Update CI vulnerability scans to work with multiple apps (#454)

navapbc · Sep 20, 2023 · 7bcfb4a · 7bcfb4a
1 parent ef73a09
commit 7bcfb4a
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 32 deletions.
diff --git a/.github/workflows/cd-app.yml b/.github/workflows/cd-app.yml
@@ -14,10 +14,6 @@ on:
   #     - "infra/**"
   workflow_dispatch:
     inputs:
-      app_name:
-        description: "name of application folder under infra directory"
-        required: true
-        type: string
       environment:
         description: "target environment"
         required: true
@@ -32,5 +28,5 @@ jobs:
     name: Deploy
     uses: ./.github/workflows/deploy.yml
     with:
-      app_name: ${{ inputs.app_name || 'app' }}
+      app_name: "app"
       environment: ${{ inputs.environment || 'dev' }}
diff --git a/.github/workflows/ci-app-vulnerability-scans.yml.yml b/.github/workflows/ci-app-vulnerability-scans.yml.yml
@@ -0,0 +1,26 @@
+name: CI Vulnerability Scans
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - app/**
+      - .grype.yml
+      - .hadolint.yaml
+      - .trivyignore
+      - .github/workflows/ci-vulnerability-scans.yml
+  pull_request:
+    paths:
+      - app/**
+      - .grype.yml
+      - .hadolint.yaml
+      - .trivyignore
+      - .github/workflows/ci-vulnerability-scans.yml
+
+jobs:
+  vulnerability-scans:
+    name: Vulnerability Scans
+    uses: ./.github/workflows/vulnerability-scans.yml
+    with:
+      app_name: "app"
diff --git a/.github/workflows/ci-vulnerability-scans.yml → .github/workflows/vulnerability-scans.yml b/.github/workflows/ci-vulnerability-scans.yml → .github/workflows/vulnerability-scans.yml
@@ -3,28 +3,15 @@
 
 # NOTE: The workflow isn't able to pass the docker image between jobs, so each builds the image.
 #       A future PR will pass the image between the scans to reduce overhead and increase speed
-name: CI Vulnerability Scans
+name: Vulnerability Scans
 
 on:
-  push:
-    branches:
-      - main
-    paths:
-      - app/**
-      - .grype.yml
-      - .hadolint.yaml
-      - .trivyignore
-      - .github/workflows/ci-vulnerability-scans.yml
-  pull_request:
-    paths:
-      - app/**
-      - .grype.yml
-      - .hadolint.yaml
-      - .trivyignore
-      - .github/workflows/ci-vulnerability-scans.yml
-
-env:
-  APP_NAME: app
+  workflow_call:
+    inputs:
+      app_name:
+        description: "name of application folder under infra directory"
+        required: true
+        type: string
 
 jobs:
   hadolint-scan:
@@ -37,7 +24,7 @@ jobs:
       - name: Scan Dockerfile by hadolint
         uses: hadolint/[email protected]
         with:
-          dockerfile: ${{ env.APP_NAME }}/Dockerfile
+          dockerfile: ${{ inputs.app_name }}/Dockerfile
           format: tty
           failure-threshold: warning
           output-file: hadolint-results.txt
@@ -55,8 +42,8 @@ jobs:
       - name: Build and tag Docker image for scanning
         id: build-image
         run: |
-          make APP_NAME=${{ env.APP_NAME }} release-build
-          IMAGE_NAME=$(make APP_NAME=${{ env.APP_NAME }} release-image-name)
+          make APP_NAME=${{ inputs.app_name }} release-build
+          IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name)
           IMAGE_TAG=$(make release-image-tag)
           echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
 
@@ -85,8 +72,8 @@ jobs:
       - name: Build and tag Docker image for scanning
         id: build-image
         run: |
-          make APP_NAME=${{ env.APP_NAME }} release-build
-          IMAGE_NAME=$(make APP_NAME=${{ env.APP_NAME }} release-image-name)
+          make APP_NAME=${{ inputs.app_name }} release-build
+          IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name)
           IMAGE_TAG=$(make release-image-tag)
           echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
 
@@ -109,8 +96,8 @@ jobs:
       - name: Build and tag Docker image for scanning
         id: build-image
         run: |
-          make APP_NAME=${{ env.APP_NAME }} release-build
-          IMAGE_NAME=$(make APP_NAME=${{ env.APP_NAME }} release-image-name)
+          make APP_NAME=${{ inputs.app_name }} release-build
+          IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name)
           IMAGE_TAG=$(make release-image-tag)
           echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
 

diff --git a/.grype.yml b/.grype.yml
@@ -16,3 +16,5 @@ ignore:
   - fix-state: not-fixed
   - fix-state: wont-fix
   - fix-state: unknown
+  # https://github.com/anchore/grype/issues/1172
+  - vulnerability: GHSA-xqr8-7jwr-rhp7