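---
# Scan Containers
#
# Finds container images referenced by changed cluster manifests and scans
# them with Trivy, uploading the findings as SARIF to the repository's
# Security tab.
#
# Job chain:
#   detect-file-changes  -> which .yaml/.yml files changed (JSON list)
#   detect-containers    -> one matrix leg per file; runs
#                           .github/scripts/container-parser.sh to list images
#   scan-containers      -> one matrix leg per image; Trivy -> SARIF -> upload
name: Scan Containers

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
      - next
    paths:
      - "cluster/**.yaml"
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN. The checkouts below use an app
# token, so GITHUB_TOKEN is only needed to list PR files (dorny/paths-filter on
# pull_request events) and to upload SARIF to code scanning.
permissions:
  contents: read
  pull-requests: read
  security-events: write

jobs:
  detect-file-changes:
    name: Detect File Changes
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@v2
        id: filter
        with:
          list-files: json
          filters: |
            yaml:
              - added|modified: "**.yaml"
              - added|modified: "**.yml"
    outputs:
      # JSON array of changed file paths; "[]" when nothing matched.
      yaml_files: ${{ steps.filter.outputs.yaml_files }}

  detect-containers:
    name: Detect Containers
    runs-on: ubuntu-24.04
    needs: detect-file-changes
    # An empty matrix is a hard job failure, so skip when no file matched
    # (possible on workflow_dispatch, where the pull_request path filter does
    # not apply). Dependent jobs are skipped along with this one.
    if: needs.detect-file-changes.outputs.yaml_files != '[]'
    strategy:
      matrix:
        file: ${{ fromJSON(needs.detect-file-changes.outputs.yaml_files) }}
    steps:
      - name: Generate Token
        uses: actions/create-github-app-token@v1
        id: generate-token
        with:
          app-id: "${{ secrets.BOT_APP_ID }}"
          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # NOTE(review): the app token and full history are presumably needed
          # by container-parser.sh; a default read-only checkout may suffice —
          # confirm against the script.
          token: "${{ steps.generate-token.outputs.token }}"
          fetch-depth: 0
      - name: Install Jo
        # `update` first because the runner image's package index can be stale;
        # `-y` so apt-get never blocks on a confirmation prompt in a
        # non-interactive shell.
        # NOTE(review): nothing in this workflow invokes jo directly — presumably
        # container-parser.sh does; confirm before removing this step.
        run: |
          sudo apt-get update
          sudo apt-get install -y jo
      - name: Detect Containers in Files
        id: containers
        # The file path originates from the PR's changed-file list. It is passed
        # through an environment variable rather than interpolated with ${{ }}
        # into the script, so shell metacharacters in a filename are treated as
        # data instead of being executed.
        env:
          FILE: ${{ matrix.file }}
        run: |
          containers=$(.github/scripts/container-parser.sh --file "$FILE")
          echo "{\"containers\": ${containers}}" > containers.json
          # Publish the same JSON as the step output that the scan-containers
          # matrix reads; previously only containers.json was written, which
          # nothing consumed, leaving the output empty. The heredoc form with a
          # random delimiter is safe for multi-line values. (If
          # container-parser.sh already sets this output, this is redundant.)
          delim="$(openssl rand -hex 8)"
          {
            echo "containers<<${delim}"
            echo "{\"containers\": ${containers}}"
            echo "${delim}"
          } >> "$GITHUB_OUTPUT"
    outputs:
      # NOTE(review): outputs of a matrix job are not aggregated — the last
      # matrix leg to finish overwrites the value, so when several files change
      # only one file's images reach scan-containers. Collecting each leg's
      # result as an artifact and merging in a follow-up job would fix this;
      # left unchanged here.
      containers: ${{ steps.containers.outputs.containers }}

  scan-containers:
    name: Scan Containers
    runs-on: ubuntu-24.04
    needs: detect-containers
    strategy:
      # Expects JSON of the form {"containers": [<image refs>]}, produced above.
      matrix: ${{ fromJSON(needs.detect-containers.outputs.containers) }}
      # Keep scanning the remaining images when one image fails.
      fail-fast: false
    steps:
      - name: Generate Token
        uses: actions/create-github-app-token@v1
        id: generate-token
        with:
          app-id: "${{ secrets.BOT_APP_ID }}"
          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
      - name: Checkout
        uses: actions/checkout@v4
        with:
          token: "${{ steps.generate-token.outputs.token }}"
          fetch-depth: 0
      - name: Scan Container
        # NOTE(review): this action ref was mangled in extraction (it renders as
        # "[email protected]"); restore the real pinned release tag of
        # aquasecurity/trivy-action, ideally a full commit SHA.
        uses: aquasecurity/[email protected]
        with:
          image-ref: ${{ matrix.containers }}
          vuln-type: os,library
          severity: CRITICAL,HIGH
          # Trivy's bundled SARIF template; the output feeds code scanning below.
          format: template
          template: "@/contrib/sarif.tpl"
          output: trivy-results.sarif
      - name: Upload Trivy scan results to GitHub Security tab
        # Needs the security-events: write permission granted at the top of the
        # file. NOTE(review): codeql-action v2 runs on a Node runtime GitHub has
        # deprecated; consider moving to v3 in a separate change.
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif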