Merge pull request #7 from neuvector/NVSHAS-8797-improve-set-output

becitsthere · web-flow · commit 196964fb269c · 2024-03-19T16:04:05.000-07:00
[NVSHAS-8797] Add variable to the GITHUB_OUTPUT for future reference
diff --git a/Dockerfile b/Dockerfile
@@ -5,4 +5,6 @@ RUN zypper in -y jq docker && zypper clean
 COPY run-scan.sh /usr/bin
 COPY utils.sh /usr/bin
 
+RUN chmod +x /usr/bin/run-scan.sh
+
 ENTRYPOINT ["/usr/bin/run-scan.sh"]
diff --git a/action.yml b/action.yml
@@ -72,6 +72,7 @@ runs:
     NV_SCANNER_IMAGE: ${{ inputs.nv-scanner-image }}
     DEBUG: ${{ inputs.debug }}
     OUTPUT: ${{ inputs.output }}
+    GITHUB_OUTPUT: $GITHUB_OUTPUT
 
 branding:
   icon: search
diff --git a/run-scan.sh b/run-scan.sh
@@ -45,6 +45,11 @@ FOUND_MEDIUM=$(cat scan_result.json | jq '.report.vulnerabilities[] | select(.se
 VUL_LIST=$(printf '["%s"]' "${VUL_NAMES_TO_FAIL//,/\",\"}")
 VUL_LIST_FOUND=$(cat scan_result.json | jq --arg arr "$VUL_LIST" '.report.vulnerabilities[] | select(.name as $n | $arr | index($n)) |.name')
 
+echo "GITHUB_OUTPUT: $GITHUB_OUTPUT"
+echo "vulnerability_count=$VUL_NUM" >> "$GITHUB_OUTPUT"
+echo "high_vulnerability_count=$FOUND_HIGH" >> "$GITHUB_OUTPUT"
+echo "medium_vulnerability_count=$FOUND_MEDIUM" >> "$GITHUB_OUTPUT"
+
 # we must count the high and med before we put.
 if [[ -n $VUL_LIST_FOUND ]]; then
   fail_reason="Found specific named vulnerabilities."
diff --git a/test/scan-image.bats b/test/scan-image.bats
@@ -1,11 +1,12 @@
 #!/usr/bin/env bats
+export GITHUB_OUTPUT="/github-output"
 
 setup_file() {
     docker build . -t neuvector/scan-action
 }
 
 @test "docker daemon not reachable" {
-    run docker run --rm -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 neuvector/scan-action
+    run docker run --rm -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -e GITHUB_OUTPUT="${GITHUB_OUTPUT}" -v "/github/output:/tmp"  neuvector/scan-action 
     echo "Status $status"
     echo "Output"
     echo -e $output
@@ -14,7 +15,7 @@ setup_file() {
 }
 
 @test "invalid scanner image" {
-    run docker run --rm -e NV_SCANNER_IMAGE=invalid-image:latest -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock neuvector/scan-action
+    run docker run --rm -e NV_SCANNER_IMAGE=invalid-image:latest -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock -e GITHUB_OUTPUT="${GITHUB_OUTPUT}" -v "/github/output:/tmp"  neuvector/scan-action 
     echo "Status $status"
     echo "Output"
     echo -e $output
@@ -23,7 +24,7 @@ setup_file() {
 }
 
 @test "scan image with vulnerabilities but don't fail" {
-    run docker run --rm -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock neuvector/scan-action
+    run docker run --rm -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock -e GITHUB_OUTPUT="${GITHUB_OUTPUT}" -v "/github/output:/tmp"  neuvector/scan-action 
     echo "Status $status"
     echo "Output"
     echo -e $output
@@ -32,7 +33,7 @@ setup_file() {
 }
 
 @test "scan image with vulnerabilities and high severity fail" {
-    run docker run --rm -e HIGH_VUL_TO_FAIL=1 -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock neuvector/scan-action
+    run docker run --rm -e HIGH_VUL_TO_FAIL=1 -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock -e GITHUB_OUTPUT="${GITHUB_OUTPUT}" -v "/github/output:/tmp"  neuvector/scan-action 
     echo "Status $status"
     echo "Output"
     echo -e $output
@@ -41,7 +42,7 @@ setup_file() {
 }
 
 @test "scan image with vulnerabilities and medium severity fail" {
-    run docker run --rm -e MEDIUM_VUL_TO_FAIL=1 -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock neuvector/scan-action
+    run docker run --rm -e MEDIUM_VUL_TO_FAIL=1 -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock -e GITHUB_OUTPUT="${GITHUB_OUTPUT}" -v "/github/output:/tmp"  neuvector/scan-action 
     echo "Status $status"
     echo "Output"
     echo -e $output
@@ -50,7 +51,7 @@ setup_file() {
 }
 
 @test "scan image with vulnerabilities and specific CVE fail" {
-    run docker run --rm -e VUL_NAMES_TO_FAIL=invalid,CVE-2020-16156 -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock neuvector/scan-action
+    run docker run --rm -e VUL_NAMES_TO_FAIL=invalid,CVE-2020-16156 -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock -e GITHUB_OUTPUT="${GITHUB_OUTPUT}" -v "/github/output:/tmp"  neuvector/scan-action 
     echo "Status $status"
     echo "Output"
     echo -e $output
@@ -59,7 +60,7 @@ setup_file() {
 }
 
 @test "scan image with json output" {
-    run docker run --rm -e OUTPUT=json -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock neuvector/scan-action
+    run docker run --rm -e OUTPUT=json -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock -e GITHUB_OUTPUT="${GITHUB_OUTPUT}" -v "/github/output:/tmp"  neuvector/scan-action 
     echo "Status $status"
     echo "Output"
     echo -e $output
@@ -68,7 +69,7 @@ setup_file() {
 }
 
 @test "scan image with csv output" {
-    run docker run --rm -e OUTPUT=csv -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock neuvector/scan-action
+    run docker run --rm -e OUTPUT=csv -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock -e GITHUB_OUTPUT="${GITHUB_OUTPUT}" -v "/github/output:/tmp"  neuvector/scan-action 
     echo "Status $status"
     echo "Output"
     echo -e $output
