@@ -35,39 +35,27 @@ jobs:
3535 id : find_jobs
3636 run : |
3737 RUN_IDS=$(gh run list --workflow="ECR vulnerability detection" --limit=20 --json databaseId -q '.[].databaseId')
38-
3938 LATEST_JOB_ID=""
4039 PREVIOUS_JOB_ID=""
41-
4240 for RUN_ID in $RUN_IDS; do
4341 JOB_ID=$(gh api "repos/${{ github.repository }}/actions/runs/$RUN_ID/jobs" --jq ".jobs[] | select(.name | contains(\"${{ matrix.image_tag }}\")) | .id" || echo "")
44-
4542 if [[ -n "$JOB_ID" ]]; then
46- if [[ -z "$LATEST_JOB_ID" ]]; then
47- LATEST_JOB_ID=$JOB_ID
48- elif [[ -z "$PREVIOUS_JOB_ID" ]]; then
49- PREVIOUS_JOB_ID=$JOB_ID
50- break
51- fi
43+ if [[ -z "$LATEST_JOB_ID" ]]; then LATEST_JOB_ID=$JOB_ID;
44+ elif [[ -z "$PREVIOUS_JOB_ID" ]]; then PREVIOUS_JOB_ID=$JOB_ID; break; fi
5245 fi
5346 done
54-
55- echo "Found latest job: $LATEST_JOB_ID"
56- echo "Found previous job: $PREVIOUS_JOB_ID"
57-
47+ echo "Found latest job: $LATEST_JOB_ID"; echo "Found previous job: $PREVIOUS_JOB_ID"
5848 echo "latest_job_id=${LATEST_JOB_ID}" >> $GITHUB_OUTPUT
5949 echo "previous_job_id=${PREVIOUS_JOB_ID}" >> $GITHUB_OUTPUT
6050 env :
6151 GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
6252
6353 - name : 📥 Fetch and Parse Logs for ${{ matrix.image_tag }}
6454 run : |
65- # Fetch and parse the log from the latest job, if found
6655 if [[ -n "${{ steps.find_jobs.outputs.latest_job_id }}" ]]; then
6756 gh run view --job ${{ steps.find_jobs.outputs.latest_job_id }} --log > latest_raw.log
6857 awk "/cat <<'JSON'/{flag=1; next} /JSON/{flag=0} flag" latest_raw.log > latest-scan.json
6958 fi
70- # Fetch and parse the log from the previous job, if found
7159 if [[ -n "${{ steps.find_jobs.outputs.previous_job_id }}" ]]; then
7260 gh run view --job ${{ steps.find_jobs.outputs.previous_job_id }} --log > previous_raw.log
7361 awk "/cat <<'JSON'/{flag=1; next} /JSON/{flag=0} flag" previous_raw.log > previous-scan.json
8068 run : |
8169 PREVIOUS_SCAN_FILE="previous-scan.json"
8270 CURRENT_SCAN_FILE="latest-scan.json"
83- if [[ ! -f "$PREVIOUS_SCAN_FILE" ]]; then echo '{ "imageScanFindings": { "findings": [] } }' > "$PREVIOUS_SCAN_FILE"; fi
84- if [[ ! -f "$CURRENT_SCAN_FILE" ]]; then echo '{ "imageScanFindings": { "findings": [] } }' > "$CURRENT_SCAN_FILE"; fi
71+ if [[ ! -f "$PREVIOUS_SCAN_FILE" ]]; then touch "$PREVIOUS_SCAN_FILE"; fi
72+ if [[ ! -f "$CURRENT_SCAN_FILE" ]]; then touch "$CURRENT_SCAN_FILE"; fi
73+
74+ # Validate the JSON in each file. If invalid, create a valid placeholder.
75+ if ! jq . "$PREVIOUS_SCAN_FILE" >/dev/null 2>&1; then
76+ echo "Warning: Previous scan file was invalid. Creating empty placeholder."
77+ echo '{ "imageScanFindings": { "findings": [] } }' > "$PREVIOUS_SCAN_FILE"
78+ fi
79+ if ! jq . "$CURRENT_SCAN_FILE" >/dev/null 2>&1; then
80+ echo "Warning: Current scan file was invalid. Creating empty placeholder."
81+ echo '{ "imageScanFindings": { "findings": [] } }' > "$CURRENT_SCAN_FILE"
82+ fi
8583
8684 FIXED_VULNS=$(jq -r --slurpfile current "$CURRENT_SCAN_FILE" \
8785 '.imageScanFindings.findings[] | select(.name as $cve | ($current[0].imageScanFindings.findings | map(.name) | index($cve) | not)) | "- **\(.name)**: \(.description)"' \