feat: support scanning multiple images

Right now limited to three images since this is not easily done without additional jobs (using a matrix) and this is not a frequent use case.
wetransform · Nov 15, 2023 · 46af370 · 46af370
1 parent ee341f2
commit 46af370
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 0 deletions.
diff --git a/.github/workflows/gradle-service-check.yml b/.github/workflows/gradle-service-check.yml
@@ -9,6 +9,14 @@ on:
         description: Image tag to scan after build
         required: true
         type: string
+      image-tag-2:
+        description: Additional image tag to scan after build
+        type: string
+        default: ''
+      image-tag-3:
+        description: Additional image tag to scan after build
+        type: string
+        default: ''
       multi-module:
         description: If this is a multi-module project
         type: boolean
@@ -32,6 +40,8 @@ jobs:
       gradle-tasks: 'clean check dockerTagLatest'
       java-version: ${{ inputs.java-version }}
       image-tag: ${{ inputs.image-tag }}
+      image-tag-2: ${{ inputs.image-tag-2 }}
+      image-tag-3: ${{ inputs.image-tag-3 }}
       multi-module: ${{ inputs.multi-module }}
       notify-failure: false
     secrets: inherit
diff --git a/.github/workflows/gradle-service-publish.yml b/.github/workflows/gradle-service-publish.yml
@@ -9,6 +9,14 @@ on:
         description: Image tag to scan after build
         required: true
         type: string
+      image-tag-2:
+        description: Additional image tag to scan after build
+        type: string
+        default: ''
+      image-tag-3:
+        description: Additional image tag to scan after build
+        type: string
+        default: ''
       multi-module:
         description: If this is a multi-module project
         type: boolean
@@ -34,5 +42,7 @@ jobs:
       gradle-tasks: 'clean check dockerPushImage dockerPushLatest'
       java-version: ${{ inputs.java-version }}
       image-tag: ${{ inputs.image-tag }}
+      image-tag-2: ${{ inputs.image-tag-2 }}
+      image-tag-3: ${{ inputs.image-tag-3 }}
       multi-module: ${{ inputs.multi-module }}
     secrets: inherit
diff --git a/.github/workflows/gradle-service.yml b/.github/workflows/gradle-service.yml
@@ -21,6 +21,14 @@ on:
         description: Image tag to scan after build
         required: true
         type: string
+      image-tag-2:
+        description: Additional image tag to scan after build
+        type: string
+        default: ''
+      image-tag-3:
+        description: Additional image tag to scan after build
+        type: string
+        default: ''
       multi-module:
         description: If this is a multi-module project
         type: boolean
@@ -108,6 +116,25 @@ jobs:
           image-ref: 'docker.io/${{ inputs.image-tag }}'
           junit-test-output: "${{ inputs.multi-module && 'trivy-gha-scan/build/test-results/trivy.xml' || 'build/test-results/trivy.xml' }}" # added to unit test report
           report-retention-days: 30
+          report-tag: ${{ inputs.image-tag }}
+
+      - name: Vulnerability scan (Image 2)
+        uses: wetransform/gha-trivy@master
+        if: ${{ inputs.image-tag-2 != '' }}
+        with:
+          image-ref: 'docker.io/${{ inputs.image-tag-2 }}'
+          junit-test-output: "${{ inputs.multi-module && 'trivy-gha-scan/build/test-results/trivy-2.xml' || 'build/test-results/trivy-2.xml' }}" # added to unit test report
+          report-retention-days: 30
+          report-tag: ${{ inputs.image-tag-2 }}
+
+      - name: Vulnerability scan (Image 3)
+        uses: wetransform/gha-trivy@master
+        if: ${{ inputs.image-tag-3 != '' }}
+        with:
+          image-ref: 'docker.io/${{ inputs.image-tag-3 }}'
+          junit-test-output: "${{ inputs.multi-module && 'trivy-gha-scan/build/test-results/trivy-3.xml' || 'build/test-results/trivy-3.xml' }}" # added to unit test report
+          report-retention-days: 30
+          report-tag: ${{ inputs.image-tag-3 }}
 
       #
       # Report on unit tests and critical vulnerabilities