Conversation

tommartensen (Collaborator) commented Dec 8, 2025

Description

Partners with stackrox/stackrox#17985

  • Workflow now scans Konflux and GHA-built images.
  • Workflow now triggered by new tags automatically (can be manually dispatched for other tags or as required).
  • Workflow uses composite action to stay DRY.

This PR mostly extracts the existing image scan logic into a composable action.

Validation

https://github.com/stackrox/stackrox/actions/runs/20063752468

Why did I not test with test-gh-actions?

The workflow there still uses quay.io ratings: https://github.com/stackrox/test-gh-actions/blob/main/.github/workflows/scripts/check-image-vulnerabilities.py and wasn't updated after stackrox/stackrox#10836.

@tommartensen tommartensen self-assigned this Dec 8, 2025
@tommartensen tommartensen changed the title ROX-30730: add action for iamge-vulnerability-check ROX-30730: add action for image-vulnerability-check Dec 8, 2025
@tommartensen tommartensen marked this pull request as ready for review December 8, 2025 15:40
@tommartensen tommartensen requested a review from a team as a code owner December 8, 2025 15:40
@tommartensen tommartensen requested a review from msugakov December 8, 2025 15:50
msugakov (Contributor) left a comment

Skipped readme and some smaller details in the action.

@tommartensen tommartensen marked this pull request as draft December 9, 2025 10:41
tommartensen (Collaborator, Author) commented Dec 9, 2025

@msugakov
I have refactored the action into a bash script, that made it easier for me to address your concerns.

The action now:

  • allows the repository to be specified, i.e. allows rhacs-eng/... and stackrox-io/...
  • doesn't have superfluous outputs, but still uploads the artifact to the workflow run (I am including this for a future workflow that downloads all scan results -> collects vulnerable images -> suggests fixes).

The script has the following improvements:

  • Consider moderate, important, critical CVEs
  • Always displays a status (❌ or ✅) with a description and a table with the total and fixable vulnerability count per category. One of the problems I had with the previous version of the workflow was that this information needed to be parsed manually by a human.
  • Fail the action if there are fixable important or critical CVEs
  • Print a collapsed vulnerability table in Markdown with full details.
    • GH automatically links CVEs to GHSA where available.

You can check how this looks in the summary for https://github.com/stackrox/stackrox/actions/runs/20063752468
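The summary logic described in the comment above (count moderate/important/critical CVEs, show a ✅/❌ status with a per-severity total/fixable table, fail only on fixable important or critical CVEs, and put the full list in a collapsed Markdown table) as a small Python script. This is an added example, not the PR's bash script or any StackRox code; the scanner JSON schema (`components[].vulns[]` with `cve`, `severity`, `fixedBy`), the image name and the CVE identifiers are constructed placeholders.

```python
"""Render an image scan result as a GitHub Actions job summary (constructed example)."""
import json
import os
import sys

# Severities the check reports, most severe first; anything else is ignored.
SEVERITIES = ("CRITICAL", "IMPORTANT", "MODERATE")
# Fixable vulnerabilities at these severities fail the check.
FAILING_SEVERITIES = frozenset({"CRITICAL", "IMPORTANT"})

# Constructed sample scanner output; field names and CVE ids are placeholders,
# not a real scanner schema or real vulnerabilities.
SAMPLE_SCAN = json.dumps({
    "image": "example.registry/placeholder/image:1.0.0",
    "components": [
        {"name": "openssl", "version": "3.0.1", "vulns": [
            {"cve": "CVE-EXAMPLE-0001", "severity": "Critical", "fixedBy": "3.0.2"},
            {"cve": "CVE-EXAMPLE-0002", "severity": "Moderate", "fixedBy": ""},
        ]},
        {"name": "glibc", "version": "2.34", "vulns": [
            {"cve": "CVE-EXAMPLE-0003", "severity": "Important", "fixedBy": ""},
            {"cve": "CVE-EXAMPLE-0004", "severity": "Low", "fixedBy": "2.35"},
        ]},
    ],
})


def load_vulns(scan_json):
    """Flatten the assumed scanner schema into (image, one row per vulnerability)."""
    data = json.loads(scan_json)
    rows = []
    for comp in data.get("components", []):
        for v in comp.get("vulns", []):
            rows.append({
                "cve": v["cve"],
                "severity": v["severity"].upper(),
                "component": comp["name"],
                "version": comp["version"],
                "fixedBy": v.get("fixedBy") or "",
            })
    return data.get("image", "<unknown>"), rows


def count_by_severity(rows):
    """Total and fixable counts for each tracked severity; lower severities are dropped."""
    counts = {sev: {"total": 0, "fixable": 0} for sev in SEVERITIES}
    for r in rows:
        if r["severity"] not in counts:
            continue
        counts[r["severity"]]["total"] += 1
        if r["fixedBy"]:
            counts[r["severity"]]["fixable"] += 1
    return counts


def blocking_count(counts):
    """Number of fixable CVEs at severities that make the check fail."""
    return sum(counts[sev]["fixable"] for sev in FAILING_SEVERITIES)


def render_summary(image, rows, counts):
    """Markdown for the job summary: status line, per-severity table, collapsed details."""
    blocking = blocking_count(counts)
    status = "❌" if blocking else "✅"
    lines = [f"## {status} Image vulnerability scan: `{image}`", ""]
    if blocking:
        lines.append(f"{blocking} fixable important/critical CVE(s) found; the check fails.")
    else:
        lines.append("No fixable important or critical CVEs found.")
    lines += ["", "| Severity | Total | Fixable |", "|---|---|---|"]
    for sev in SEVERITIES:
        lines.append(f"| {sev.title()} | {counts[sev]['total']} | {counts[sev]['fixable']} |")
    # Full details behind a <details> block, which GitHub renders collapsed.
    tracked = [r for r in rows if r["severity"] in SEVERITIES]
    tracked.sort(key=lambda r: (SEVERITIES.index(r["severity"]), r["cve"]))
    lines += ["", "<details><summary>All vulnerabilities</summary>", "",
              "| CVE | Severity | Component | Version | Fixed by |", "|---|---|---|---|---|"]
    for r in tracked:
        lines.append(f"| {r['cve']} | {r['severity'].title()} | {r['component']} "
                     f"| {r['version']} | {r['fixedBy'] or '-'} |")
    lines += ["", "</details>", ""]
    return "\n".join(lines)


def main(scan_json=SAMPLE_SCAN):
    image, rows = load_vulns(scan_json)
    counts = count_by_severity(rows)
    summary = render_summary(image, rows, counts)
    # Inside a GitHub Actions step, GITHUB_STEP_SUMMARY names the job summary file.
    target = os.environ.get("GITHUB_STEP_SUMMARY")
    if target:
        with open(target, "a", encoding="utf-8") as fh:
            fh.write(summary + "\n")
    else:
        print(summary)
    return 1 if blocking_count(counts) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with no arguments to see the rendered summary on stdout; the exit status is 1 for the sample input because the critical CVE has a fix available, while the unfixed important CVE alone would not fail the check. Replacing `SAMPLE_SCAN` with the real scanner output requires adapting `load_vulns` to that scanner's actual schema.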

@tommartensen tommartensen marked this pull request as ready for review December 9, 2025 12:54
@tommartensen tommartensen requested a review from msugakov December 9, 2025 12:54
msugakov (Contributor) left a comment

Made a pass. I'll likely find something else in subsequent iterations.

@tommartensen tommartensen force-pushed the tm/ROX-image-vuln-check branch from e060327 to e6f53b0 Compare December 13, 2025 11:45
@msugakov msugakov changed the title ROX-30730: add action for image-vulnerability-check ROX-30730: add scan-image-vulnerabilities action Dec 15, 2025
msugakov (Contributor) left a comment

Sorry, could cover only a small part today. Please expect follow-ups.

msugakov (Contributor) left a comment

Finished the full pass.

@tommartensen tommartensen requested a review from msugakov January 5, 2026 17:44
msugakov (Contributor) left a comment

Looks great! https://github.com/stackrox/stackrox/actions/runs/20992238662

One last comment, after which please ship it!

@tommartensen tommartensen merged commit cd450a8 into main Jan 14, 2026
3 checks passed
@tommartensen tommartensen deleted the tm/ROX-image-vuln-check branch January 14, 2026 11:29