.github/workflows/scan.yml

name: scan
on:
  schedule:
    - cron: '0 10 * * *' # 10 UTC
  workflow_dispatch: {}
env:
  REF: "ghcr.io/chainguard-dev/rumble:latest"
  GCLOUD_PROJECT: ${{ secrets.GCLOUD_PROJECT }}
  GCLOUD_DATASET: ${{ secrets.GCLOUD_DATASET }}
  GCLOUD_TABLE: ${{ secrets.GCLOUD_TABLE }}
  GCLOUD_TABLE_VULNS: ${{ secrets.GCLOUD_TABLE_VULNS }}
  GOOGLE_APPLICATION_CREDENTIALS_BASE64: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_BASE64 }}
concurrency: scan
jobs:
  generate-matrix-chainguard:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    outputs:
      images: ${{ steps.list-images.outputs.images }}
    steps:
      - uses: chainguard-dev/actions/setup-chainctl@main
        with:
          # This identity allows us to list the public Chainguard images.
          identity: 720909c9f5279097d847ad02a2f24ba8f59de36a/a033a6fabe0bfa0d
      - id: list-images
        run: |
          image_list="$(chainctl img ls --group 720909c9f5279097d847ad02a2f24ba8f59de36a -o json)"

          unwanted_images=("alpine-base" "k3s-images" "sdk" "source-controller" "spire")

          for img in ${unwanted_images[@]}; do
            image_list=$(echo "$image_list" | jq "map(select(.repo.name != \"$img\"))")
          done

          echo images=$(echo $image_list | jq -c '[ .[] | select(.tags[].name | contains("latest")) | "cgr.dev/chainguard/" + .repo.name + ":latest" ] | unique') >> $GITHUB_OUTPUT

  scan-chainguard:
    runs-on: ubuntu-latest
    needs: generate-matrix-chainguard
    outputs:
      success: ${{ steps.rumble-chainguard.outputs.success }}
    strategy:
      fail-fast: false
      matrix:
        image: ${{ fromJson(needs.generate-matrix-chainguard.outputs.images) }}
    permissions:
      id-token: write
      packages: write
      contents: read
    steps:
      - name: Run rumble on image
        id: rumble-chainguard
        run: |
          set -x
          echo "${GOOGLE_APPLICATION_CREDENTIALS_BASE64}" | base64 -d > google-creds.json
          echo "Scanning: ${{ matrix.image }}"
          env > github.env
          echo "GOOGLE_APPLICATION_CREDENTIALS=/google-creds.json" >> github.env
          for scanner in "grype" "trivy"; do
            docker run --rm \
              -v "${PWD}/google-creds.json":/google-creds.json \
              --env-file github.env \
              "${REF}" \
              -image "${{ matrix.image }}" \
              -scanner "${scanner}" \
              -syft
          done
      - uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0
        if: ${{ failure() }}
        id: slack
        with:
          payload: '{"text": "[scan] failed for chainguard image ${{ matrix.image }}: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"}'
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

  generate-matrix-external:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.generate-matrix.outputs.matrix }}
    steps:
      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
      - id: generate-matrix
        run: |
          set -x
          echo '{"include":[]}' > matrix.json
          while read name
          do
            cat matrix.json | jq '.include += [{ref: "'${name}'"}]' > matrix.json.tmp
            mv matrix.json.tmp matrix.json
          done < images.txt
          cat matrix.json | jq
          echo "matrix=$(cat matrix.json | jq -c -M)" >> $GITHUB_OUTPUT

  scan-external:
    runs-on: ubuntu-latest
    needs: generate-matrix-external
    outputs:
      success: ${{ steps.rumble-external.outputs.success }}
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.generate-matrix-external.outputs.matrix) }}
    permissions:
      id-token: write
      packages: write
      contents: read
    steps:
      - name: Run rumble on image
        id: rumble-external
        run: |
          set -x
          echo "${GOOGLE_APPLICATION_CREDENTIALS_BASE64}" | base64 -d > google-creds.json
          echo "Scanning: ${{ matrix.ref }}"
          env > github.env
          echo "GOOGLE_APPLICATION_CREDENTIALS=/google-creds.json" >> github.env
          for scanner in "grype" "trivy"; do
            docker run --rm \
              -v "${PWD}/google-creds.json":/google-creds.json \
              --env-file github.env \
              "${REF}" \
              -image "${{ matrix.ref }}" \
              -scanner "${scanner}" \
              -syft
          done
      - uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0
        if: ${{ failure() }}
        id: slack
        with:
          payload: '{"text": "[scan] failed for external image ${{ matrix.ref }}: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"}'
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK