m

.github/actions/audit-report-action/action.yml

@@ -5,16 +5,14 @@ inputs:
       required: true
     include-dev-dependencies:
       required: true
-    include-unfixed-for-image:
+    include-unfixed:
       required: false
-    include-unfixed-for-fs:
-      required: false
-    severity-levels-for-image:
-      required: true
-    severity-levels-for-fs:
+    severity-levels:
       required: true
     issue_title_prefix:
       required: false
+    scan-type:
+      required: true
     token:
       required: true
 runs:

.github/actions/audit-report-action/audit.js

@@ -9,9 +9,9 @@ export async function performImageAudit(projectName) {
   }
   await pullImage(image);
   const additionalArgs = ["image", "--input", `${image}.tar`, "--format", "json", "--exit-code", "1", "--vuln-type", "os"];
-  additionalArgs.push("--severity", Config.severityLevelsForImage);
+  additionalArgs.push("--severity", Config.severityLevels);
 
-  if (!Config.includeUnfixedForImage) {
+  if (!Config.includeUnfixed) {
     additionalArgs.push("--ignore-unfixed");
   }
 
@@ -42,13 +42,13 @@ export async function performFsAudit(projectName) {
   console.info(`\n Performing File System audit on Project ${projectName}...`);
 
   const additionalArgs = ["fs", `./${projectName}`, "--format", "json", "--exit-code", "1"];
-  additionalArgs.push("--severity", Config.severityLevelsForFs);
+  additionalArgs.push("--severity", Config.severityLevels);
 
   if (Config.includeDevDependencies) {
     additionalArgs.push("--include-dev-deps");
   }
 
-  if (!Config.includeUnfixedForFs) {
+  if (!Config.includeUnfixed) {
     additionalArgs.push("--ignore-unfixed");
   }
 

.github/actions/audit-report-action/config.js

@@ -4,10 +4,9 @@ const github = require('@actions/github');
 export const Config = {
   projects: core.getInput('projects').split(','),
   includeDevDependencies: core.getInput('include-dev-dependencies') === 'true',
-  includeUnfixedForImage: core.getInput('include-unfixed-for-image') === 'true',
-  includeUnfixedForFs: core.getInput('include-unfixed-for-fs') === 'true',
-  severityLevelsForImage: core.getInput('severity-levels-for-image') || "CRITICAL,HIGH,MEDIUM",
-  severityLevelsForFs: core.getInput('severity-levels-for-fs') || "CRITICAL,HIGH,MEDIUM,LOW",
+  includeUnfixed: core.getInput('include-unfixed') === 'true',
+  severityLevels: core.getInput('severity-levels') || "CRITICAL,HIGH,MEDIUM",
+  scanType: core.getInput('scan-type'),
   token: core.getInput('token'),
   issueTitlePrefix: core.getInput('issue_title_prefix') || 'Security Report:',
   octokit: github.getOctokit(core.getInput('token')),
@@ -17,7 +16,7 @@ export const Config = {
 
 
 export function validateConfig() {
-  const { projects, severityLevels, token } = Config;
+  const { projects, token } = Config;
 
   if (!projects) {
     throw new Error('Input project names are required');

.github/actions/audit-report-action/dist/index.js

@@ -46,9 +46,9 @@ async function performImageAudit(projectName) {
   }
   await pullImage(image);
   const additionalArgs = ["image", "--input", `${image}.tar`, "--format", "json", "--exit-code", "1", "--vuln-type", "os"];
-  additionalArgs.push("--severity", config.Config.severityLevelsForImage);
+  additionalArgs.push("--severity", config.Config.severityLevels);
 
-  if (!config.Config.includeUnfixedForImage) {
+  if (!config.Config.includeUnfixed) {
     additionalArgs.push("--ignore-unfixed");
   }
 
