CI: Minor image scanning tweaks

Author: Alex-Welsh

.github/workflows/stackhpc-container-image-build.yml

@@ -38,7 +38,12 @@ on:
         type: boolean
         required: false
         default: true
-      push-dirty:
+      sbom:
+        description: Generate SBOM?
+        type: boolean
+        required: false
+        default: true
+      push-critical:
         description: Push scanned images that have critical vulnerabilities?
         type: boolean
         required: false
@@ -252,14 +257,14 @@ jobs:
         run: if [ $(wc -l < ${{ matrix.distro.name }}-${{ matrix.distro.release }}-container-images) -le 1 ]; then exit 1; fi
 
       - name: Scan built container images
-        run: src/kayobe-config/tools/scan-images.sh ${{ matrix.distro.name }}-${{ matrix.distro.release }} ${{ steps.write-kolla-tag.outputs.kolla-tag }}
+        run: src/kayobe-config/tools/scan-images.sh ${{ matrix.distro.name }}-${{ matrix.distro.release }} ${{ steps.write-kolla-tag.outputs.kolla-tag }} ${{ inputs.sbom && '--sbom'}}
 
       - name: Move image scan logs to output artifact
         run: mv image-scan-output image-build-logs/image-scan-output
 
-      - name: Fail if no images have passed scanning
+      - name: Fail if any images have critical vulnerabilities
         run: if [ $(wc -l < image-build-logs/image-scan-output/critical-images.txt) -gt 0 ]; then exit 1; fi
-        if: ${{ !inputs.push-dirty }}
+        if: ${{ !inputs.push-critical }}
 
       - name: Copy clean images to push-attempt-images list
         run: cp image-build-logs/image-scan-output/clean-images.txt image-build-logs/push-attempt-images.txt
@@ -269,13 +274,13 @@ jobs:
       # This should be reverted when it's decided to filter high level CVEs as well.
       - name: Append dirty images to push list
         run: |
-          cat image-build-logs/image-scan-output/dirty-images.txt >> image-build-logs/push-attempt-images.txt
+          cat image-build-logs/image-scan-output/high-images.txt >> image-build-logs/push-attempt-images.txt
         if: ${{ inputs.push }}
 
       - name: Append images with critical vulnerabilities to push list
         run: |
           cat image-build-logs/image-scan-output/critical-images.txt >> image-build-logs/push-attempt-images.txt
-        if: ${{ inputs.push && inputs.push-dirty }}
+        if: ${{ inputs.push && inputs.push-critical }}
 
       - name: Push images
         run: |
@@ -324,12 +329,12 @@ jobs:
       # This can be used again instead of "Fail when critical vulnerabilities are found" when it's
       # decided to fail the job on detecting high CVEs as well.
       # - name: Fail when images failed scanning
-      #   run: if [ $(wc -l < image-build-logs/image-scan-output/dirty-images.txt) -gt 0 ]; then cat image-build-logs/image-scan-output/dirty-images.txt && exit 1; fi
-      #   if: ${{ !inputs.push-dirty && !cancelled() }}
+      #   run: if [ $(wc -l < image-build-logs/image-scan-output/high-images.txt) -gt 0 ]; then cat image-build-logs/image-scan-output/high-images.txt && exit 1; fi
+      #   if: ${{ !inputs.push-critical && !cancelled() }}
 
       - name: Fail when critical vulnerabilities are found
         run: if [ $(wc -l < image-build-logs/image-scan-output/critical-images.txt) -gt 0 ]; then cat image-build-logs/image-scan-output/critical-images.txt && exit 1; fi
-        if: ${{ !inputs.push-dirty && !cancelled() }}
+        if: ${{ !inputs.push-critical && !cancelled() }}
 
       # NOTE(mgoddard): Trigger another CI workflow in the
       # stackhpc-release-train repository.

tools/scan-images.sh

@@ -35,7 +35,7 @@ check_deps_installed() {
 file_prep() {
   rm -rf image-scan-output
   mkdir -p image-scan-output
-  touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt image-scan-output/critical-images.txt
+  touch image-scan-output/clean-images.txt image-scan-output/high-images.txt image-scan-output/critical-images.txt
 }
 
 # Gather image lists
@@ -99,7 +99,21 @@ categorise_image() {
   fi
 }
 
-# Scan images, generate SBOMs if requested 
+# Generate SBOM, return correct scan command for SBOM
+generate_sbom() {
+  local imagename=$1
+  local filename=$2
+  local image=$3
+  trivy image \
+        --format spdx-json \
+        --output image-scan-output/${imagename}/${filename}-sbom.json \
+        $image > /dev/null 2>&1
+  echo "trivy sbom $scan_common_args \
+        --output image-scan-output/${imagename}/${filename}-scan.json \
+        image-scan-output/${imagename}/${filename}-sbom.json"
+}
+
+# Scan images, generate SBOMs if requested
 scan_image() {
   local image=$1
   local filename=$(basename $image | sed 's/:/\./g')
@@ -108,25 +122,19 @@ scan_image() {
   mkdir -p image-scan-output/$imagename
   generate_trivy_ignore $imagename
 
-  echo "Scanning $imagename"
-
-  # If SBOM is required, generate that first, then generate scan results from it
+  # If SBOM is required, generate it first and scan the results, otherwise we
+  # scan the image directly.
   if $generate_sbom; then
-    trivy image \
-        --format spdx-json \
-        --output image-scan-output/${imagename}/${filename}-sbom.json \
-        $image
-    scan_command="trivy sbom $scan_common_args \
-                  --output image-scan-output/${imagename}/${filename}-scan.json \
-                  image-scan-output/${imagename}/${filename}-sbom.json"
+    echo "Generating SBOM for $imagename"
+    scan_command=$(generate_sbom $imagename $filename $image)
   else
     scan_command="trivy image $scan_common_args \
                   --output image-scan-output/${imagename}/${filename}-scan.json $image"
   fi
-  echo "scan command"
-  echo "$scan_command"
-  # Run scan, against image or SBOM. If no results, delete files.
-  if $scan_command; then
+
+  # Run scan against image or SBOM, format output. If no results, delete files.
+  echo "Scanning $imagename for vulnerabilities"
+  if $scan_command > /dev/null 2>&1; then
     rm -f image-scan-output/${imagename}/${filename}-scan.json
     echo "${image}" >> image-scan-output/clean-images.txt
   else