set -euo pipefail
+
+        CRIT_RAW='${{ steps.report.outputs.crit }}'
+        HIGH_RAW='${{ steps.report.outputs.high }}'
+
+        CRIT="${CRIT_RAW//[^0-9]/}"
+        HIGH="${HIGH_RAW//[^0-9]/}"
+
+        CRIT="${CRIT:-0}"
+        HIGH="${HIGH:-0}"
+
+        echo "Critical findings detected: ${CRIT}"
+        echo "High findings detected: ${HIGH}"
+
+        if (( CRIT > 0 || HIGH > 0 )); then
+          exit 1
+        fi
diff --git a/image-scan/action.yml b/image-scan/action.yml
@@ -53,7 +53,7 @@ runs:
         fi
 
     - name: Trivy image scan
-      uses: aquasecurity/trivy-action@0.28.0
+      uses: aquasecurity/trivy-action@0.34.2
       with:
         scan-type: 'image'
         image-ref: ${{ inputs.image-ref }}
@@ -140,4 +140,4 @@ runs:
       run: |
         echo "Critical vulnerabilities detected: ${{ steps.report.outputs.crit }}"
         echo "High vulnerabilities detected: ${{ steps.report.outputs.high }}"
-        exit 1
+        exit 1
