ROX-30730: add scan-image-vulnerabilities action

[tommartensen]

Description

Partners with stackrox/stackrox#17985

• Workflow now scans Konflux and GHA-built images.
• Workflow now triggered by new tags automatically (can be manually dispatched for other tags or as required).
• Workflow uses composite action to stay DRY.

This PR mostly extracts the existing image scan logic into a composable action.

Validation

https://github.com/stackrox/stackrox/actions/runs/20063752468

Why did I not test with test-gh-actions?

The workflow there still uses quay.io ratings: https://github.com/stackrox/test-gh-actions/blob/main/.github/workflows/scripts/check-image-vulnerabilities.py and wasn't updated after stackrox/stackrox#10836.

[msugakov]

Skipped readme and some smaller details in the action.

[tommartensen]

@msugakov
I have refactored the action into a bash script, that made it easier for me to address your concerns.

The action now:

• allows for repository to be specified, ie allows rhacs-eng/... and stackrox-io/...
• doesn't have superfluous outputs, but still uploads the artifact to the workflow run. I am including this for a future workflow that: downloads all scan results -> collects vulnerable images -> suggests fixes)

The script has the following improvements:

• Consider moderate, important, critical CVEs
• Always displays a status (❌ or ✅ ) with description and a table with total and fixable vulnerability count per category. One of the problems I had with the previous version of the workflow was that this information needed to be parsed by human manually.
• Fail the action if there are fixable important or critical CVEs
• Print a collapsed vulnerability table in Markdown with full details.
  • GH automatically links CVEs to GHSA where available.

You can check how this looks in the summary for https://github.com/stackrox/stackrox/actions/runs/20063752468

[msugakov]

Made a pass. I'll likely find something else in subsequent iterations.

[msugakov]

Sorry, could cover only a small part today. Please expect follow-ups.

[msugakov]

I don't know bash pass-by-name semantics and so the question: would check_not_empty still work if IMAGE and SUMMARY_PREFIX are both declared local?

In my tiny test, it seems to work:

$ cat a.sh
#!/usr/bin/env bash

set -euo pipefail

function main() {
	local image="blah"
	check image
}

function check() {
	typeset -n VAR="$1"
	echo "it is: $VAR"
}

main

$ ./a.sh
it is: blah

[tommartensen]

Yes it works - what is your suggestion or concern here?

[msugakov]

  IMAGE="${1:-}"
  SUMMARY_PREFIX="${2:-}"

aren't declared as local. Please declare them as local.

[msugakov]

Finished the full pass.

[msugakov]

Suggested change

(keeping a newline but deleting a blank tab)

[tommartensen]

Done in 303fbdb, there was one more whitespace to fix.

[msugakov]

Suggestion:

Suggested change

	Additionally, an image integration for Quay.io needs to be configured in the ACS Central.
	Additionally, an image integration for Quay.io must be configured in the ACS Central so that it can pull images requested for scanning.

[tommartensen]

Done in 303fbdb

[msugakov]

How about?

Suggested change

	function print_findings_status() {
	function print_summary() {

[tommartensen]

Done in 303fbdb

[msugakov]

Please use [[ instead of [ in bash. There's a couple places to fix.

[tommartensen]

Done in 303fbdb

[msugakov]

Optional suggestion:

Suggested change

	function print_findings_table() {
	function print_details_table() {

[tommartensen]

Done in 303fbdb

[msugakov]

Sorry, this one's going to be a bit vague as I just throw a code suggestion:

Suggested change

	# Asserts if any fixable findings of relevant severity are present.
	function assert_fixable_findings_present() {
	local -n fixable_counts_map="$1"
	if (( fixable_counts_map[CRITICAL] > 0 || fixable_counts_map[IMPORTANT] > 0 )); then
	echo "true"
	else
	echo "false"
	fi
	}
	# Checks if any fixable findings of relevant severity are present.
	function are_blocking_vulns_present() {
	local -n fixable_counts="$1"
	if (( fixable_counts[CRITICAL] > 0 || fixable_counts[IMPORTANT] > 0 )); then
	return 0
	else
	return 1
	fi
	}

0 means success or "yes", no-zero means failure, or "no". Perhaps it can be done via just return (( fixable_counts[CRITICAL] > 0 || fixable_counts[IMPORTANT] > 0 )) but I haven't tried.

After this, you can simply write

if are_blocking_vulns_present fixable_counts_ref; then
  # ...

and no need to compare strings.

The logic is still invert of what it should be, 0 == "clean", no-zero == "failure", but we need a good function name and I can't come up with one at the moment. Perhaps you can?

[tommartensen]

Done in 35cf37d.
I think that are_blocking_vulns_present sufficiently describes the content of the function.

The variable needs to be named fixable_counts_map if we want to keep the local -n. If it was named fixable_counts, it would create a circular dependency.