name: Check fleetdm/bomutils for vulnerabilities

on:
  workflow_dispatch:
    inputs:
      build_image:
        description: "Scan locally-built image instead of published image"
        type: boolean
        default: false
  schedule:
    - cron: "0 6 * * *"

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
  cancel-in-progress: true

defaults:
  run:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

permissions:
  contents: read

jobs:
  check-published:
    runs-on: ubuntu-22.04
    environment: Docker Hub
    permissions:
      id-token: write # for aws-actions/configure-aws-credentials
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      - name: Login to Docker Hub
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}

      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"

      - name: Build fleetdm/bomutils
        if: ${{ github.event_name == 'workflow_dispatch' && inputs.build_image }}
        run: make bomutils-docker

      - name: Clean up Docker build cache
        if: ${{ github.event_name == 'workflow_dispatch' && inputs.build_image }}
        run: docker builder prune -af

      - name: List VEX files
        id: generate_vex_files
        run: |
          echo "VEX_FILES=$(ls -1 ./security/vex/bomutils/ | while IFS= read -r line; do echo "./security/vex/bomutils/$line"; done | tr '\n' ',' | sed 's/.$//')" >> $GITHUB_OUTPUT

      # We use the trivy command and not the github action because it doesn't support loading VEX files yet.
      - name: Run Trivy vulnerability scanner on fleetdm/bomutils
        env:
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
        run: |
          mkdir trivy-download
          cd trivy-download
          curl -L https://github.com/aquasecurity/trivy/releases/download/v0.69.2/trivy_0.69.2_Linux-64bit.tar.gz --output trivy_0.69.2_Linux-64bit.tar.gz
          tar -xf trivy_0.69.2_Linux-64bit.tar.gz
          mv trivy ..
          cd ..
          chmod +x ./trivy
          ./trivy image \
            --exit-code=1 \
            --ignore-unfixed \
            --pkg-types=os,library \
            --severity=HIGH,CRITICAL \
            --vex="${{ steps.generate_vex_files.outputs.VEX_FILES }}" \
            fleetdm/bomutils

      - name: Slack notification
        if: github.event.schedule == '0 6 * * *' && failure()
        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
        with:
          payload: |
            {
              "text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "⚠️ Build fleetdm/bomutils and check vulnerabilities failed.\nhttps://github.com/fleetdm/fleet/actions/runs/${{  github.run_id }}"
                  }
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_ORCHESTRATION_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK