diff --git a/.github/workflows/shared-vulnerability-scan-failure-notify.yaml b/.github/workflows/shared-vulnerability-scan-failure-notify.yaml
index 0a4ce41c..b8671f34 100644
--- a/.github/workflows/shared-vulnerability-scan-failure-notify.yaml
+++ b/.github/workflows/shared-vulnerability-scan-failure-notify.yaml
@@ -30,6 +30,15 @@ on:
 description: The path to the pom.xml and Dockerfile.
 type: string
 default: '.'
+ image_ref:
+ description: >-
+ An already-published image reference to scan (e.g. ghcr.io/org/app:latest). When set,
+ the JDK/Maven/Docker-build steps are skipped and this image is scanned directly — use this
+ to re-scan released images for newly-disclosed CVEs. When empty (the default), behaviour is
+ unchanged: image mode builds from source. The image must be pullable without auth (or the
+ caller must log in to the registry before invoking this workflow).
+ type: string
+ default: ''
 secrets:
 SLACK_WEBHOOK:
 required: false
@@ -50,14 +59,14 @@ jobs:
 path: uid2-shared-actions

 - name: Set up JDK
- if: inputs.scan_type == 'image'
+ if: inputs.scan_type == 'image' && inputs.image_ref == ''
 uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 distribution: 'temurin'
 java-version: ${{ inputs.java_version }}

 - name: Package JAR
- if: inputs.scan_type == 'image'
+ if: inputs.scan_type == 'image' && inputs.image_ref == ''
 id: package
 run: |
 pushd ${{ inputs.working_dir }}
@@ -71,12 +80,12 @@ jobs:
 popd

 - name: Extract metadata for Docker
- if: inputs.scan_type == 'image'
+ if: inputs.scan_type == 'image' && inputs.image_ref == ''
 id: meta
 run: echo "tags=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }}" >> $GITHUB_OUTPUT

 - name: Build Docker image
- if: inputs.scan_type == 'image'
+ if: inputs.scan_type == 'image' && inputs.image_ref == ''
 uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: ${{inputs.working_dir}}
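Review bot: The new `image_ref` input is documented with a mutable-tag example (`ghcr.io/org/app:latest`), so a re-scan result cannot be attributed to one specific released artifact and may quietly scan a different image than the one that shipped if the tag has since moved. I would steer callers toward a digest-pinned reference in the description, e.g. add `Prefer a digest-pinned reference (ghcr.io/org/app@sha256:...) so the scan result is attributable to exactly one immutable image.`, and have the scan step surface the resolved digest in its output. Because the value is caller-controlled and forwarded to the scan action, it should only ever be passed as an action `with:` input, never interpolated into a `run:` shell line, to avoid expression injection; the later hunk appears to do the former, which is the right choice. The enclosing `on:` / `workflow_call` inputs mapping starts before this hunk.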
@@ -93,7 +102,8 @@ jobs:
 scan_severity: ${{ inputs.vulnerability_severity }}
 failure_severity: ${{ inputs.vulnerability_severity }}
 publish_vulnerabilities: ${{ inputs.publish_vulnerabilities }}
- image_ref: ${{ steps.meta.outputs.tags }}
+ # Scan the explicitly-supplied published image when given; otherwise the locally-built one.
+ image_ref: ${{ inputs.image_ref != '' && inputs.image_ref || steps.meta.outputs.tags }}
 scan_type: ${{ inputs.scan_type }}
 continue-on-error: true