Support per-app vulnerability scan configs

Application templates can provide overrides in their own directories, with the scanning falling back to the top-level project configs otherwise.
navapbc · Jan 2, 2025 · de1e80f · de1e80f
1 parent 3240260
commit de1e80f
Show file tree

Hide file tree

Showing 2 changed files with 99 additions and 2 deletions.
diff --git a/.github/actions/first-file/action.yml b/.github/actions/first-file/action.yml
@@ -0,0 +1,58 @@
+name: "Return first file that exists"
+description: "Check given list of files in order and return first one that exists."
+
+inputs:
+  files:
+    required: true
+    type: string
+    description: |
+      The list of files to check, in the order to check for them.
+
+      File names should be properly quoted\escaped and either space or newline
+      separated.
+
+      Either:
+      ```yaml
+      files: my_file.txt some_other_file.txt
+      ```
+
+      Or:
+      ```yaml
+      files: |-
+        my_file.txt
+        some_other_file.txt
+      ```
+
+outputs:
+  found_file:
+    description: "Path of first file found."
+    value: ${{ steps.find-file.outputs.found_file }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Get file list
+      id: file-list
+      shell: bash
+      run: |
+        # Get file list
+        # https://github.com/actions/runner/issues/1877
+        files=$(printf %s "${{ inputs.files }}" | tr '\n' ' ')
+        echo "File list: ${files}"
+        echo "files=${files}" >> "$GITHUB_OUTPUT"
+
+    - name: Check file list
+      id: find-file
+      shell: bash
+      run: |
+        # Check file list
+        # https://github.com/actions/runner/issues/1877
+        for f in ${{ steps.file-list.outputs.files }}; do
+          if [[ -e "${f}" ]]; then
+            found_file="${f}"
+            break
+          fi
+        done
+
+        echo "found_file=${found_file}"
+        echo "found_file=${found_file}" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
@@ -20,6 +20,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - uses: ./.github/actions/first-file
+        id: hadolint-config
+        with:
+          files: |-
+            ${{ inputs.app_name }}/.hadolint.yaml
+            .hadolint.yaml
+
       # Scans Dockerfile for any bad practices or issues
       - name: Scan Dockerfile by hadolint
         uses: hadolint/[email protected]
@@ -28,6 +35,7 @@ jobs:
           format: tty
           failure-threshold: warning
           output-file: hadolint-results.txt
+          config: ${{ steps.hadolint-config.outputs.found_file }}
 
       - name: Save output to workflow summary
         if: always() # Runs even if there is a failure
@@ -39,6 +47,18 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - uses: ./.github/actions/first-file
+        id: trivy-ignore
+        with:
+          files: |-
+            ${{ inputs.app_name }}/.trivyignore
+            .trivyignore
+
+      - uses: ./.github/actions/first-file
+        id: trivy-secret
+        with:
+          files: ${{ inputs.app_name }}/trivy-secret.yaml .trivy-secret.yaml
+
       - name: Build and tag Docker image for scanning
         id: build-image
         run: |
@@ -57,6 +77,9 @@ jobs:
           ignore-unfixed: true
           vuln-type: os
           scanners: vuln,secret
+          trivyignores: ${{ steps.trivy-ignore.outputs.found_file }}
+        env:
+          TRIVY_SECRET_CONFIG: ${{ steps.trivy-secret.outputs.found_file }}
 
       - name: Save output to workflow summary
         if: always() # Runs even if there is a failure
@@ -69,6 +92,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - uses: ./.github/actions/first-file
+        id: grype-config
+        with:
+          files: |-
+            ${{ inputs.app_name }}/.grype.yml
+            .grype.yml
+
       - name: Build and tag Docker image for scanning
         id: build-image
         run: |
@@ -82,6 +112,8 @@ jobs:
         with:
           image: ${{ steps.build-image.outputs.image }}
           output-format: table
+        env:
+          GRYPE_CONFIG: ${{ steps.grype-config.outputs.found_file }}
 
       - name: Save output to workflow summary
         if: always() # Runs even if there is a failure
@@ -93,6 +125,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - uses: ./.github/actions/first-file
+        id: dockle-config
+        with:
+          files: |-
+            ${{ inputs.app_name }}/.dockleconfig
+            .dockleconfig
+
       - name: Build and tag Docker image for scanning
         id: build-image
         run: |
@@ -105,8 +144,8 @@ jobs:
       # variable, this will save the variable in this file to env for Dockle
       - name: Set any acceptable Dockle files
         run: |
-          if grep -q "^DOCKLE_ACCEPT_FILES=.*" .dockleconfig; then
-            grep -s '^DOCKLE_ACCEPT_FILES=' .dockleconfig >> "$GITHUB_ENV"
+          if grep -q "^DOCKLE_ACCEPT_FILES=.*" ${{ steps.dockle-config.outputs.found_file }}; then
+            grep -s '^DOCKLE_ACCEPT_FILES=' ${{ steps.dockle-config.outputs.found_file }} >> "$GITHUB_ENV"
           fi
 
       - name: Run Dockle container linter