platform-tooling/.github/workflows/node-vulnerability-scan.yml at main · orangitfi/platform-tooling · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# Node Vulnerability Scan
#
# Reusable workflow that runs two vulnerability scans in parallel using
# Syft (SBOM generation) and Grype (vulnerability detection):
#
#   1. code-scan   — generates an SBOM for the source directory and scans it
#   2. docker-scan — builds the Docker image, generates an SBOM and scans it
#                    skipped when run-docker-scan is set to false
#
# Both jobs fail independently; the workflow fails if either fails.
#
# Usage in a consuming repository:
#
#   # Source code only (no Dockerfile)
#   jobs:
#     vulnerability-scan:
#       uses: your-org/platform-tooling/.github/workflows/node-vulnerability-scan.yml@v1
#       with:
#         run-docker-scan: false
#
#   # Source code + Docker image
#   jobs:
#     vulnerability-scan:
#       uses: your-org/platform-tooling/.github/workflows/node-vulnerability-scan.yml@v1
#       with:
#         image-name: my-app

name: Node Vulnerability Scan

on:
  workflow_call:
    inputs:
      working-directory:
        description: "Directory to scan for source code vulnerabilities"
        required: false
        default: "."
        type: string
      fail-on-severity:
        description: "Minimum severity to fail on: critical, high, medium, low, negligible"
        required: false
        default: "high"
        type: string
      run-docker-scan:
        description: "Build and scan the Docker image (set to false for repos without a Dockerfile)"
        required: false
        default: true
        type: boolean
      dockerfile-path:
        description: "Path to the Dockerfile relative to working-directory"
        required: false
        default: "Dockerfile"
        type: string
      image-name:
        description: "Name for the Docker image. Defaults to the repository name."
        required: false
        default: ""
        type: string
      image-tag:
        description: "Tag for the Docker image. Defaults to the commit SHA."
        required: false
        default: ""
        type: string

permissions:
  contents: read

jobs:
  code-scan:
    name: Code Vulnerability Scan (Syft + Grype)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Syft and Grype
        uses: orangitfi/platform-tooling/.github/actions/scheduled_test_setup@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha

      - name: Scan codebase
        uses: orangitfi/platform-tooling/.github/actions/security-scan-code@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha
        with:
          directory: ${{ inputs.working-directory }}
          fail-on-severity: ${{ inputs.fail-on-severity }}

  docker-scan:
    name: Docker Vulnerability Scan (Syft + Grype)
    if: ${{ inputs.run-docker-scan }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Scan Docker image
        uses: orangitfi/platform-tooling/.github/actions/docker-scan@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha
        with:
          working-directory: ${{ inputs.working-directory }}
          dockerfile-path: ${{ inputs.dockerfile-path }}
          image-name: ${{ inputs.image-name || github.event.repository.name }}
          image-tag: ${{ inputs.image-tag || github.sha }}
          fail-on-severity: ${{ inputs.fail-on-severity }}