.github/workflows/frontend-build-image-and-scan.yml

on:
  workflow_call:
    inputs:
      run-id:
        required: true
        type: string
      image-ref:
        required: true
        type: string

jobs:
  frontend-build-image-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build frontend image
        run: docker build --file prod.Dockerfile --tag ${{ inputs.image-ref }} .
      - name: Run Trivy vulnerability image scanner
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
        with:
          image-ref: ${{ inputs.image-ref }}
          format: "sarif"
          output: "trivy-results.sarif"
      - name: Check trivy results
        run: |
          if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
            echo "Vulnerabilities found"
            exit 1
          else
            echo "No significant vulnerabilities found"
            exit 0
          fi

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
        with:
          sarif_file: "trivy-results.sarif"
      - name: Run Trivy vulnerability file scanner
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
        with:
          scan-type: "fs"
          scan-ref: "./frontend"
          skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
          format: "sarif"
          output: "trivy-results.sarif"
      - name: Check trivy results
        run: |
          if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
            echo "Vulnerabilities found"
            exit 1
          else
            echo "No significant vulnerabilities found"
            exit 0
          fi
      - name: Upload Trivy file scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
        with:
          sarif_file: "trivy-results.sarif"
          category: trivy-fs-scan
      - name: Generate cosign vulnerability scan record
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
        with:
          image-ref: ${{ inputs.image-ref }}
          format: "cosign-vuln"
          output: "vuln-frontend.json"
      - name: Upload cosign vulnerability scan record
        uses: actions/upload-artifact@v4
        with:
          name: "vuln-frontend.json"
          path: "vuln-frontend.json"
          if-no-files-found: error
      - name: Save image
        run: |
          mkdir /tmp/images
          docker save -o /tmp/images/frontend-image.tar ${{ inputs.image-ref }}
      - uses: actions/cache@v4
        with:
          path: /tmp/images
          key: docker-frontend-images-cache-${{ inputs.run-id }}
          restore-keys: docker-frontend-images-cache-${{ inputs.run-id }}
      - name: Send status to Slack
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
        if: ${{ failure() && github.ref == 'refs/heads/main' }}
        with:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}