Commit 66f6429

authored
[ODS-6479] Analyze Docker Images updated (#1120)
1 parent c96c44a commit 66f6429

1 file changed

+75
-2
lines changed

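--- a/.github/workflows/Analyze docker images.yml
+++ b/.github/workflows/Analyze docker images.yml
@@ -6,8 +6,8 @@
 name: Analyze Docker Images
 
 on:
-pull_request:
-branches: [main, 'b-v*-patch*','feature-*']
+schedule:
+- cron: '0 0 * * 0'
 workflow_dispatch:
 
 permissions: read-all
@@ -54,6 +54,8 @@ jobs:
 { name: "ods-api-db-ods-sandbox", path: "ubuntu/mssql" }
 ]
 name: ${{ matrix.dockerfile.name }}/${{ matrix.dockerfile.path }} Image for (Standard ${{ matrix.StandardVersion }} Extension ${{ matrix.ExtensionVersion }})
+continue-on-error: true
+
 steps:
 - name: Checkout code
 uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
@@ -85,10 +87,81 @@ jobs:
 sarif-file: sarif-${{ matrix.dockerfile.name }}.${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }}.output.json
 summary: true
 only-severities: "critical,high"
+
+- name: Set Dockerfile Path with Hyphens
+id: set-dockerfile-path
+run: |
+$newPath = "${{ matrix.dockerfile.path }}" -replace '/', '-'
+echo "DockerFile-ModifiedPath=$newPath">> $env:GITHUB_ENV
+shell: pwsh
+
+- name: Upload vulnerabilities-${{ matrix.dockerfile.name }}.${{ env.DockerFile-ModifiedPath }}.${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }} Report
+uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
+with:
+name: vulnerabilities-${{ matrix.dockerfile.name }}.${{ env.DockerFile-ModifiedPath }}.${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }}
+path: sarif-${{ matrix.dockerfile.name }}.${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }}.output.json
+
 - name: Upload SARIF result
 id: upload-sarif
 if: ${{ github.event_name != 'pull_request_target' }}
 uses: github/codeql-action/upload-sarif@df32e399139a3050671466d7d9b3cbacc1cfd034 #codeql-bundle-v2.15.2
 with:
 sarif_file: sarif-${{ matrix.dockerfile.name }}.${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }}.output.json
 
+- name: Check for Critical and High vulnerabilities
+run: |
+$sarifFile = "sarif-${{ matrix.dockerfile.name }}.${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }}.output.json"
+$sarifContent = Get-Content -Path $sarifFile | ConvertFrom-Json
+foreach ($result in $sarifContent.runs.results) {
+$severity = ($result.message.text -match "Severity\s+:\s+(.*)\s*\n") | Out-Null
+$severity = $matches[1].Trim()
+
+if ($severity -ieq "critical" -or $severity -ieq "high") {
+$criticalHighVulnerabilities++
+Write-Host "Found $severity vulnerability: $($result.ruleId)"
+}
+}
+
+if ($criticalHighVulnerabilities -gt 0) {
+Write-Error "Found $criticalHighVulnerabilities critical or high vulnerabilities."
+exit 1
+} else {
+Write-Host "No critical or high vulnerabilities found."
+}
+shell: pwsh
+finalize:
+needs: analyze-docker # Depends on the analyze-docker job
+runs-on: ubuntu-latest
+if: always()
+steps:
+- name: Checkout code
+uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+
+- name: Download all vulnerability reports
+uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 #v4.1.1
+with:
+path: ./vulnerability-reports
+- name: Determine if there were critical or high vulnerabilities
+run: |
+# Get all files in the directory
+$files = Get-ChildItem -Path ./vulnerability-reports -Recurse -File
+foreach ($file in $files) {
+$sarifData = Get-Content $file.FullName | ConvertFrom-Json
+foreach ($result in $sarifData.runs.results) {
+$severity = ($result.message.text -match "Severity\s+:\s+(.*)\s*\n") | Out-Null
+$severity = $matches[1].Trim()
+
+if ($severity -ieq "critical" -or $severity -ieq "high") {
+$criticalHighVulnerabilities++
+Write-Host "Found $severity vulnerability: $($result.ruleId) in $file.FullName"
+}
+}
+}
+
+if ( $criticalHighVulnerabilities -gt 0) {
+Write-Error "Critical or High vulnerabilities found in previous jobs."
+exit 1
+} else {
+Write-Host "No critical or high vulnerabilities found."
+}
+shell: pwsh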
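Review bot: In the new "Check for Critical and High vulnerabilities" step (new lines 116–117) and again in the `finalize` step (151–152), `$severity = (... -match ...) | Out-Null` assigns nothing and `$matches[1]` is then read unconditionally, so a result whose message lacks a `Severity :` line is counted under the previous result's stale capture, and if the very first result does not match `$matches` is null and `.Trim()` throws — with the `$ErrorActionPreference = 'stop'` that the `pwsh` shell prepends by default this aborts the step, which the job-level `continue-on-error: true` hides in the matrix job but makes `finalize` fail for a parse problem rather than a finding. Guard on the match result, skip unmatched results with a warning so the gap is visible in the log, drop the trailing `\n` requirement (a severity on the message's last line would never match), and initialise `$criticalHighVulnerabilities = 0` instead of relying on `$null++`. Separately, `"... in $file.FullName"` (new line 156) expands only `$file`; write `$($file.FullName)` as the `ruleId` interpolation on the same line already does. Because `continue-on-error: true` keeps the matrix legs green, `finalize` is now the sole gate, so any required status check has to name that job; if the goal was only to stop one failing image from cancelling the others, `strategy.fail-fast: false` expresses that without hiding the per-image failure.
```yaml
        run: |
          $criticalHighVulnerabilities = 0
          # … unchanged: read and parse the SARIF file …
          foreach ($result in $sarifContent.runs.results) {
            if ($result.message.text -match 'Severity\s*:\s*(\S+)') {
              $severity = $matches[1]
            } else {
              Write-Warning "No severity found for $($result.ruleId); not counted"
              continue
            }
            # … unchanged: critical/high counting and Write-Host …
          }
          # … unchanged: final verdict and exit code …
```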