@@ -79,13 +79,13 @@ async function performFsAudit(projectName) {
   console.info(`\n Performing File System audit on Project ${projectName}...`);
 
   const additionalArgs = ["fs", `./${projectName}`, "--format", "json", "--exit-code", "1"];
-  additionalArgs.push("--severity", config.Config.severityLevelsForFs);
+  additionalArgs.push("--severity", config.Config.severityLevels);
 
   if (config.Config.includeDevDependencies) {
     additionalArgs.push("--include-dev-deps");
   }
 
-  if (!config.Config.includeUnfixedForFs) {
+  if (!config.Config.includeUnfixed) {
     additionalArgs.push("--ignore-unfixed");
   }
 
@@ -129,10 +129,9 @@ const github = __nccwpck_require__(3617);
 const Config = {
   projects: core.getInput('projects').split(','),
   includeDevDependencies: core.getInput('include-dev-dependencies') === 'true',
-  includeUnfixedForImage: core.getInput('include-unfixed-for-image') === 'true',
-  includeUnfixedForFs: core.getInput('include-unfixed-for-fs') === 'true',
-  severityLevelsForImage: core.getInput('severity-levels-for-image') || "CRITICAL,HIGH,MEDIUM",
-  severityLevelsForFs: core.getInput('severity-levels-for-fs') || "CRITICAL,HIGH,MEDIUM,LOW",
+  includeUnfixed: core.getInput('include-unfixed') === 'true',
+  severityLevels: core.getInput('severity-levels') || "CRITICAL,HIGH,MEDIUM",
+  scanType: core.getInput('scan-type'),
   token: core.getInput('token'),
   issueTitlePrefix: core.getInput('issue_title_prefix') || 'Security Report:',
   octokit: github.getOctokit(core.getInput('token')),
@@ -142,7 +141,7 @@ const Config = {
 
 
 function validateConfig() {
-  const { projects, severityLevels, token } = Config;
+  const { projects, token } = Config;
 
   if (!projects) {
     throw new Error('Input project names are required');
@@ -38678,8 +38677,11 @@ const { validateConfig, Config } = __nccwpck_require__(152);
 const { createOrUpdateIssues } = __nccwpck_require__(9853);
 
 const run = async function() {
-  await doFsAudit();
-  await doImageAudit();
+  if(Config.scanType === 'fs') {
+    await doFsAudit();
+  } else {
+    await doImageAudit();
+  }
 }
 
 async function doImageAudit() {

.github/actions/audit-report-action/index.js

@@ -3,8 +3,11 @@ const { validateConfig, Config } = require('./config');
 const { createOrUpdateIssues } = require('./issue');
 
 const run = async function() {
-  await doFsAudit();
-  await doImageAudit();
+  if(Config.scanType === 'fs') {
+    await doFsAudit();
+  } else {
+    await doImageAudit();
+  }
 }
 
 async function doImageAudit() {

.github/workflows/daily-security-check.yml

@@ -21,14 +21,23 @@ jobs:
           echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
           sudo apt-get update
           sudo apt-get install trivy
-      - name: Audit projects and create security reports
+      - name: Audit images
         uses: ./.github/actions/audit-report-action
         with:
           projects: frontend,api,blockchain,provisioning,e2e-test,excel-export-service,email-notification-service,storage-service,logging-service,migration
           include-dev-dependencies: false
           issue_title_prefix: "Security Report:"
-          include-unfixed-for-image: false
-          include-unfixed-for-fs: true
-          severity-levels-for-image: CRITICAL,HIGH
-          severity-levels-for-fs: CRITICAL,HIGH,MEDIUM,LOW
+          include-unfixed: false
+          severity-levels: CRITICAL,HIGH
+          scan-type: image
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Audit filesystem
+        uses: ./.github/actions/audit-report-action
+        with:
+          projects: frontend,api,blockchain,provisioning,e2e-test,excel-export-service,email-notification-service,storage-service,logging-service,migration
+          include-dev-dependencies: false
+          issue_title_prefix: "Security Report:"
+          include-unfixed: true
+          severity-levels: CRITICAL,HIGH,MEDIUM,LOW
+          scan-type: fs
           token: ${{ secrets.GITHUB_TOKEN }}