Feature/managing trivy scaning new image build (#8)

* Controlling if a new image should be built or not

* Revert "Controlling if a new image should be built or not"

This reverts commit fa4af80.

* adding workflow to pull an image from Openshift and run Trivy against it

* fixing typo

* checking the template output to see if the error also happens

* changing the output type depending or not if the file is being uploaded

* fixing the "if" syntax

* fixing the "if" syntax -2

* fixing the "if" syntax - 3

.github/workflows/trivy-scan-openshift-image.yml

@@ -0,0 +1,97 @@
+on:
+  workflow_call:
+    inputs:
+      imagestream_name:
+        description: |
+          Name of the image stream where the image to be scanned resides.
+        type: string
+        required: true
+      image_tag:
+        description: |
+          The tag the image that needs to be scanned.
+        type: string
+        required: false
+        default: trivy
+      trivy_format:
+        description: |
+          How the output should be displayed
+        type: string
+        required: false
+        default: sarif
+      push_results_to_github:
+        description: |
+          decide wheter otr not the results should be pushed to GitHub Security tab
+        required: false
+        type: boolean
+        default: true
+    secrets:
+      openshift_namespace:
+        required: true
+      openshift_sa_name:
+        required: true
+      openshift_sa_password:
+        required: true
+      openshift_server_url:
+        required: true
+      openshift_token:
+        required: true
+      openshift_external_repository:
+        required: true
+
+jobs:
+  build-scan:
+    name: Build & Scan Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Authenticate and set context
+        uses: redhat-actions/oc-login@v1
+        with:
+          openshift_server_url: ${{ secrets.openshift_server_url }}
+          openshift_token: ${{ secrets.openshift_token }}
+          namespace: ${{ secrets.openshift_namespace }}
+
+      - name: Login to OpenShift Container Repository
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ secrets.openshift_external_repository }}
+          username: ${{ secrets.openshift_sa_name }}
+          password: ${{ secrets.openshift_sa_password }}
+
+      - name: Pull Image for Scannning
+        env:
+          IMAGE: ${{secrets.openshift_external_repository}}/${{secrets.openshift_namespace}}/${{inputs.imagestream_name}}:${{inputs.image_tag}}
+        run: |
+          docker pull ${IMAGE}
+
+      - name: Run Trivy vulnerability scanner - stdout
+        uses: aquasecurity/trivy-action@master
+        if: ${{ !inputs.push_results_to_github }}
+        with:
+          scan-type: image
+          image-ref: ${{secrets.openshift_external_repository}}/${{secrets.openshift_namespace}}/${{inputs.imagestream_name}}:${{inputs.image_tag}}
+          format: ${{ inputs.output }}
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
+
+      - name: Run Trivy vulnerability scanner - save-result to file
+        uses: aquasecurity/trivy-action@master
+        if: ${{ inputs.push_results_to_github }}
+        with:
+          scan-type: image
+          image-ref: ${{secrets.openshift_external_repository}}/${{secrets.openshift_namespace}}/${{inputs.imagestream_name}}:${{inputs.image_tag}}
+          format: ${{ inputs.output }}
+          output: trivy-results.sarif
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
+
+      #Upload results to the GitHub Security Tab.
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        if: always() && inputs.push_results_to_github
+        with:
+          sarif_file: trivy-results.sarif