scan.yml

name: Vulnerability scan

on:
  workflow_call:
    inputs:
      REGISTRY:
        required: true
        type: string
      NAMESPACE:
        required: true
        type: string
      TAG:
        required: true
        type: string
  workflow_dispatch:
    inputs:
      REGISTRY:
        description: Target registry to push images
        required: true
        type: string
        default: ghcr.io
      NAMESPACE:
        description: Target namespace to the given registry
        required: true
        type: string
        default: this-is-tobi/template-monorepo-ts
      TAG:
        description: Tag used to scan images
        required: true
        type: string
        default: latest

permissions:
  issues: write

jobs:
  infos:
    name: Generate infos
    runs-on: ubuntu-latest
    outputs:
      build-matrix: ${{ steps.build-matrix.outputs.BUILD_MATRIX }}
    steps:
    - name: Checks-out repository
      uses: actions/checkout@v4

    - name: Generate matrix
      id: build-matrix
      run: |
        echo "BUILD_MATRIX=$(jq -c . < ./ci/matrix/docker.json)" >> $GITHUB_OUTPUT

  images-scan:
    name: Scan images vulnerabilities
    runs-on: ubuntu-latest
    needs:
    - infos
    strategy:
      matrix:
        images: ${{ fromJSON(needs.infos.outputs.build-matrix) }}
    steps:
    - name: Checks-out repository
      uses: actions/checkout@v4

    - name: Set up Docker buildx
      if: ${{ matrix.images.build != false }}
      uses: docker/setup-buildx-action@v3

    - name: Run Trivy vulnerability scanner on images
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: "${{ inputs.REGISTRY }}/${{ inputs.NAMESPACE }}/${{ matrix.images.name }}:${{ inputs.TAG }}"
        format: template
        template: "@/contrib/sarif.tpl"
        vuln-type: "os,library"
        ignore-unfixed: true
        output: trivy-results.sarif
      continue-on-error: true

    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: trivy-results.sarif
      continue-on-error: true

  config-scan:
    name: Scan config files vulnerabilities
    runs-on: ubuntu-latest
    needs:
    - infos
    steps:
    - name: Checks-out repository
      uses: actions/checkout@v4

    - name: Run Trivy vulnerability scanner on config files
      uses: aquasecurity/trivy-action@master
      with:
        scan-ref: .
        scan-type: config
        format: template
        template: "@/contrib/sarif.tpl"
        skip-dirs: "**/node_modules,ci"
        ignore-unfixed: true
        output: trivy-results.sarif
      continue-on-error: true

    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: trivy-results.sarif
      continue-on-error: true

  scan-notif:
    name: Notify users
    runs-on: ubuntu-latest
    needs:
    - infos
    - images-scan
    - config-scan
    if: ${{ github.event_name == 'pull_request' }}
    steps:
    - name: Comment PR
      uses: thollander/actions-comment-pull-request@v2
      with:
        message: |
          🤖 Hey !

          The security scan report for the current pull request is available [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+branch%3Amain+pr%3A${{ github.event.pull_request.number || github.event.number }}).
        comment_tag: vuln-scan