Fail acs-image-check task when image check fails

tnevrlka · tnevrlka · commit 0b25e96faa62 · 2025-03-03T18:40:05.000+01:00
Failure during roxctl-image-check currently does not cause the
acs-image-check script to fail, resulting in a false negative.

Signed-off-by: Tomáš Nevrlka &lt;tnevrlka@redhat.com&gt;

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
diff --git a/rhtap/acs-image-check.sh b/rhtap/acs-image-check.sh
@@ -1,14 +1,12 @@
 #!/bin/bash
+set -euo pipefail
+
 SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
 
 # acs-image-check
 source $SCRIPTDIR/common.sh
 
 function rox-image-check() {
-    echo "Running $TASK_NAME:rox-image-check"
-    #!/usr/bin/env bash
-    set +x
-
     if [ "$DISABLE_ACS" == "true" ]; then
         echo "DISABLE_ACS is set. No scans will be produced"
         exit_with_success_result
@@ -32,13 +30,9 @@ function rox-image-check() {
         "https://${ROX_CENTRAL_ENDPOINT}/api/cli/download/roxctl-linux" \
         --output ./roxctl \
         > /dev/null
-    if [ $? -ne 0 ]; then
-        echo 'Failed to download roxctl'
-        exit_with_fail_result
-    fi
     received_filesize=$(stat -c%s ./roxctl)
     if (($received_filesize < 10000)); then
-        # Responce from ACS server is not a binary but error message
+        # Response from ACS server is not a binary but error message
         cat ./roxctl
         echo 'Failed to download roxctl'
         exit 2
@@ -47,19 +41,39 @@ function rox-image-check() {
 
     echo "roxctl image check"
     IMAGE=${PARAM_IMAGE}@${PARAM_IMAGE_DIGEST}
+    ROXCTL_CHECK_STATUS=0
     ./roxctl image check \
         $([ "${INSECURE_SKIP_TLS_VERIFY}" = "true" ] &&
             echo -n "--insecure-skip-tls-verify") \
         -e "${ROX_CENTRAL_ENDPOINT}" --image "$IMAGE" --output json --force \
-        > roxctl_image_check_output.json
-    cp roxctl_image_check_output.json acs-image-check.json
+        > roxctl_image_check_output.json ||
+        ROXCTL_CHECK_STATUS=$?
+
+    if [ "$ROXCTL_CHECK_STATUS" -eq 0 ]; then
+        exit
+    fi
+
+    # Number of policy violations with Critical and High severity parsed from the report
+    severe_violations=$(
+        jq '.summary |
+        with_entries(
+          select(.key | IN("CRITICAL", "HIGH"))
+        ) |
+        add' \
+            roxctl_image_check_output.json
+    )
+
+    # If roxctl image check exited with non-zero code and it is not because of policy violations, report error
+    if [ "$severe_violations" -eq 0 ]; then
+        exit "$ROXCTL_CHECK_STATUS"
+    fi
 }
 
 function report() {
     echo "Running $TASK_NAME:report"
     #!/usr/bin/env bash
     echo "ACS_IMAGE_CHECK_EYECATCHER_BEGIN"
-    cat acs-image-check.json
+    cat roxctl_image_check_output.json
     echo "ACS_IMAGE_CHECK_EYECATCHER_END"
 }
 
