PromucFlow_constructor/.github/workflows/test-vulnerabilities-data.yml

name: Run Vulnerability Data Script with Parameters and Update PR

on:
  workflow_dispatch:
    inputs:
      image_name:
        description: 'Docker image name to scan'
        required: true
        default: 'appsmith/appsmith-ce:release'

jobs:
  run-and-update-pr:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '20'
      
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}    

      - name: Install pg
        run: npm install pg

      # Run Scout vulnerability data script
      - name: Run Scout vulnerability data script
        if: always()
        env:
          DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
          DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
          DB_USER: ${{ secrets.CYPRESS_DB_USER }}
          DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
        run: |
          chmod +x scripts/scout_vulnerabilities_data.sh
          ./scripts/scout_vulnerabilities_data.sh \
            "${{ inputs.image_name }}" \
            "${{ github.event.pull_request.number }}" \
            "${{ github.event.pull_request.html_url }}" \
            "${{ github.run_id }}"          

      - name: Run Trivy vulnerability data script
        if: always()
        env:
          DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
          DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
          DB_USER: ${{ secrets.CYPRESS_DB_USER }}
          DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
          chmod +x scripts/trivy_vulnerabilities_data.sh
          ./scripts/trivy_vulnerabilities_data.sh \
            "${{ inputs.image_name }}" \
            "${{ github.event.pull_request.number }}" \
            "${{ github.event.pull_request.html_url }}" \
            "${{ github.run_id }}"          
      
      - name: Check for new vulnerabilities in Scout and Trivy files
        if: always()
        run: |
          # Check if Scout vulnerabilities file is not empty
          if [ -s "scout_new_vulnerabilities.csv" ]; then
            echo "Scout vulnerabilities detected."
            cat scout_new_vulnerabilities.csv
            exit 1  # Fail the job if data exists
          fi
          
          # Check if Trivy vulnerabilities file is not empty
          if [ -s "trivy_new_vulnerabilities.csv" ]; then
            echo "Trivy vulnerabilities detected."
            cat trivy_new_vulnerabilities.csv
            exit 1  # Fail the job if data exists
          fi