.github/workflows/test-vulnerabilities-data.yml

name: Run Vulnerability 

run-name: >
  On Branch: ${{ github.ref_name }} with Image: ${{ inputs.image_name || 'appsmith/appsmith-ce:release' }}

on:
  workflow_dispatch:
    inputs:
      image_name:
        description: 'Docker image name to scan'
        required: true
        default: 'appsmith/appsmith-ce:release'

jobs:
  run-and-update-pr:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '20'
      
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}    

      - name: Install pg
        run: npm install pg

      # Run Scout vulnerability data script
      - name: Run Scout vulnerability data script
        if: always()
        env:
          DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
          DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
          DB_USER: ${{ secrets.CYPRESS_DB_USER }}
          DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
        run: |
          chmod +x scripts/scout_vulnerabilities_data.sh
          ./scripts/scout_vulnerabilities_data.sh \
            "${{ inputs.image_name }}" \
            "${{ github.event.pull_request.number }}" \
            "${{ github.event.pull_request.html_url }}" \
            "${{ github.run_id }}"

      - name: Run Trivy vulnerability data script
        if: always()
        env:
          DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
          DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
          DB_USER: ${{ secrets.CYPRESS_DB_USER }}
          DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
          chmod +x scripts/trivy_vulnerabilities_data.sh
          ./scripts/trivy_vulnerabilities_data.sh \
            "${{ inputs.image_name }}" \
            "${{ github.event.pull_request.number }}" \
            "${{ github.event.pull_request.html_url }}" \
            "${{ github.run_id }}"
      
      - name: Check for new vulnerabilities in Scout and Trivy files
        if: always()
        run: |
          # Check if Scout vulnerabilities file has data after the header
          if [ $(tail -n +2 scout_new_vulnerabilities.csv | wc -l) -gt 0 ]; then
            echo "Scout vulnerabilities detected."
            cat scout_new_vulnerabilities.csv
            exit 1  # Fail the job if data exists
          else
            echo "No new Scout vulnerabilities detected."
          fi
                  
          # Check if Trivy vulnerabilities file has data after the header
          if [ $(tail -n +2 trivy_new_vulnerabilities.csv | wc -l) -gt 0 ]; then
            echo "Trivy vulnerabilities detected."
            cat trivy_new_vulnerabilities.csv
            exit 1  # Fail the job if data exists
          else
            echo "No new Trivy vulnerabilities detected."
          fi