name: "General: Security Scan"

on:
  workflow_dispatch:
  push:
    branches:
    - main
    paths:
    - ".github/workflows/general.security-scan.yaml"
  schedule:
    - cron: "0 0 * * 0"


jobs:
  directories: # Job that list subdirectories
    runs-on: ubuntu-latest
    outputs:
      dir: ${{ steps.set-dirs.outputs.dir }} # generate output name dir by using inner step output
    steps:
      - uses: actions/checkout@v2
        with:
          token: ${{ secrets.BOT_TOKEN }}
      - id: set-dirs # Give it an id to handle to get step outputs in the outputs key above
        run: echo "::set-output name=dir::$({ ls -d .containers/apps/*/ & ls -d .containers/base/*/; } | tr '\n' '\0' | xargs -0 -n 1 basename | jq -R -s -c 'split("\n")[:-1]')"
        # Define step output named dir base on ls command transformed to JSON thanks to jq


  scan_files:
    name: Scan Files
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v2

    - name: Run Trivy vulnerability scanner in repo mode
      uses: aquasecurity/trivy-action@master
      with:
        scan-type: 'fs'
        ignore-unfixed: true
        format: 'template'
        template: '@/contrib/sarif.tpl'
        output: 'trivy-repo-results.sarif'
        severity: 'CRITICAL'

    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: 'trivy-repo-results.sarif'


  scan_containers:
    name: Scan Containers
    runs-on: ubuntu-20.04
    needs: [directories] # Depends on previous job
    strategy:
      matrix:
        dir: ${{fromJson(needs.directories.outputs.dir)}} # List matrix strategy from directories dynamically
      fail-fast: false
    steps:
    - name: Container Security scan
      uses: Azure/container-scan@v0
      with:
        image-name: ghcr.io/${{ github.repository_owner }}/${{matrix.dir}}:latest
        severity-threshold: HIGH