added an option to choose the repo to login on scan stage (#55)

* added an option to choose the repo to login on scan stage

* moved duplicated scan image job to a function

Author: leonid-lapshin-covergo

.gflows/libs/job_scan_image.lib.yml

@@ -2,9 +2,10 @@
 #@ load("@ytt:struct", "struct")
 #@ load("tagging.lib.yml", "tagging")
 #@ load("job_docker_publish_alicloud.lib.yml", "get_docker_publish_alicloud_job_ids")
+#@ load("steps.lib.yml", "steps")
 
 ---
-#@ def generate_scan_image_job(scan_image, services):
+#@ def generate_scan_image_job(image_name, services, registry):
   name: Trivy scan
   runs-on: ubuntu-latest
   timeout-minutes: 10
@@ -14,16 +15,11 @@
     - #@ alicloud_job_id
     #@ end
   steps:
-    - name: Login to AliCloud Container Registry
-      uses: docker/login-action@v2
-      with:
-        registry: registry-intl.cn-hongkong.aliyuncs.com
-        username: ${{ secrets.ALI_CONTAINER_REGISTRY_USER }}
-        password: ${{ secrets.ALI_CONTAINER_REGISTRY_PASSWORD }}
+    - #@ steps.login_docker(registry)
     - name: Run Trivy vulnerability scanner
       uses: aquasecurity/trivy-action@master
       with:
-        image-ref: #@ scan_image.image
+        image-ref: #@ "{}/{}:{}".format(registry.url, image_name, "${{ needs.version.outputs.app_version }}")
         format: 'table'
         vuln-type: 'os,library'
         severity: 'CRITICAL,HIGH'

.gflows/workflows/build-publish/build-publish.template.yml

@@ -26,6 +26,7 @@
 #@  load("job_dependency_resolution.lib.yml", "dep")
 
 
+
 ---
 #@ def generate_jobs(data):
   #@ jobs = {"version": generate_version_job(data.values)}   
@@ -116,8 +117,28 @@
     #@ end
   #@ end
 
-  #@ if hasattr(data.values,"scan_image"):
-    #@ jobs["scan-image"] = generate_scan_image_job(data.values.scan_image, service_sections)
+  #@ def generate_scan_image_sub_job(service, values, service_sections):
+  #@   if hasattr(values,"scan_image"):
+  #@     if hasattr(values,"main_registry"): 
+  #@       jobs["scan-image-{}".format(service.slug)] = generate_scan_image_job(service.image_name, service_sections, values.main_registry)
+  #@     else:
+  #@       if hasattr(values,"cache_registry"):
+  #@         jobs["scan-image-{}".format(service.slug)] = generate_scan_image_job(service.image_name, service_sections, values.cache_registry)
+  #@       end
+  #@     end
+  #@   end
+  #@ end
+
+  #@ if hasattr(data.values,"services"):
+  #@   for service in getattr(data.values,"services",[]):
+  #@     generate_scan_image_sub_job(service, data.values, service_sections)
+  #@   end
+  #@ end
+
+  #@ if hasattr(data.values,"service"):
+  #@   if hasattr(data.values,"scan_image"):
+  #@     generate_scan_image_sub_job(service, data.values, service_sections)
+  #@   end
   #@ end
 
   #@ if hasattr(data.values, "deploy_tenants"):

github-sample/workflows/build-publish.yml

@@ -1236,7 +1236,7 @@ jobs:
         provenance: "false"
     - name: Image digest
       run: echo ${{ steps.docker-build-auth-mongo.outputs.digest }}
-  scan-image:
+  scan-image-auth-service:
     name: Trivy scan
     runs-on: ubuntu-latest
     timeout-minutes: 10
@@ -1258,6 +1258,28 @@ jobs:
         format: table
         vuln-type: os,library
         severity: CRITICAL,HIGH
+  scan-image-auth-predeployment:
+    name: Trivy scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs:
+    - version
+    - docker-publish-alicloud-auth-service
+    - docker-publish-alicloud-auth-predeployment
+    steps:
+    - name: Login to AliCloud Container Registry
+      uses: docker/login-action@v2
+      with:
+        registry: registry-intl.cn-hongkong.aliyuncs.com
+        username: ${{ secrets.ALI_CONTAINER_REGISTRY_USER }}
+        password: ${{ secrets.ALI_CONTAINER_REGISTRY_PASSWORD }}
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: registry-intl.cn-hongkong.aliyuncs.com/covergo/auth-predeployment:${{ needs.version.outputs.app_version }}
+        format: table
+        vuln-type: os,library
+        severity: CRITICAL,HIGH
   deploy-tenant-tahoe:
     if: ${{ needs.version.outputs.is_production == 'true' }}
     runs-on: self-hosted