From 55181b4bac52c455c87b6cd7feca429a4da377cb Mon Sep 17 00:00:00 2001
From: sean wibisono
Date: Mon, 29 Jun 2026 10:53:23 +1000
Subject: [PATCH] UID2-7390: add optional image_ref to shared vuln-scan notify workflow
The scheduled vulnerability-scan-failure-notify workflow only supported two modes: fs (scan repo files) and image (mvn package -> docker build a single default Dockerfile -> scan the freshly-built image). Neither can re-scan an already-published image for newly-disclosed CVEs, and the image mode assumes a Maven project with one Dockerfile.
Add an optional `image_ref` input. When set, the JDK/Maven/Docker-build steps are skipped and that published image is scanned directly. When empty (the default), behaviour is unchanged, so existing image-mode callers (uid2-admin, uid2-core, uid2-e2e, uid2-operator, uid2-optout, uid2-snowflake, uid2-validator) are unaffected.
This lets repos with non-Maven builds or multiple images (e.g. uid2-self-serve-portal's Keycloak image) schedule recurring scans of their released images, and is reusable for scanning pinned third-party images such as the EKS addon images in UID2-7353.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 ...red-vulnerability-scan-failure-notify.yaml | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/shared-vulnerability-scan-failure-notify.yaml b/.github/workflows/shared-vulnerability-scan-failure-notify.yaml
index 0a4ce41c..b8671f34 100644
--- a/.github/workflows/shared-vulnerability-scan-failure-notify.yaml
+++ b/.github/workflows/shared-vulnerability-scan-failure-notify.yaml
@@ -30,6 +30,15 @@ on:
         description: The path to the pom.xml and Dockerfile.
         type: string
         default: '.'
+      image_ref:
+        description: >-
+          An already-published image reference to scan (e.g. ghcr.io/org/app:latest). When set,
+          the JDK/Maven/Docker-build steps are skipped and this image is scanned directly — use this
+          to re-scan released images for newly-disclosed CVEs. When empty (the default), behaviour is
+          unchanged: image mode builds from source. The image must be pullable without auth (or the
+          caller must log in to the registry before invoking this workflow).
+        type: string
+        default: ''
     secrets:
       SLACK_WEBHOOK:
         required: false
@@ -50,14 +59,14 @@ jobs:
           path: uid2-shared-actions
 
       - name: Set up JDK
-        if: inputs.scan_type == 'image'
+        if: inputs.scan_type == 'image' && inputs.image_ref == ''
         uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
           distribution: 'temurin'
           java-version: ${{ inputs.java_version }}
 
       - name: Package JAR
-        if: inputs.scan_type == 'image'
+        if: inputs.scan_type == 'image' && inputs.image_ref == ''
         id: package
         run: |
           pushd ${{ inputs.working_dir }}
@@ -71,12 +80,12 @@ jobs:
           popd
 
       - name: Extract metadata for Docker
-        if: inputs.scan_type == 'image'
+        if: inputs.scan_type == 'image' && inputs.image_ref == ''
         id: meta
         run: echo "tags=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }}" >> $GITHUB_OUTPUT
 
       - name: Build Docker image
-        if: inputs.scan_type == 'image'
+        if: inputs.scan_type == 'image' && inputs.image_ref == ''
         uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           context: ${{inputs.working_dir}}
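Review bot: The last sentence of the new `image_ref` description, `(or the caller must log in to the registry before invoking this workflow)`, describes something that cannot work: this is a `workflow_call` workflow, so its scan job runs on its own runner and a docker login performed in the caller's job does not carry over to it. As written, `image_ref` must be anonymously pullable; either shorten the description to say exactly that, or add a registry login step guarded by `if: inputs.image_ref != ''` that takes credentials through this workflow's `secrets:` block. Since the stated purpose is re-scanning released images for newly-disclosed CVEs, the example `ghcr.io/org/app:latest` also invites tag drift between scheduled runs, so a finding cannot be tied to one artifact; suggest the description recommend a digest-pinned reference such as `ghcr.io/org/app@sha256:<digest>` (placeholder) where the caller has one.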
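Review bot: Nothing rejects `scan_type: fs` combined with a non-empty `image_ref`: the four new `if:` guards on Set up JDK, Package JAR, Extract metadata for Docker and Build Docker image all skip in that case, the scan step still receives `scan_type: fs`, and the caller gets a filesystem scan while believing a published image was scanned. A small guard step placed before Set up JDK that fails the job when `inputs.image_ref` is set but `inputs.scan_type` is not `image` would surface the misconfiguration at once instead of hiding it behind `continue-on-error`. The Package JAR step's `run:` script continues past the end of the hunk.
```yaml
      - name: Validate inputs
        if: inputs.scan_type != 'image' && inputs.image_ref != ''
        run: |
          echo "::error::image_ref is only honoured when scan_type is 'image'"
          exit 1
      # … unchanged: Set up JDK and the following steps …
```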
@@ -93,7 +102,8 @@ jobs:
           scan_severity: ${{ inputs.vulnerability_severity }}
           failure_severity: ${{ inputs.vulnerability_severity }}
           publish_vulnerabilities: ${{ inputs.publish_vulnerabilities }}
-          image_ref: ${{ steps.meta.outputs.tags }}
+          # Scan the explicitly-supplied published image when given; otherwise the locally-built one.
+          image_ref: ${{ inputs.image_ref != '' && inputs.image_ref || steps.meta.outputs.tags }}
           scan_type: ${{ inputs.scan_type }}
         continue-on-error: true
 
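Review bot: `inputs.image_ref` is a caller-controlled string that now reaches the shared scan action through its `image_ref` input; handing it over as a `with:` value is fine here, but it is worth confirming that the action's own `run:` steps read it from `env:` rather than interpolating `${{ inputs.image_ref }}` into the shell, since a reference carrying shell metacharacters would then be executed rather than pulled. The `&&`/`||` fallback on the new `image_ref:` line is only safe because the left branch is taken when `inputs.image_ref` is known to be non-empty; an inline note such as `# '&&'/'||' ternary: left value is non-empty by the guard, so it never falls through` would stop a future edit from reusing the idiom with a value that can be empty. The scan step's `uses:` line and the start of its `with:` block are above the hunk.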