20 changes: 15 additions & 5 deletions .github/workflows/shared-vulnerability-scan-failure-notify.yaml
Expand Up @@ -30,6 +30,15 @@ on:
description: The path to the pom.xml and Dockerfile.
type: string
default: '.'
image_ref:
description: >-
An already-published image reference to scan (e.g. ghcr.io/org/app:latest). When set,
the JDK/Maven/Docker-build steps are skipped and this image is scanned directly — use this
to re-scan released images for newly-disclosed CVEs. When empty (the default), behaviour is
unchanged: image mode builds from source. The image must be pullable without auth (or the
caller must log in to the registry before invoking this workflow).
type: string
default: ''
secrets:
SLACK_WEBHOOK:
required: false
Expand All @@ -50,14 +59,14 @@ jobs:
path: uid2-shared-actions

- name: Set up JDK
if: inputs.scan_type == 'image'
if: inputs.scan_type == 'image' && inputs.image_ref == ''
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: 'temurin'
java-version: ${{ inputs.java_version }}

- name: Package JAR
if: inputs.scan_type == 'image'
if: inputs.scan_type == 'image' && inputs.image_ref == ''
id: package
run: |
pushd ${{ inputs.working_dir }}
Expand All @@ -71,12 +80,12 @@ jobs:
popd

- name: Extract metadata for Docker
if: inputs.scan_type == 'image'
if: inputs.scan_type == 'image' && inputs.image_ref == ''
id: meta
run: echo "tags=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }}" >> $GITHUB_OUTPUT

- name: Build Docker image
if: inputs.scan_type == 'image'
if: inputs.scan_type == 'image' && inputs.image_ref == ''
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
with:
context: ${{inputs.working_dir}}
Expand All @@ -93,7 +102,8 @@ jobs:
scan_severity: ${{ inputs.vulnerability_severity }}
failure_severity: ${{ inputs.vulnerability_severity }}
publish_vulnerabilities: ${{ inputs.publish_vulnerabilities }}
image_ref: ${{ steps.meta.outputs.tags }}
# Scan the explicitly-supplied published image when given; otherwise the locally-built one.
image_ref: ${{ inputs.image_ref != '' && inputs.image_ref || steps.meta.outputs.tags }}
scan_type: ${{ inputs.scan_type }}
continue-on-error: true
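Review bot: The value forwarded at `image_ref: ${{ inputs.image_ref != '' && inputs.image_ref || steps.meta.outputs.tags }}` is not gated on `scan_type`, whereas every build step it bypasses is guarded by `inputs.scan_type == 'image' && inputs.image_ref == ''`, so a caller that sets `image_ref` together with a non-image `scan_type` hands a published image to a scan mode that never received one before, and nothing checks the reference format before the scanner pulls it. I would add a fail-fast step ahead of the build steps that rejects `image_ref` unless `scan_type == 'image'`, reads the value through `env:` rather than interpolating `${{ inputs.image_ref }}` into a shell line (the existing `Extract metadata` step already interpolates step outputs that way), and warns when the ref is not digest-pinned, since a mutable tag like the `:latest` used as the example in the input description cannot tie a CVE finding to one specific released artifact. Note also that the scan step keeps `continue-on-error: true`, so a failed re-scan of a released image only surfaces through whatever notification step follows it. The step whose `with:` block this hunk edits begins outside the hunk.
```yaml
      - name: Validate image_ref
        if: inputs.image_ref != ''
        env:
          IMAGE_REF: ${{ inputs.image_ref }}
          SCAN_TYPE: ${{ inputs.scan_type }}
        run: |
          [ "$SCAN_TYPE" = "image" ] || { echo "image_ref requires scan_type=image (got '$SCAN_TYPE')" >&2; exit 1; }
          case "$IMAGE_REF" in
            *@sha256:*) ;;
            *) echo "::warning::image_ref '$IMAGE_REF' is not digest-pinned; the scan cannot be tied to one released artifact" ;;
          esac
      # … unchanged: Set up JDK / Package JAR / Extract metadata / Build Docker image / scan step …
```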
