From de1e80fd18f29707ef3aa064d560f758170abb50 Mon Sep 17 00:00:00 2001 From: Tanner Doshier Date: Tue, 31 Dec 2024 13:43:13 -0500 Subject: [PATCH] Support per-app vulnerability scan configs Application templates can provide overrides in their own directories, with the scanning falling back to the top-level project configs otherwise.
---
.github/actions/first-file/action.yml | 58 +++++++++++++++++++++++ .github/workflows/vulnerability-scans.yml | 43 ++++++++++++++++- 2 files changed, 99 insertions(+), 2 deletions(-) create mode 100644 .github/actions/first-file/action.yml
diff --git a/.github/actions/first-file/action.yml b/.github/actions/first-file/action.yml new file mode 100644
index 00000000..2b700893
--- /dev/null
+++ b/.github/actions/first-file/action.yml
@@ -0,0 +1,58 @@
+name: "Return first file that exists"
+description: "Check given list of files in order and return first one that exists."
+
+inputs:
+ files:
+ required: true
+ type: string
+ description: |
+ The list of files to check, in the order to check for them.
+
+ File names should be properly quoted\escaped and either space or newline
+ separated.
+
+ Either:
+ ```yaml
+ files: my_file.txt some_other_file.txt
+ ```
+
+ Or:
+ ```yaml
+ files: |-
+ my_file.txt
+ some_other_file.txt
+ ```
+
+outputs:
+ found_file:
+ description: "Path of first file found."
+ value: ${{ steps.find-file.outputs.found_file }}
+
+runs:
+ using: "composite"
+ steps:
+ - name: Get file list
+ id: file-list
+ shell: bash
+ run: |
+ # Get file list
+ # https://github.com/actions/runner/issues/1877
+ files=$(printf %s "${{ inputs.files }}" | tr '\n' ' ')
+ echo "File list: ${files}"
+ echo "files=${files}" >> "$GITHUB_OUTPUT"
+
+ - name: Check file list
+ id: find-file
+ shell: bash
+ run: |
+ # Check file list
+ # https://github.com/actions/runner/issues/1877
+ for f in ${{ steps.file-list.outputs.files }}; do
+ if [[ -e "${f}" ]]; then
+ found_file="${f}"
+ break
+ fi
+ done
+
+ echo "found_file=${found_file}"
+ echo "found_file=${found_file}" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
index 232f34b6..663b3b75 100644
--- a/.github/workflows/vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
@@ -20,6 +20,13 @@ jobs:
steps:
- uses: actions/checkout@v4
+ - uses: ./.github/actions/first-file
+ id: hadolint-config
+ with:
+ files: |-
+ ${{ inputs.app_name }}/.hadolint.yaml
+ .hadolint.yaml
+
# Scans Dockerfile for any bad practices or issues
- name: Scan Dockerfile by hadolint
uses: hadolint/hadolint-action@v3.1.0
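Review bot: `${{ inputs.files }}` and `${{ steps.file-list.outputs.files }}` are spliced into the bash `run:` text before the shell parses it, so whatever a caller passes is executed as shell syntax (the description even relies on that for quoting) — the pattern GitHub documents as script injection, and one a reusable action should not depend on every caller to avoid. Passing each value through `env:` and expanding `"${FILES}"` keeps it data, at the cost that quoting/escaping in the input is no longer interpreted, so the description's "properly quoted\escaped" sentence should instead say paths are whitespace-separated. `found_file` is never initialised, so when no candidate exists the output is the empty string, which every caller in this patch then hands to a scanner as a path; `found_file=""` plus a `::warning::` when nothing matched makes that case explicit. `type: string` under `inputs` is a `workflow_call` key rather than an action-metadata key, and I believe the runner flags unexpected keys there, so drop it or confirm the action loads. The rewritten steps follow.
```yaml
    - name: Get file list
      id: file-list
      shell: bash
      env:
        FILES: ${{ inputs.files }}
      run: |
        # Expanded from the environment rather than spliced into the script text
        files=$(printf %s "${FILES}" | tr '\n' ' ')
        echo "File list: ${files}"
        echo "files=${files}" >> "$GITHUB_OUTPUT"

    - name: Check file list
      id: find-file
      shell: bash
      env:
        FILES: ${{ steps.file-list.outputs.files }}
      run: |
        found_file=""
        # Word-split on whitespace only; shell quoting in the input is not interpreted
        for f in ${FILES}; do
          if [[ -e "${f}" ]]; then
            found_file="${f}"
            break
          fi
        done
        [[ -n "${found_file}" ]] || echo "::warning::none of the candidate files exist: ${FILES}"
        echo "found_file=${found_file}"
        echo "found_file=${found_file}" >> "$GITHUB_OUTPUT"
```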
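Review bot: The `uses: ./.github/actions/first-file` step carries no `name:`, so the job log labels this lookup (and the ones at +47, +92 and +125) with the action's generic title, which makes an unexpected fallback to the top-level file hard to spot. A `name: Locate hadolint config` per call, matching the `id:` that already differs, is enough to place a failure in the log.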
@@ -28,6 +35,7 @@ jobs:
format: tty
failure-threshold: warning
output-file: hadolint-results.txt
+ config: ${{ steps.hadolint-config.outputs.found_file }}
- name: Save output to workflow summary
if: always() # Runs even if there is a failure
@@ -39,6 +47,18 @@ jobs:
steps:
- uses: actions/checkout@v4
+ - uses: ./.github/actions/first-file
+ id: trivy-ignore
+ with:
+ files: |-
+ ${{ inputs.app_name }}/.trivyignore
+ .trivyignore
+
+ - uses: ./.github/actions/first-file
+ id: trivy-secret
+ with:
+ files: ${{ inputs.app_name }}/trivy-secret.yaml .trivy-secret.yaml
+
- name: Build and tag Docker image for scanning
id: build-image
run: |
@@ -57,6 +77,9 @@ jobs:
ignore-unfixed: true
vuln-type: os
scanners: vuln,secret
+ trivyignores: ${{ steps.trivy-ignore.outputs.found_file }}
+ env:
+ TRIVY_SECRET_CONFIG: ${{ steps.trivy-secret.outputs.found_file }}
- name: Save output to workflow summary
if: always() # Runs even if there is a failure
@@ -69,6 +92,13 @@ jobs:
steps:
- uses: actions/checkout@v4
+ - uses: ./.github/actions/first-file
+ id: grype-config
+ with:
+ files: |-
+ ${{ inputs.app_name }}/.grype.yml
+ .grype.yml
+
- name: Build and tag Docker image for scanning
id: build-image
run: |
@@ -82,6 +112,8 @@ jobs:
with:
image: ${{ steps.build-image.outputs.image }}
output-format: table
+ env:
+ GRYPE_CONFIG: ${{ steps.grype-config.outputs.found_file }}
- name: Save output to workflow summary
if: always() # Runs even if there is a failure
@@ -93,6 +125,13 @@ jobs:
steps:
- uses: actions/checkout@v4
+ - uses: ./.github/actions/first-file
+ id: dockle-config
+ with:
+ files: |-
+ ${{ inputs.app_name }}/.dockleconfig
+ .dockleconfig
+
- name: Build and tag Docker image for scanning
id: build-image
run: |
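Review bot: `config:` receives whatever `found_file` holds, and when neither `${{ inputs.app_name }}/.hadolint.yaml` nor `.hadolint.yaml` exists that is the empty string, because the first-file action has no fallback of its own; the same applies to `trivyignores:` and `TRIVY_SECRET_CONFIG` at +77, `GRYPE_CONFIG` at +112 and the dockle `grep` at +144. Whether each tool treats an empty path as "unset" rather than as a file to open is not visible here and may differ between a `with:` input and an environment variable, so the scanner could silently run without its config or fail with an unrelated-looking error. Since every lookup in this patch ends with a checked-in fallback, a miss really means a broken checkout; having the action emit `::warning::` (or `::error::`) when nothing matched surfaces that at the lookup step instead of inside the scanner.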
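Review bot: The two candidates for the Trivy secret config do not agree on the file name: the per-app path is `${{ inputs.app_name }}/trivy-secret.yaml` while the fallback is `.trivy-secret.yaml`, so an application that copies the top-level dotfile into its directory, as the other three scanners expect, is never picked up. If the same dotfile per app is intended, the step should read `files: |-` / `${{ inputs.app_name }}/.trivy-secret.yaml` / `.trivy-secret.yaml`; if the undotted name is deliberate (it matches the default secret-config file name Trivy itself looks for), a comment saying so stops the next reader from "fixing" it. Using the block form here also keeps the four lookups consistent and avoids the space-separated value splitting wrongly if `app_name` ever contains a space.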
@@ -105,8 +144,8 @@ jobs:
# variable, this will save the variable in this file to env for Dockle
- name: Set any acceptable Dockle files
run: |
- if grep -q "^DOCKLE_ACCEPT_FILES=.*" .dockleconfig; then
- grep -s '^DOCKLE_ACCEPT_FILES=' .dockleconfig >> "$GITHUB_ENV"
+ if grep -q "^DOCKLE_ACCEPT_FILES=.*" ${{ steps.dockle-config.outputs.found_file }}; then
+ grep -s '^DOCKLE_ACCEPT_FILES=' ${{ steps.dockle-config.outputs.found_file }} >> "$GITHUB_ENV"
fi
- name: Run Dockle container linter
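Review bot: `${{ steps.dockle-config.outputs.found_file }}` is substituted unquoted into the `run:` text twice, so a path containing whitespace or shell metacharacters is re-parsed by bash, and when `found_file` is empty the first `grep -q` is left with no file operand and reads the step's stdin instead of testing a file. Binding the value to an environment variable and quoting it removes both problems and makes the empty case an explicit no-op. The step's `- name:` and `run: |` lines are in the hunk; the rewritten step follows.
```yaml
      - name: Set any acceptable Dockle files
        env:
          DOCKLE_CONFIG: ${{ steps.dockle-config.outputs.found_file }}
        run: |
          if [[ -n "${DOCKLE_CONFIG}" ]] && grep -q "^DOCKLE_ACCEPT_FILES=.*" "${DOCKLE_CONFIG}"; then
            grep -s '^DOCKLE_ACCEPT_FILES=' "${DOCKLE_CONFIG}" >> "$GITHUB_ENV"
          fi
```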